What is CloudTrail and how can it be disrupted?

With AWS CloudTrail, you can monitor your AWS deployments in the cloud by getting a history of AWS API calls for your account, including API calls made via the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services. You can also identify which users and accounts called AWS APIs for services that support CloudTrail, the source IP address the calls were made from, and when the calls occurred. You can integrate CloudTrail into applications using the API, automate trail creation for your organization, check the status of your trails, and control how administrators turn CloudTrail logging on and off.

You can check if the Cloudtrail is enabled using the following command

aws cloudtrail describe-trails

If there are certain Trails enabled, you can use the following commands to stop a particular trail and delete the logs from the trails.

aws cloudtrail stop-logging --name [my-trail]

To delete a trail, use the following command

aws cloudtrail delete-trail --name [my-trail]

In some cases, deleting or stopping the cloudtrail logging might raise some red flags and raise suspicions. In these situations, we can update the trail to limit the logging to the default region where the Trail was created. This will give us a few other regions where we can perform the exploitation.

aws cloudtrail update-trail --name [my-trail] --no-is-multi-region-trail --no-include-global-service-events

This will add the flags to the Cloudtrail which will disable logging on all the other regions except the default region. You can find some other techniques to disrupt CloudTrail logs from here.

Remediation

There are various other ways to disrupt the Cloudtrail logs which you can find on the internet. This article will be focusing on safeguarding the AWS account from such attempts to disrupt logging.

We will be creating a lambda function that will automatically re-enable the CloudTrail if the ‘StopLogging’ operation is called through the API. It functions by using a Lambda python function with CloudWatch event trigger configured with an SNS to send an email notification when some of the operations are performed on the account.

The function will look for the following operations on the account

  • “StopLogging”
  • “StartLogging”
  • “UpdateTrail”
  • “DeleteTrail”
  • “CreateTrail”
  • “RemoveTags”
  • “AddTags”
  • “PutEventSelectors”

The steps involved in setting up this function will be discussed here,

Create a new Trail and enable it. We will be using this trail to test our function. You can create a trail for S3 or Lamda events and then create or specify an existing bucket to store the logs. After you finish, make sure that the trail is running.

After the Trail is running, you can create the other components for the function using the CloudFormation template that you can download from here. The ‘readme’ for the template is available here.

You can download the Lambda function from here. The ZIP file contains a python script. We would need to create an S3 bucket and move this ZIP folder into the S3 bucket.

After uploading the ZIP file into the bucket, you can start the CloudFormation and use the ‘CloudTrailMonitor.json’ as the template. Specify the following values while launching the template,

SNSTopicName : Enter a unique name for the SNS topic that will be created
SNSSubscriptions : Enter an email address that will subscribe to the SNS topic created above.
LambdaTimeout : This is the lambda function timeout value in seconds and the default is 30 seconds.
LambdaS3Bucket : Name of the S3 bucket where the Lambda function zip file is stored.
LambdaS3Key : Name of the lambda function zip file. This is the full path to the S3 object, please include the prefix as well. For example, “/dir1/dir2/lambdafunction.zip”.

If the status in the CloudFormation console reads ‘CREATE_COMPELTE’, all the components are configured correctly.

You can verify the components in Lambda, CloudWatch event rules, SNS.

Your Lambda function should be created and it should look like this

Your CloudWatch rule should be created and it would look like this

The Lambda function is now functional and every time a CloudTrail is stopped, it automatically triggers the lambda function which in turn re-enables the CloudTrail in a few seconds. Some additional setup has to be made to enable email notifications through SNS. Go to the SNS console, Open the topics and you should be able to find a topic created by the cloud formation template, click on Actions -> Subscribe to the topic. Select ‘Email-JSON’ in the protocol and enter your email address in the endpoint field. You should be receiving an email from SNS with a Subscribe URL. Copy this URL and paste it in Actions -> Confirm a Subscription. Open the Subscriptions tab and click on Confirm Subscription and the subscription should show the endpoint email address. That’s all that you need to do.

We will now test this functionality. We will use the following command to stop the ‘Logging’ trail

aws cloudtrail stop-logging --name Logging

This command will stop the CloudTrail for a few seconds, after which the Lambda kicks in and re-enables the CloudTrail. We also get an email alert in the endpoint email address that you specified.

 

This setup will act as a first level defense when someone tries to stop or disrupt the logs in CloudTrail on the account.

Thank you for reading! – Setu Parimi & Steve George

Sign up for the blog directly here.

Check out our professional services here.

Feedback is welcome! For professional services, fan mail, hate mail, or whatever else, contact [email protected]

Categories: Uncategorized

0 Comments

Leave a Reply

%d bloggers like this: