AWS CloudTrail
  • 29 Oct 2023
  • 2 Minutes to read
  • Contributors
  • Dark
    Light
  This documentation version is deprecated, please click here for the latest version.

AWS CloudTrail

  • Dark
    Light

Article summary

AWS CloudTrail logs allow you to monitor AWS deployments. CloudTrail logs can provide granular visibility into AWS instances and can be used within D&R rules to identify AWS abuse.

This adapter allows you to ingest AWS CloudTrail events via either an S3 bucket or SQS message queue.

CloudTrail events can be addressed in LimaCharlie as the aws platform.

Adapter Deployment

All adapters support the same client_options, which you should always specify if using the binary adapter or creating a webhook adapter. If you use any of the Adapter helpers in the web app, you will not need to specify these values.

  • client_options.identity.oid: the LimaCharlie Organization ID (OID) this adapter is used with.
  • client_options.identity.installation_key: the LimaCharlie Installation Key this adapter should use to identify with LimaCharlie.
  • client_options.platform: the type of data ingested through this adapter, like text, json, gcp, carbon_black, etc.
  • client_options.sensor_seed_key: an arbitrary name for this adapter which Sensor IDs (SID) are generated from, see below.

Adapter-specific Options

CloudTrail logs can be collected via a cloud-to-cloud Adapter, or via the CLI Adapter. Furthermore, within each option, there is a choice of collecting logs from an S3 bucket or an SQS message queue.

Cloud-to-Cloud Adapter

Within the LimaCharlie web application, you can create an AWS CloudTrail Cloud Connector using the + Add Sensor option.

image.png

After providing an Installation Key, you will be guided through connecting either an S3 bucket or SQS queue to ingest AWS CloudTrail events.

Collecting AWS CloudTrail Logs via an S3 Bucket

If collecting CloudTrail logs via an S3 bucket, you will need the following parameters:

  • bucket_name - The name of the S3 bucket holding the data)
  • secret_key - The API key for AWS that has access to the respective bucket.
  • access_key - The AWS access key for the API key

The following sample configuration can be used to create an S3 CLI Adapter for AWS CloudTrail events:

s3:
  client_options:
    hostname: aws-cloudtrail-logs
    identity:
      installation_key: <INSTALLATION_KEY>
      oid: <OID>
    platform: aws
    sensor_seed_key: super-special-seed-key
  bucket_name: <S3_BUCKET_NAME>
  secret_key: <S3_SECRET_KEY>
  access_key: <S3_ACCESS_KEY>

Collecting AWS CloudTrail Logs via an SQS Queue

If collecting CloudTrail logs via an SQS queue, you will need the following parameters:

  • secret_key - The API key for AWS that has access to the respective bucket.
  • access_key - The AWS access key for the API key
  • region - The AWS region where the SQS instance lives
  • queue_url - The URL to the SQS instance

The following sample configuration can be used to create an SQS CLI Adapter for AWS CloudTrail events:

sqs:
  client_options:
    hostname: aws-cloudtrail-logs
    identity:
      installation_key: <INSTALLATION_KEY>
      oid: <OID>
    platform: aws
    sensor_seed_key: super-special-seed-key
  region: <SQS_REGION>
  secret_key: <SQS_SECRET_KEY>
  access_key: <SQS_ACCESS_KEY>
  queue_url: <SQS_QUEUE_URL>

Was this article helpful?

What's Next