
CloudTrail

Preparation

Before creating a trail for ingestion by AlphaSOC, designate or create an AWS S3 bucket for CloudTrail event storage and an SQS queue. Refer to Collecting data: Amazon S3 before continuing.

CloudTrail Log Encryption (optional)

If CloudTrail log file encryption is required, navigate to Key Management Service (KMS) > Customer managed keys and click Create a key.

NOTE: The KMS key must be created in the same region as the S3 bucket used for CloudTrail event storage.

Select Symmetric as the Key type and Encrypt and decrypt for Key usage. Click Next.

[Screenshot: kms-key-create-1]

Input an Alias for the key and add any Description and/or Tags. Click Next.

[Screenshot: kms-key-create-2]

Select any Key administrators and, if your requirements allow it, permit them to delete the key. Click Next.

Select any IAM users/roles for This account or Other AWS accounts that you wish to grant access to this key for cryptographic operations. Click Next.

Finally, under Key policy, add the following statement to the Statement array so that CloudTrail can encrypt log files with the key.

{
  "Sid": "Allow CloudTrail to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": "cloudtrail.amazonaws.com"
  },
  "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*"],
  "Resource": "*"
}

In a key policy, "Resource": "*" means this key only. As written, however, the statement lets any trail in any AWS account use the key. To restrict it to your trail, add a Condition of "StringEquals": {"aws:SourceArn": "<your trail ARN>"} to the statement.

After clicking Finish, grant kms:Decrypt on this key to the IAM role that transfers data to AlphaSOC, as described in Collecting data: Amazon S3. Without it the role can list and fetch the objects but S3 refuses to return the SSE-KMS encrypted log files.
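The steps above leave two things to the reader: assembling the complete key policy (account administration, the CloudTrail grant, and decrypt for the transfer role) and checking whether an existing key policy grants CloudTrail access without a scoping condition. The script below does both. It is an added example for this page, not AlphaSOC's own code; the account ID, trail name, role name and the SCOPING_KEYS set are assumptions, and the CloudTrail statement it builds grants only what CloudTrail needs to write logs (generate data keys and describe the key), leaving kms:Decrypt to the reader role as the step above describes.

```python
"""Build a KMS key policy for CloudTrail log encryption and audit a policy
for CloudTrail grants that are not scoped to a trail or account.

Added example for this page, not AlphaSOC's own code. Account ID, region,
trail name and role name are constructed placeholders.
"""
import json

ACCOUNT_ID = "111122223333"                                                  # placeholder
TRAIL_ARN = f"arn:aws:cloudtrail:us-east-1:{ACCOUNT_ID}:trail/alphasoc-trail"  # hypothetical trail
READER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/AlphaSOCS3Reader"          # hypothetical role
CLOUDTRAIL = "cloudtrail.amazonaws.com"
# Condition keys (lower-cased) that tie a CloudTrail grant to one trail or one account
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount",
                "kms:encryptioncontext:aws:cloudtrail:arn"}

# The statement shown on this page, wrapped as a policy, as constructed audit input
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow CloudTrail to use the key",
    "Effect": "Allow",
    "Principal": {"Service": CLOUDTRAIL},
    "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*"],
    "Resource": "*",
}]}


def build_key_policy(account_id, trail_arn, reader_role_arn):
    """Full key policy: root admin, CloudTrail scoped to one trail, reader decrypt."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM policies in the key owner account",
         "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow CloudTrail to use the key",
         "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL},
         "Action": ["kms:DescribeKey", "kms:GenerateDataKey*"],
         "Resource": "*",
         # Without this condition any trail in any account could encrypt with the key
         "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}}},
        {"Sid": "Allow the AlphaSOC transfer role to decrypt log files",
         "Effect": "Allow",
         "Principal": {"AWS": reader_role_arn},
         "Action": "kms:Decrypt", "Resource": "*"},
    ]}


def _principals(stmt):
    """Service principals named by a statement; '*' counts as everyone."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    services = principal.get("Service", []) if isinstance(principal, dict) else []
    return [services] if isinstance(services, str) else list(services)


def _condition_keys(stmt):
    """Lower-cased condition keys across every operator in the statement."""
    keys = set()
    for operator_values in stmt.get("Condition", {}).values():
        keys.update(key.lower() for key in operator_values)
    return keys


def unscoped_cloudtrail_grants(policy):
    """Sids of Allow statements that let CloudTrail use the key from any trail."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(p in (CLOUDTRAIL, "*") for p in _principals(stmt)):
            continue
        if not _condition_keys(stmt) & SCOPING_KEYS:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def to_json(policy):
    """Serialise for `aws kms put-key-policy --policy-name default --policy file://key-policy.json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("unscoped on the page's statement:", unscoped_cloudtrail_grants(PAGE_POLICY))
    print(to_json(build_key_policy(ACCOUNT_ID, TRAIL_ARN, READER_ROLE_ARN)))
```

Write the output of to_json to a file and apply it with `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://key-policy.json`, or paste it into the Key policy editor in the console. Running unscoped_cloudtrail_grants over a policy fetched with `aws kms get-key-policy` flags the page's statement until the aws:SourceArn condition is added.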

CloudTrail

To create a trail, navigate to CloudTrail > Trails > Create trail.

Enter a Trail name. For Storage location, select Use existing S3 bucket and enter the name of the bucket you designated or created.

If log file encryption will not be used, clear Enabled under Log file SSE-KMS encryption. Otherwise, for Customer managed AWS KMS key, select Existing and enter the alias you gave the key during KMS key creation. Leave Log file validation enabled so that the digest files CloudTrail delivers can later be used to detect modified or deleted log files.

Click Next.

[Screenshot: cloudtrail-create-1]

Under Event type, select both Management events and Data events. A Data events configuration panel appears; select S3 from the Data event type menu. Note that logging data events for all S3 buckets also records CloudTrail's own deliveries of log files into the trail's bucket, so exclude that bucket from the data event selector unless you want those events. Click Next.

[Screenshot: cloudtrail-create-2]

Review the settings and click Create trail.
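Once the trail exists, the settings chosen in the wizard can be verified from the API rather than by clicking through the console again. The script below audits a trail against the requirements of this page (correct bucket, SSE-KMS enabled, management events, S3 data events) and warns when the data event selector covers the trail's own log bucket. It is an added example for this page, not AlphaSOC's own code; the two sample dicts are constructed to mirror the shape of `aws cloudtrail get-trail` and `aws cloudtrail get-event-selectors` output, all names and IDs in them are placeholders, and the log file validation check is an addition beyond the page's steps.

```python
"""Audit a CloudTrail trail against the settings this page asks for.

Added example for this page, not AlphaSOC's own code. The sample dicts are
constructed to mirror `aws cloudtrail get-trail` / `get-event-selectors`
output; every name and ID is a placeholder.
"""
S3_OBJECT = "AWS::S3::Object"
ALL_S3 = ("arn:aws:s3", "arn:aws:s3:::")  # data resource values that select every bucket

# Constructed sample: what the console steps above produce (all-bucket S3 data events)
SAMPLE_TRAIL = {
    "Name": "alphasoc-trail",
    "S3BucketName": "alphasoc-cloudtrail-logs",
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True,
}
SAMPLE_SELECTORS = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/alphasoc-trail",
    "EventSelectors": [{
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": [{"Type": S3_OBJECT, "Values": ["arn:aws:s3:::"]}],
    }],
}


def summarise_selectors(selectors):
    """Reduce classic or advanced event selectors to what the audit needs."""
    out = {"management": False, "s3_values": [], "s3_excluded": []}
    for sel in selectors.get("EventSelectors", []):
        out["management"] |= bool(sel.get("IncludeManagementEvents"))
        for res in sel.get("DataResources", []):
            if res.get("Type") == S3_OBJECT:
                out["s3_values"] += res.get("Values", [])
    for sel in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        category = fields.get("eventCategory", {}).get("Equals", [])
        out["management"] |= "Management" in category
        if "Data" in category and S3_OBJECT in fields.get("resources.type", {}).get("Equals", []):
            arn = fields.get("resources.ARN", {})
            # No resources.ARN selector means every bucket is covered
            out["s3_values"] += arn.get("Equals", []) + arn.get("StartsWith", []) or ["arn:aws:s3:::"]
            out["s3_excluded"] += arn.get("NotStartsWith", [])
    return out


def _names_bucket(value, bucket_arn):
    """True if a data resource value refers to exactly this bucket (or a prefix in it)."""
    return value == bucket_arn or value.startswith(bucket_arn + "/")


def audit_trail(trail, selectors, log_bucket, require_kms=True):
    """Return (level, message) findings; an empty list means the trail matches."""
    findings = []
    if trail.get("S3BucketName") != log_bucket:
        findings.append(("fail", f"trail delivers to {trail.get('S3BucketName')!r}, expected {log_bucket!r}"))
    if require_kms and not trail.get("KmsKeyId"):
        findings.append(("fail", "log file SSE-KMS encryption is not enabled"))
    if not trail.get("LogFileValidationEnabled"):
        findings.append(("warn", "log file validation is off; digests cannot prove log integrity"))
    summary = summarise_selectors(selectors)
    if not summary["management"]:
        findings.append(("fail", "management events are not logged"))
    if not summary["s3_values"]:
        findings.append(("fail", "S3 data events are not logged"))
    bucket_arn = f"arn:aws:s3:::{log_bucket}"
    covered = any(v in ALL_S3 or _names_bucket(v, bucket_arn) for v in summary["s3_values"])
    excluded = any(_names_bucket(v, bucket_arn) for v in summary["s3_excluded"])
    if covered and not excluded:
        findings.append(("warn", f"S3 data events include {log_bucket}; CloudTrail's own log deliveries will be recorded too"))
    return findings


if __name__ == "__main__":
    for level, message in audit_trail(SAMPLE_TRAIL, SAMPLE_SELECTORS, "alphasoc-cloudtrail-logs"):
        print(f"{level.upper()}: {message}")
```

Feed it the JSON from `aws cloudtrail get-trail --name <trail>` and `aws cloudtrail get-event-selectors --trail-name <trail>`; a trail created exactly as described above passes every check and produces only the warning about the log bucket, which disappears once an advanced selector with a NotStartsWith on the bucket's ARN excludes it.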