
AWS CloudTrail

Preparation

Before creating a trail for ingestion by AE, an S3 bucket for CloudTrail event storage and an SNS topic and subscription for event delivery notifications must be designated and/or created. Please refer to AWS Prerequisites before continuing further.

CloudTrail Log Encryption (optional)

If CloudTrail log encryption is needed, navigate to Key Management Service (KMS) > Customer managed keys and click on Create a key.

NOTE: The KMS key must be created in the same region as the S3 bucket used for CloudTrail event storage.

Select Symmetric as the Key type and Encrypt and decrypt for Key usage. Click Next.


Input an Alias for the key and add any Description and/or Tags. Click Next.


Select any Key administrators and enable Key deletion per your requirements. Click Next.

Select any IAM users/roles for This account or Other AWS accounts that you wish to grant access to this key for cryptographic operations. Click Next.

Under Key policy, append the following two statements to the policy's Statement array. The first allows AlphaSOC to decrypt the logs; the second allows CloudTrail to encrypt them.

    {
        "Sid": "Allow AlphaSOC to decrypt using the key",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::610660487454:root"
        },
        "Action": [
            "kms:Decrypt",
            "kms:DescribeKey"
        ],
        "Resource": "*"
    },
    {
        "Sid": "Allow CloudTrail use the key",
        "Effect": "Allow",
        "Principal": {
            "Service": "cloudtrail.amazonaws.com"
        },
        "Action": [
            "kms:Decrypt",
            "kms:DescribeKey",
            "kms:GenerateDataKey*"
        ],
        "Resource": "*"
    }


Click Finish to create the key.
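As an added example (not part of the original page or AlphaSOC's own tooling), the following Python function checks a parsed key policy for the two grants above and flags any Allow statement open to Principal "*", which would defeat the purpose of encrypting the logs. The sample policy is constructed, and the 111122223333 account in it is a placeholder.

```python
import fnmatch

# Principals from the page's two policy statements.
ALPHASOC_PRINCIPAL = "arn:aws:iam::610660487454:root"
CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"
# (Principal key, principal, action) grants those two statements are meant to provide.
REQUIRED_GRANTS = [
    ("AWS", ALPHASOC_PRINCIPAL, "kms:Decrypt"),
    ("AWS", ALPHASOC_PRINCIPAL, "kms:DescribeKey"),
    ("Service", CLOUDTRAIL_SERVICE, "kms:GenerateDataKey"),
    ("Service", CLOUDTRAIL_SERVICE, "kms:Decrypt"),
    ("Service", CLOUDTRAIL_SERVICE, "kms:DescribeKey"),
]
# Constructed sample policy (parsed dict): the console's default key-owner statement,
# with a placeholder account 111122223333, followed by the page's two statements.
SAMPLE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow AlphaSOC to decrypt using the key", "Effect": "Allow",
     "Principal": {"AWS": ALPHASOC_PRINCIPAL}, "Action": ["kms:Decrypt", "kms:DescribeKey"],
     "Resource": "*"},
    {"Sid": "Allow CloudTrail use the key", "Effect": "Allow",
     "Principal": {"Service": CLOUDTRAIL_SERVICE},
     "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*"], "Resource": "*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM fields: one string or a list

def _grants(stmt, principal_key, principal, action):
    # True if an Allow statement names `principal` and one of its Action patterns
    # (e.g. kms:GenerateDataKey*) covers `action`. Condition blocks are ignored.
    principals = stmt.get("Principal")  # may be the string "*" rather than a dict
    if stmt.get("Effect") != "Allow" or not isinstance(principals, dict) \
            or principal not in _as_list(principals.get(principal_key, [])):
        return False
    return any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action", [])))

def check_key_policy(policy):
    """Return findings; empty means every required grant is present and no Allow
    statement is open to Principal "*" (which would let any AWS account use the key)."""
    statements = policy.get("Statement", [])
    findings = [f"missing {action} for {principal}"
                for key, principal, action in REQUIRED_GRANTS
                if not any(_grants(s, key, principal, action) for s in statements)]
    for s in statements:
        p = s.get("Principal")
        if s.get("Effect") == "Allow" and (p == "*" or isinstance(p, dict) and "*" in _as_list(p.get("AWS", []))):
            findings.append(f"statement {s.get('Sid', '<no Sid>')!r} allows Principal *")
    return findings
```

Feed it the parsed output of the key's policy document; any non-empty result means the trail's logs either cannot be decrypted by AlphaSOC, cannot be written by CloudTrail, or are readable more widely than intended.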

CloudTrail

To create a trail, navigate to CloudTrail > Create trail.

Input a Trail name, for Storage location select Use existing S3 bucket and enter the appropriate bucket you designated and/or created in AWS Prerequisites.

If log file encryption will not be used, deselect Enabled for Log file SSE-KMS encryption. Otherwise, for Customer managed AWS KMS key select Existing and input the AWS KMS alias specified during KMS key creation.

Click Next.


Under Event type, choose both Management events and Data events. A Data events configuration interface will appear. Select S3 from the Data event type pulldown menu. Click Next.


Review the configuration and click Create trail.