About AWS CloudTrail and Alert Logic

AWS CloudTrail is an Amazon Web Services (AWS) service that logs all of your AWS account activity. CloudTrail records actions taken by a user, role, or AWS service as events. Recorded actions include those taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

AWS CloudTrail is enabled on your AWS account when you create it. AWS allows you to create additional trails to record events in specific regions and deliver them to a specified S3 bucket. For more information, see the AWS document How CloudTrail Works.

How Alert Logic products work with AWS CloudTrail

Alert Logic utilizes SNS and SQS to ingest CloudTrail data from the S3 bucket that stores it. To do this, all that is needed is the standard cross-account IAM role that was configured in the initial steps of the deployment process. From here, Alert Logic utilizes existing SNS topics and SQS queues in the account, or creates them via automation if necessary. If no active CloudTrail is found, Alert Logic will attempt to enable an existing one. However, if no CloudTrail exists, one will need to be created according to the instructions in the deployment process.

AWS CloudTrail setup

When you create an AWS deployment in the Alert Logic console and set up your IAM roles with correct permissions, Alert Logic automatically starts collecting CloudTrail logs. Automatic collection requires that you provide access to your:

  • S3 bucket that stores your CloudTrail logs
  • SNS topic that receives notifications when log files are delivered
  • SQS queue subscribed to the SNS topic for the CloudTrail

Alert Logic's backend services also need access to the CloudTrail itself during setup. If no trail exists, Alert Logic creates a new one. If needed, Alert Logic updates the trail to enable log file validation, sets the SNS topic that receives notifications from AWS CloudTrail, and then starts logging.

Continual asset monitoring

When you create an AWS deployment in the Alert Logic console, you can configure the deployment with centralized AWS CloudTrail log collection to provide continual asset updates.

AWS allows you to use a separate, dedicated account with AWS CloudTrail enabled to centralize your AWS CloudTrail log collection, which requires a second IAM role to allow Alert Logic to access the AWS receiving account that collects AWS CloudTrail data. For more information, see Should you centralize CloudTrail log collection?.

Log Management

You can create an AWS CloudTrail that Alert Logic uses to collect, store, and make searchable the logs of any type of operational activity. For more information, see Log Sources.

Incident management

Amazon GuardDuty is a continuous security monitoring service that requires no customer-managed hardware or software. GuardDuty analyzes and processes VPC Flow Logs and CloudTrail event logs. GuardDuty applies security logic and statistical analysis of AWS usage to identify unexpected and potentially unauthorized or malicious activity, such as:

  • Escalations of privileges
  • Uses of exposed credentials
  • Communication with malicious IPs, URLs, or domains

For more information, see Integrate Amazon GuardDuty Findings into Alert Logic Incidents.

Compliance goals

Alert Logic uses CloudTrail data to identify potential compliance issues or threats through our analytics and reporting features.

The security and compliance goals of your organization could require you to create and configure additional trails. For example, you must configure separate AWS CloudTrail logs for discovery of your AWS assets and for Log Management.

CloudTrail configuration monitoring and updates

Alert Logic periodically checks for CloudTrail configuration changes in your environment and attempts to fix any issues. You can use the information in the following table to understand what happens automatically when your configuration changes and troubleshoot issues that cannot be detected and fixed automatically.

If this happens | Alert Logic does this
--------------------------------------------------------- | ---------------------------------------------------------
CloudTrail configuration that Alert Logic used is deleted | Reinstalls a new CloudTrail or reuses an existing one.
S3 bucket for CloudTrail collection is reassigned | Picks up this configuration and reads messages from the new bucket.
S3 bucket inline policy is changed | Attempts to validate the resource policy attached to the bucket but does not make any changes to it.
S3 bucket is deleted | Creates a default bucket named “outcomesbucket-<AWS account ID>”.
SNS topic is changed | Picks up this configuration. The SQS queue is subscribed to the new topic.
SNS topic inline policy is changed | Validates the SNS topic policy. If the policy does not have the required permissions, attempts to apply a default policy to the SNS topic.
SNS topic is deleted | Recreates a default topic, “outcomestopic”.
SQS subscription is removed | Resubscribes the queue to the topic when the cross-account role has the permissions required to do so.
SQS inline policy is changed | Validates the SQS queue policy. If the policy does not have the required permissions, attempts to apply a default policy to the SQS queue.
SQS queue is deleted | Recreates the queue.
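The following is an added example, not Alert Logic's own code: it checks a trail against the setup requirements above (S3 bucket, SNS topic, log file validation, logging started) and flags the delivery and notification errors that the drift cases in the table produce. The input dicts mirror the shape of boto3's describe_trails, get_trail_status and list_subscriptions_by_topic responses; the account ID, bucket, topic and queue names are constructed placeholders.

```python
"""Offline check of a CloudTrail trail against the collection requirements
this page describes. Inputs mirror boto3 responses from
cloudtrail.describe_trails()['trailList'][i], cloudtrail.get_trail_status()
and sns.list_subscriptions_by_topic(); all sample values are constructed."""


def check_trail(trail: dict, status: dict) -> list[str]:
    """Return findings for one trail; an empty list means it is collectable."""
    findings = []
    if not trail.get("S3BucketName"):
        findings.append("no S3 bucket configured for log delivery")
    if not trail.get("SnsTopicARN"):
        findings.append("no SNS topic set, so delivery notifications never reach SQS")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation disabled")
    if not status.get("IsLogging"):
        findings.append("trail is not logging")
    # Drift cases from the table surface here: a deleted bucket or a bucket
    # policy that no longer lets CloudTrail write gives a delivery error; a
    # deleted topic or a changed topic policy gives a notification error.
    if status.get("LatestDeliveryError"):
        findings.append("S3 delivery failing: " + status["LatestDeliveryError"])
    if status.get("LatestNotificationError"):
        findings.append("SNS notification failing: " + status["LatestNotificationError"])
    return findings


def queue_is_subscribed(subscriptions: list[dict], queue_arn: str) -> bool:
    """True if the SQS queue holds a confirmed subscription on the topic
    (a pending one has SubscriptionArn 'PendingConfirmation', not an ARN)."""
    return any(
        s.get("Protocol") == "sqs" and s.get("Endpoint") == queue_arn
        and s.get("SubscriptionArn", "").startswith("arn:")
        for s in subscriptions
    )


# Constructed sample data; names and the account ID are placeholders.
ACCOUNT = "123456789012"
QUEUE_ARN = f"arn:aws:sqs:us-east-1:{ACCOUNT}:outcomesqueue"
HEALTHY_TRAIL = {
    "Name": "management-events",
    "S3BucketName": f"outcomesbucket-{ACCOUNT}",
    "SnsTopicARN": f"arn:aws:sns:us-east-1:{ACCOUNT}:outcomestopic",
    "LogFileValidationEnabled": True,
}
HEALTHY_STATUS = {"IsLogging": True}
# Same trail after the bucket was deleted and validation switched off.
DRIFTED_TRAIL = dict(HEALTHY_TRAIL, LogFileValidationEnabled=False)
DRIFTED_STATUS = {"IsLogging": True, "LatestDeliveryError": "NoSuchBucket"}
SUBSCRIPTIONS = [{"Protocol": "sqs", "Endpoint": QUEUE_ARN,
                  "SubscriptionArn": HEALTHY_TRAIL["SnsTopicARN"] + ":0d2f"}]
```

Run check_trail over every trail returned by describe_trails and queue_is_subscribed over the topic's subscriptions to reproduce the validation pass this page describes before opening a support case.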