About AWS CloudTrail and Alert Logic
AWS CloudTrail is an Amazon Web Services (AWS) service that logs all of your AWS account activity. CloudTrail records actions taken by a user, role, or AWS service as events. Recorded actions include those taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
AWS CloudTrail is enabled on your AWS account when you create it. AWS allows you to create additional trails to record events in specific regions and deliver them to a specified S3 bucket. For more information, see the AWS document How CloudTrail Works.
How Alert Logic products work with AWS CloudTrail
Alert Logic uses SNS and SQS to ingest CloudTrail data from the S3 bucket that stores it. The only prerequisite is the standard cross-account IAM role configured in the initial steps of the deployment process. With that role, Alert Logic uses the existing SNS topics and SQS queues in the account, or creates them through automation if necessary. If no active CloudTrail is found, Alert Logic attempts to start logging on an existing trail; if no trail exists at all, one must be created according to the instructions in the deployment process.
AWS CloudTrail setup
When you create an AWS deployment in the Alert Logic console and set up your IAM roles with correct permissions, Alert Logic automatically starts collecting CloudTrail logs. Automatic collection requires that you provide access to your:
- S3 bucket that stores your CloudTrail logs
- SNS topic that receives notifications when log files are delivered
- SQS queue subscribed to the SNS topic for the CloudTrail
Alert Logic's backend services also need access to the CloudTrail itself during setup. If no trail exists, Alert Logic creates a new one. If needed, Alert Logic updates the trail to enable log file validation, sets the SNS topic that receives notifications from AWS CloudTrail, and then starts logging.
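The path described above (CloudTrail writes a gzipped log file to S3, S3 delivery triggers a notification on the SNS topic, the subscribed SQS queue receives the SNS envelope, the collector fetches and parses the file) can be followed end to end with plain Python. The block below is an added example, not Alert Logic's code or AWS's: the SQS message body and the log file are constructed samples, the account ID, ARNs and object key are placeholders, and `fetch_object` stands in for the `s3.get_object` call a real collector would make. The notification format (`s3Bucket` and `s3ObjectKey` inside the SNS `Message` string) and the `Records` array layout are CloudTrail's documented formats. The scan at the end goes a step beyond the text and flags management events that change the collection pipeline itself, which a defender wants surfaced even when a collector can repair the change.

```python
import gzip
import json

# Constructed sample: the body of one SQS message on a queue subscribed to
# the CloudTrail SNS topic. SNS wraps CloudTrail's own notification (a JSON
# string naming the bucket and the delivered object keys) in its envelope.
# Account ID, ARNs and key names are placeholders.
SQS_MESSAGE_BODY = json.dumps({
    "Type": "Notification",
    "MessageId": "00000000-0000-0000-0000-000000000000",
    "TopicArn": "arn:aws:sns:us-east-1:111122223333:outcomestopic",
    "Message": json.dumps({
        "s3Bucket": "outcomesbucket-111122223333",
        "s3ObjectKey": [
            "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/"
            "111122223333_CloudTrail_us-east-1_20240101T0000Z_example.json.gz"
        ],
    }),
    "Timestamp": "2024-01-01T00:05:00.000Z",
})

# Constructed sample: the gzipped log file that key points to. CloudTrail
# delivers each file as a JSON object with a "Records" array.
CLOUDTRAIL_LOG_GZ = gzip.compress(json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-01-01T00:01:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "example-user"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T00:02:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "example-user"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T00:03:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole", "userName": "example-role"}},
]}).encode())


def unwrap_sqs_body(body):
    """Return (bucket, [object keys]) from the SNS envelope CloudTrail publishes."""
    envelope = json.loads(body)
    if envelope.get("Type") != "Notification":
        raise ValueError("not an SNS notification envelope")
    note = json.loads(envelope["Message"])
    return note["s3Bucket"], list(note["s3ObjectKey"])


def records_from_log(gz_bytes):
    """Decompress one delivered log file and return its CloudTrail records."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]


# Management events that alter the collection pipeline itself (trail, bucket,
# topic, queue). A collector can repair some of these, but the change should
# still be surfaced together with the identity that made it.
PIPELINE_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail",
                                 "PutEventSelectors"},
    "s3.amazonaws.com": {"PutBucketPolicy", "DeleteBucketPolicy", "DeleteBucket"},
    "sns.amazonaws.com": {"DeleteTopic", "SetTopicAttributes", "Unsubscribe"},
    "sqs.amazonaws.com": {"DeleteQueue", "SetQueueAttributes"},
}


def pipeline_changes(records):
    """Return (eventTime, eventName, actor) for records touching the pipeline."""
    hits = []
    for rec in records:
        if rec.get("eventName") in PIPELINE_EVENTS.get(rec.get("eventSource"), ()):
            actor = rec.get("userIdentity", {}).get("userName", "unknown")
            hits.append((rec["eventTime"], rec["eventName"], actor))
    return hits


def process_sqs_body(body, fetch_object):
    """Full path for one queue message: unwrap, fetch each object, scan records.

    fetch_object(bucket, key) returns the gzipped bytes; with boto3 this would
    read s3.get_object(...)["Body"], replaced here by an in-memory lookup.
    """
    bucket, keys = unwrap_sqs_body(body)
    hits = []
    for key in keys:
        hits.extend(pipeline_changes(records_from_log(fetch_object(bucket, key))))
    return hits


if __name__ == "__main__":
    for when, name, who in process_sqs_body(SQS_MESSAGE_BODY,
                                            lambda bucket, key: CLOUDTRAIL_LOG_GZ):
        print(f"{when} {name} by {who}")
```

Run as a script it prints the two pipeline-affecting events and the IAM user behind them while ignoring the routine `DescribeInstances` call. Swapping the lambda for a real S3 read and the constant for the queue's received message body is all that changes for a live queue.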
Continual asset monitoring
When you create an AWS deployment in the Alert Logic console, you can configure the deployment with centralized AWS CloudTrail log collection to provide continual asset updates.
AWS allows you to use a separate, dedicated account with AWS CloudTrail enabled to centralize your AWS CloudTrail log collection. This requires a second IAM role that allows Alert Logic to access the AWS receiving account that collects the AWS CloudTrail data. For more information, see Should you centralize CloudTrail log collection?
Log Management
You can create an AWS CloudTrail that Alert Logic uses to collect, store, and make searchable the logs of any type of operational activity. For more information, see Log Sources.
Incident management
Amazon GuardDuty is a continuous security monitoring service that requires no customer-managed hardware or software. GuardDuty analyzes and processes VPC Flow Logs and CloudTrail event logs. GuardDuty uses security logic and AWS usage statistics to identify unexpected and potentially unauthorized or malicious activity, such as:
- Escalations of privileges
- Uses of exposed credentials
- Communication with malicious IPs, URLs, or domains
For more information, see Integrate Amazon GuardDuty Findings into Alert Logic Incidents.
Compliance goals
Alert Logic uses CloudTrail data to identify potential compliance issues or threats through our analytics and reporting features.
CloudTrail configuration monitoring and updates
Alert Logic periodically checks for CloudTrail configuration changes in your environment and attempts to fix any issues. You can use the information in the following table to understand what happens automatically when your configuration changes and troubleshoot issues that cannot be detected and fixed automatically.
| If this happens | Alert Logic does this |
|---|---|
| CloudTrail configuration that Alert Logic used is deleted | Creates a new CloudTrail or reuses an existing one. |
| S3 bucket for CloudTrail collection is reassigned | Picks up this configuration and reads messages from the new bucket. |
| S3 bucket inline policy is changed | Attempts to validate the resource policy attached to the bucket, but does not make any changes to it. |
| S3 bucket is deleted | Creates a default bucket named “outcomesbucket-<AWS account ID>”. |
| SNS topic is changed | Picks up this configuration. The SQS queue is subscribed to the new topic. |
| SNS topic inline policy is changed | Validates the SNS topic policy. If the policy does not have the required permissions, Alert Logic attempts to apply a default policy to the SNS topic. |
| SNS topic is deleted | Recreates a default topic, “outcomestopic”. |
| SQS subscription is removed | Resubscribes the queue to the topic when the cross-account role has the permissions required to do so. |
| SQS inline policy is changed | Validates the SQS queue policy. If the policy does not have the required permissions, Alert Logic attempts to apply a default policy to the SQS queue. |
| SQS is deleted | Recreates the queue. |
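Three rows of the table (the bucket, topic and queue inline policies) describe validating a resource policy against the permissions the pipeline needs, and the setup section above lists the same three resources as the ones Alert Logic must be able to reach. The block below is an added example of such a validation, not Alert Logic's own check: it encodes the grants AWS documents for CloudTrail delivery (`s3:GetBucketAcl` and `s3:PutObject` with the `bucket-owner-full-control` ACL condition for the CloudTrail service principal, `SNS:Publish` for CloudTrail on the topic, and `sqs:SendMessage` for SNS on the queue scoped by `aws:SourceArn`), evaluates constructed policy documents against them, and reports both missing grants and grants that lack their scoping condition. The account ID and region are placeholders, the bucket and topic names are the defaults named in the table, and the queue name is an assumption.

```python
import copy
import fnmatch

ACCOUNT = "111122223333"                                    # placeholder account ID
REGION = "us-east-1"                                        # placeholder region
BUCKET_ARN = f"arn:aws:s3:::outcomesbucket-{ACCOUNT}"       # default bucket name from the table
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT}:outcomestopic" # default topic name from the table
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT}:example-queue" # queue name is assumed
SAMPLE_OBJECT_ARN = f"{BUCKET_ARN}/AWSLogs/{ACCOUNT}/CloudTrail/{REGION}/2024/01/01/example.json.gz"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, service):
    if principal == "*":
        return True
    return isinstance(principal, dict) and service in _as_list(principal.get("Service"))


def statement_allows(stmt, service, action, resource):
    """True if this Allow statement grants `service` the `action` on `resource`.

    Actions are case-insensitive and may carry wildcards, resources may carry
    wildcards. Explicit Deny statements are not evaluated here and would need
    a separate pass.
    """
    return (
        stmt.get("Effect") == "Allow"
        and _principal_matches(stmt.get("Principal"), service)
        and any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action")))
        and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource")))
    )


def has_condition(stmt, operator, key, value):
    """True if the statement's Condition block carries operator/key/value."""
    return value in _as_list(stmt.get("Condition", {}).get(operator, {}).get(key))


# (policy, service principal, action, resource it must cover, condition that
# should scope the grant or None): the grants CloudTrail and SNS need to
# deliver into the bucket, the topic and the queue.
CHECKS = [
    ("bucket", "cloudtrail.amazonaws.com", "s3:GetBucketAcl", BUCKET_ARN, None),
    ("bucket", "cloudtrail.amazonaws.com", "s3:PutObject", SAMPLE_OBJECT_ARN,
     ("StringEquals", "s3:x-amz-acl", "bucket-owner-full-control")),
    ("topic", "cloudtrail.amazonaws.com", "SNS:Publish", TOPIC_ARN, None),
    ("queue", "sns.amazonaws.com", "sqs:SendMessage", QUEUE_ARN,
     ("ArnEquals", "aws:SourceArn", TOPIC_ARN)),
]


def validate(policies):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    for target, service, action, resource, cond in CHECKS:
        stmts = [s for s in _as_list(policies[target].get("Statement"))
                 if statement_allows(s, service, action, resource)]
        if not stmts:
            findings.append(f"{target}: no Allow for {service} {action} on {resource}")
        elif cond and not any(has_condition(s, *cond) for s in stmts):
            findings.append(f"{target}: {action} granted without condition {cond[1]}={cond[2]}")
    return findings


# Constructed sample: a policy set that satisfies every check.
GOOD = {
    "bucket": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": BUCKET_ARN},
        {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/AWSLogs/{ACCOUNT}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ]},
    "topic": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "SNS:Publish", "Resource": TOPIC_ARN},
    ]},
    "queue": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
         "Action": "sqs:SendMessage", "Resource": QUEUE_ARN,
         "Condition": {"ArnEquals": {"aws:SourceArn": TOPIC_ARN}}},
    ]},
}

# Constructed sample: the same set after two edits of the kind the table
# describes. The topic policy no longer lets CloudTrail publish, and the queue
# policy lost its SourceArn scoping, so any SNS topic could now feed the queue.
DRIFTED = copy.deepcopy(GOOD)
DRIFTED["topic"]["Statement"][0]["Action"] = "SNS:GetTopicAttributes"
del DRIFTED["queue"]["Statement"][0]["Condition"]

if __name__ == "__main__":
    print("good:", validate(GOOD) or "all checks pass")
    print("drifted:", *validate(DRIFTED), sep="\n  ")
```

The checker deliberately reports an unscoped grant as a finding rather than a pass: a queue policy that accepts `sqs:SendMessage` from `sns.amazonaws.com` without an `aws:SourceArn` condition still delivers CloudTrail notifications, which is why a purely functional check would miss it, but it also lets any topic in any account inject messages into the collector's queue. Policies read from a live account with `boto3` (`get_bucket_policy`, `get_topic_attributes`, `get_queue_attributes`) are JSON strings and need a `json.loads` before being passed to `validate`.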