Qiita - 人気の記事混乱しました。AWS MCP ServersとAWS MCP Serverの違いを徹底解説
https://qiita.com/sh_fukatsu/items/93719d61d3251df07a59?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items
Tedi HeriyantoThreat Hunting AWS CloudTrail: From Threat Intelligence to Proactive Risk Reduction:https://medium.com/@suryaraj78425/threat-hunting-aws-cloudtrail-from-threat-intelligence-to-proactive-risk-reduction-cc009e8801bf
【AWS】CloudTrail LakeとCloudWatch Logs Insightsの使い分け方針
https://qiita.com/tsurunoqiita/items/f032287b713338f34ccb?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items
#qiita #AWS #CloudWatch #Cloudtrail #CloudWatch_Logs #CloudTrail_Lake
TamásI wanted to automatically disable an IAM user when it does something suspicious. Since this IAM user is used by a script I know that when it deviates that is a good indicator that it was compromised and I need to investigate.
How hard could it be?
Well, it turned out to be a frustrating experience. CloudTrail records events done by users, so this should be easy to setup. But then I started to encounter problems:
* Only the first CloudTrail event is free, so I did not want to create more than one trail
* CloudTrail sends events to EventBridge but only for the current region, which is not enough
I have an organizational trail in the management account. Let's see how easy it is to send these events into a member account!
* CloudTrail can send events to a CloudWatch log then I could set up a subscription filter. This worked for a PoC but ultimately there is a limit of 2 for subscription filters for a log group. So this was a no-go
* Otherwise it writes to S3, so I had to have a Lambda reading the objects as CloudTrail writes them
At this point I had a Lambda that got all CloudTrail events and filters out the interesting ones: ones with AccessDenied error, GetCallerIdentity, and ConsoleLogin. That should be a good start.
EventBus Rules can send events based on a filter, so forwarding these events into an EventBus seems like a good idea. So so far the chain is: CloudTrail => S3 => Lambda => EventBus.
But how can I send these events to the member account? Well, an EventBus Rule, of course. So I created an EventBus in the member account.
Next issue: a CloudFormation stack can't create an EventBus Rule in a different region. Interestingly, it is possible to create *cross-account* but not cross-region. So I needed an EventBus in the target region as well and set up a Rule to forward events there.
Then the very last step is to set up a Rule to filter events for the IAM user(s) and set up a CloudWatch alarm that calls a Lambda that attaches the DenyAll policy to the user.
Since I wanted everything managed by CloudFormation I ended up with an enormous amount of stacks:
* (mgmt acc us-east-1) CloudTrail + Lambda + EventBus
* (mgmt acc us-east-1) EventBus Rule to forward events to the member account
* (member acc us-east-1) EventBus to receive events from the mgmt account
* (member acc us-east-1) EventBus Rule to forward events to the regional EventBus
* (member acc eu-west-1) The target stack with the IAM users and an EventBus to receive events to
What makes it a particularly annoying experience is that there are so many small limitations that make a simpler solution impossible:
* CloudTrail should support filtering by events so that the whole management account => member account part could be saved
* Or: the default EventBus should receive *all* CloudTrail events not just ones for the current region
* EventBus Rule should be allowed to be cross-region. That would have saved me one EventBus
* EventBridge Pipes don't support SNS as a source and also it's not clear if that supports cross-region and cross-account pipes
I wrote about my frustrations in this article: [https://advancedweb.hu/cloudtrails-horrible-developer-experience/](https://advancedweb.hu/cloudtrails-horrible-developer-experience/).
Overall, I'm fairly happy with this solution, but I feel that it would be so much easier if AWS supported some basic features around CloudTrail.
Originally published [on my blog](https://advancedweb.hu/shorts/how-hard-it-is-to-disable-an-iam-user-when-it-does-something-suspicious/)
CFN UpdatesNew AWS::CloudTrail::Dashboard
Use the Dashboard resource to specify a CloudTrail Lake custom dashboard. A custom dashboard can have up to 10 widgets. For more information, see CloudTrail Lake dashboards in the AWS CloudTrail User Guide.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-dashboard.html #cloudtrail #cloudformation
Detecting AWS Account Compromise: Key Indicators in CloudTrail Logs for Stolen API Keys: https://thehackernews.com/2024/08/detecting-aws-account-compromise-key.html
Schrank 
🐘Dotenv doesn’t work in #lamda, but because it is during init, only white page. And because it is during init, no (symfony) lig in #CloudTrail 🥳🥳 #bref #symfony #CloudWatch
Cc @beberlei @BrocksiNet thanks!
Sekoia.ioOur latest blog post provides an introduction to #AWS detection engineering. We present the main log sources #CloudTrail #FlowLogs #GuardDuty for AWS, as well as some relevant events that defenders could use to detect attackers
