Claude Platform on AWS

Anthropic의 Claude Platform이 AWS 계정을 통해 네이티브 플랫폼 경험과 기능을 제공한다. AWS 인증, 통합 청구, CloudTrail 감사 로깅을 활용해 별도의 Anthropic 계정이나 API 키 없이도 접근 가능하며, 기존 AWS 보안 및 접근 제어 정책을 그대로 적용할 수 있다. 데이터는 Anthropic이 AWS 외부에서 처리하며, AWS 내 데이터 처리 및 보안이 필요한 경우에는 Amazon Bedrock의 Claude 사용이 권장된다. 이 플랫폼은 AWS 환경에서 Anthropic의 최신 기능과 개발 도구를 빠르게 활용하려는 고객에게 적합하다.

https://aws.amazon.com/claude-platform/

#anthropic #aws #claude #cloudtrail #iam

混乱しました。AWS MCP ServersとAWS MCP Serverの違いを徹底解説
https://qiita.com/sh_fukatsu/items/93719d61d3251df07a59?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items

#qiita #AWS #Cloudtrail #MCP #SOP #MCPサーバー

Threat Hunting AWS CloudTrail: From Threat Intelligence to Proactive Risk Reduction:https://medium.com/@suryaraj78425/threat-hunting-aws-cloudtrail-from-threat-intelligence-to-proactive-risk-reduction-cc009e8801bf

#threathunting #threatintelligence #aws #cloudtrail

【AWS】CloudTrail LakeとCloudWatch Logs Insightsの使い分け方針
https://qiita.com/tsurunoqiita/items/f032287b713338f34ccb?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items

#qiita #AWS #CloudWatch #Cloudtrail #CloudWatch_Logs #CloudTrail_Lake

I wanted to automatically disable an IAM user when it does something suspicious. Since this IAM user is used by a script I know that when it deviates that is a good indicator that it was compromised and I need to investigate.

How hard could it be?

Well, it turned out to be a frustrating experience. CloudTrail records events done by users, so this should be easy to setup. But then I started to encounter problems:

* Only the first CloudTrail event is free, so I did not want to create more than one trail
* CloudTrail sends events to EventBridge but only for the current region, which is not enough

I have an organizational trail in the management account. Let's see how easy it is to send these events into a member account!

* CloudTrail can send events to a CloudWatch log then I could set up a subscription filter. This worked for a PoC but ultimately there is a limit of 2 for subscription filters for a log group. So this was a no-go
* Otherwise it writes to S3, so I had to have a Lambda reading the objects as CloudTrail writes them

At this point I had a Lambda that got all CloudTrail events and filters out the interesting ones: ones with AccessDenied error, GetCallerIdentity, and ConsoleLogin. That should be a good start.

EventBus Rules can send events based on a filter, so forwarding these events into an EventBus seems like a good idea. So so far the chain is: CloudTrail => S3 => Lambda => EventBus.

But how can I send these events to the member account? Well, an EventBus Rule, of course. So I created an EventBus in the member account.

Next issue: a CloudFormation stack can't create an EventBus Rule in a different region. Interestingly, it is possible to create *cross-account* but not cross-region. So I needed an EventBus in the target region as well and set up a Rule to forward events there.

Then the very last step is to set up a Rule to filter events for the IAM user(s) and set up a CloudWatch alarm that calls a Lambda that attaches the DenyAll policy to the user.

Since I wanted everything managed by CloudFormation I ended up with an enormous amount of stacks:

* (mgmt acc us-east-1) CloudTrail + Lambda + EventBus
* (mgmt acc us-east-1) EventBus Rule to forward events to the member account
* (member acc us-east-1) EventBus to receive events from the mgmt account
* (member acc us-east-1) EventBus Rule to forward events to the regional EventBus
* (member acc eu-west-1) The target stack with the IAM users and an EventBus to receive events to

What makes it a particularly annoying experience is that there are so many small limitations that make a simpler solution impossible:

* CloudTrail should support filtering by events so that the whole management account => member account part could be saved
* Or: the default EventBus should receive *all* CloudTrail events not just ones for the current region
* EventBus Rule should be allowed to be cross-region. That would have saved me one EventBus
* EventBridge Pipes don't support SNS as a source and also it's not clear if that supports cross-region and cross-account pipes

I wrote about my frustrations in this article: [https://advancedweb.hu/cloudtrails-horrible-developer-experience/](https://advancedweb.hu/cloudtrails-horrible-developer-experience/).

Overall, I'm fairly happy with this solution, but I feel that it would be so much easier if AWS supported some basic features around CloudTrail.

#aws #cloudtrail #eventbridge

Originally published [on my blog](https://advancedweb.hu/shorts/how-hard-it-is-to-disable-an-iam-user-when-it-does-something-suspicious/)

AWS で必要最小限の権限、を求められた時
https://qiita.com/kazuneet/items/af9e30895585bd005f6e?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items

#qiita #AWS #Cloudtrail

New AWS::CloudTrail::Dashboard

Use the Dashboard resource to specify a CloudTrail Lake custom dashboard. A custom dashboard can have up to 10 widgets. For more information, see CloudTrail Lake dashboards in the AWS CloudTrail User Guide.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-dashboard.html #cloudtrail #cloudformation

AWSコンソールのサインイン履歴を検索・抽出する
https://qiita.com/gaichi/items/9cdaa51e8cda39b8056c?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items

#qiita #AWS #glue #Cloudtrail #監査 #Athena

Detecting AWS Account Compromise: Key Indicators in CloudTrail Logs for Stolen API Keys: https://thehackernews.com/2024/08/detecting-aws-account-compromise-key.html

#aws #cloudtrail #cloudsecurity