SYS 360 Lab 9 1.2: AWS Security Logging and Monitoring - JadenGil/Jaden-Tech-Journal GitHub Wiki

Creating a CloudTrail trail with CloudWatch Logs enabled

For this lab, we will want to access CloudTrail:

image

We want to select "Event History", change the Lookup attributes tab to "Event Source", search for cloudformation.amazonaws.com, and select the "Create Stack" action:

image


Note from lab: The event history exists by default in each Region. The history shows events from the last 90 days for the Region that you are viewing. This view is limited to management events with create, modify, and delete API calls and account activity. To maintain a record of account activity that extends past 90 days, including all management events with the option to include data events and read-only activity, you need to configure a CloudTrail trail. You will do this in the next step.


Now we want to go to "Trails" and select "Create trail".

image

And we want the settings to be the following:

image

On the next page we can keep the default settings.


Note from lab: This is where you would complete the process to create the trail. However, the user that you are logged in as does not have the necessary permissions to create a CloudTrail with CloudWatch Logs enabled. This is because of the security restrictions placed on AWS accounts that are used for labs.


We can now cancel the process.

A trail named LabCloudTrail already exists in the account, however, so we can take the time to analyze that one instead.


Creating an SNS topic and subscribing to it

Navigate to SNS:

image

Then select "Topics" and "Create topic".

image

Add the following settings and create:

image

Now within our new topic select "Create Subscription":

image

Use the following settings and create:

image

Email notification:

image

Once you receive the email notification select confirm subscription in the email:

image


Creating an EventBridge rule to monitor security groups

Now we want to access Amazon EventBridge:

image

We can then scroll down and select "Create rule".

image

Leave the settings default on the first page after naming it. On the second page set the following settings:

image

On the third page use the following settings:

image

When configuring the input transformer, enter the following into the "Input path" field. Each key pulls one value out of the CloudTrail event that EventBridge delivers (the security group ID, the API call name, the event time, and the full event detail):

{"name":"$.detail.requestParameters.groupId","source":"$.detail.eventName","time":"$.time","value":"$.detail"}

Then enter the following into the "Template" field; the <source>, <name>, <time> and <value> placeholders are filled in from the input path above:

"The <source> API call was made against the <name> security group on <time> with the following details:" " <value> "

Then select next, next, create rule.

We then want to go to EC2, select the instance "LabInstance", and edit the inbound rules of its security group (SecGroup) by adding a rule that allows SSH. This change is the API call the EventBridge rule is watching for.

Then go back to the CloudTrail event history and select the following:

image

We will also have gotten an email notification:

image


Creating a CloudWatch alarm based on a metrics filter

Navigate to CloudWatch and select Log groups then CloudTrailLogGroup and under actions Create metric filter:

image

Copy this into the filter pattern field. It matches only ConsoleLogin events whose errorMessage is "Failed authentication", so successful logins are not counted:

{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }

Then on the next page enter the following settings:

image

Then hit next twice and create the filter.

Then, in the Metric filters tab, check the box next to ConsoleLoginErrors and select "Create alarm":

image

Then under conditions select the following settings:

image

Use the following for configure actions:

image

Name the alarm "FailedLogins" and create the alarm.

Now navigate to IAM, select "Users", and then select the user "Test".

Then copy the console login link, open it in a new tab, and deliberately fail the login at least 3 times before signing in correctly. Each failure produces a ConsoleLogin event with the "Failed authentication" error message, which the metric filter counts.

We will then receive another email:

image
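The following Python script is an added illustration, not part of the lab or this wiki. It replays the two detections configured above offline against constructed CloudTrail records: the failed-login metric filter with the alarm threshold (3 is assumed to match the "fail the login at least 3 times" step; the lab's actual threshold is in the screenshot), and the EventBridge input transformer that produces the security group notification text. The group ID is a placeholder.

```python
import json

# Constructed sample CloudTrail records (not real account data), trimmed to
# the fields the metric filter and the input transformer read.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "errorMessage": "Failed authentication"},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "errorMessage": "Failed authentication"},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "errorMessage": "Failed authentication"},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},  # placeholder id
]

def matches_failed_login(record):
    """Mirror the metric filter pattern
    { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }.
    A successful login has no errorMessage, so it never matches."""
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("errorMessage") == "Failed authentication")

def failed_login_count(records):
    """Value the ConsoleLoginErrors metric would take for this batch."""
    return sum(1 for r in records if matches_failed_login(r))

def alarm_state(records, threshold=3):
    """'ALARM' once the count reaches the threshold; 3 is assumed here to
    match the 'fail the login at least 3 times' step, not read from the lab."""
    return "ALARM" if failed_login_count(records) >= threshold else "OK"

# The template from the EventBridge rule; <value> receives the whole detail.
TEMPLATE = ("The <source> API call was made against the <name> security group "
            "on <time> with the following details:\n<value>")

def render_notification(eventbridge_event):
    """Apply the rule's input transformer: read the four input paths from the
    EventBridge envelope ($.time, $.detail...) and substitute them into TEMPLATE."""
    detail = eventbridge_event["detail"]
    values = {"name": detail["requestParameters"]["groupId"],
              "source": detail["eventName"],
              "time": eventbridge_event["time"],
              "value": json.dumps(detail)}
    message = TEMPLATE
    for key, val in values.items():
        message = message.replace(f"<{key}>", val)
    return message
```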


Querying CloudTrail logs by using CloudWatch Logs Insights

Deliverable 1:

image

Deliverable 2:

image
