AWS CloudTrail cheat sheet
--
Incident Response in AWS made easy (easier 😉)
Our cloud incident response trainings are now available!
As enthusiastic cloud incident responders we’ve had our fair share of AWS incidents. If you say incident response and AWS you say CloudTrail, it’s the most important source for your investigations. Therefore we’ve decided to develop a cheat sheet for ‘interesting’ CloudTrail events that we’ve come across during incidents. Use this information to perform faster triage and identify ‘interesting’ activity in CloudTrail logging.
Disclaimer: The AWS cheat sheet we’ve developed is an attempt to document CloudTrail events that are ‘interesting’ for incident responders or detection engineers. It is by no means a definitive guide to finding all malicious activity.
CloudTrail
CloudTrail records two types of events. From the official documentation:
- Management events that capture control plane actions on resources, such as creating or deleting Amazon Simple Storage Service (S3) buckets.
- Data events that capture data plane actions within a resource, such as reading or writing an Amazon S3 object.
The logged events are calls made through both the console (GUI) and the API. An example CloudTrail event from the CloudTrail interface is shown below:
This event contains many more details if you open it; the format is JSON. For the cheat sheet, the Event name field is used to uniquely identify events.
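As an added example (not code from the original post), the following Python helper reads a CloudTrail log file, splits its records into management and data events, classifies console versus API calls from the user agent, and matches the Event name field of each record against a watchlist, which is the triage step the cheat sheet is meant to speed up. The log records and the two-entry watchlist are constructed for illustration; the field names follow the documented CloudTrail record format, and the account id, user names, IPs and timestamps are made up.

```python
import json
from collections import Counter

# Constructed sample CloudTrail log file (not from the original post).
# Field names follow the CloudTrail record format; all values are made up.
SAMPLE_LOG = """
{
  "Records": [
    {
      "eventVersion": "1.08",
      "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"},
      "eventTime": "2024-01-01T10:00:00Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "DescribeInstances",
      "sourceIPAddress": "198.51.100.10",
      "userAgent": "aws-cli/2.13.0",
      "managementEvent": true,
      "readOnly": true
    },
    {
      "eventVersion": "1.08",
      "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"},
      "eventTime": "2024-01-01T10:05:00Z",
      "eventSource": "iam.amazonaws.com",
      "eventName": "CreateAccessKey",
      "sourceIPAddress": "198.51.100.10",
      "userAgent": "console.amazonaws.com",
      "requestParameters": {"userName": "bob"},
      "managementEvent": true,
      "readOnly": false
    },
    {
      "eventVersion": "1.08",
      "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"},
      "eventTime": "2024-01-01T10:07:00Z",
      "eventSource": "s3.amazonaws.com",
      "eventName": "GetObject",
      "sourceIPAddress": "198.51.100.10",
      "userAgent": "aws-cli/2.13.0",
      "requestParameters": {"bucketName": "example-bucket", "key": "backup.tar"},
      "managementEvent": false,
      "readOnly": true
    }
  ]
}
"""

# Hypothetical watchlist standing in for the cheat sheet's Event names of
# interest. Both names are real IAM API actions, chosen only as an example.
WATCHLIST = {"CreateAccessKey", "CreateUser"}


def load_records(log_text):
    """Parse one CloudTrail log file: a JSON object with a top-level Records array."""
    return json.loads(log_text)["Records"]


def event_category(record):
    """Management (control plane) vs data (data plane) event.
    Records carry a managementEvent flag; if it is absent the record is assumed
    to be a management event, the category a trail records by default."""
    return "management" if record.get("managementEvent", True) else "data"


def call_origin(record):
    """Rough console-vs-API split based on the userAgent string."""
    ua = record.get("userAgent", "")
    if "console.amazonaws.com" in ua or "signin.amazonaws.com" in ua:
        return "console"
    return "api"


def triage(records, watchlist=WATCHLIST):
    """Return a compact summary of every record whose Event name is on the watchlist."""
    hits = []
    for r in records:
        if r.get("eventName") not in watchlist:
            continue
        hits.append({
            "time": r.get("eventTime"),
            "eventName": r["eventName"],
            "eventSource": r.get("eventSource"),
            "category": event_category(r),
            "origin": call_origin(r),
            "actor": r.get("userIdentity", {}).get("arn"),
            "sourceIP": r.get("sourceIPAddress"),
            "readOnly": r.get("readOnly"),
        })
    return hits


def summarize(records):
    """Count (category, eventName) pairs to see what a log slice contains at a glance."""
    return Counter((event_category(r), r["eventName"]) for r in records)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for (category, name), n in sorted(summarize(recs).items()):
        print(f"{n:3d}  {category:<10} {name}")
    for hit in triage(recs):
        print(hit)
```

Real log files delivered to S3 are gzipped and there is one file per delivery, so in practice `load_records` is called once per decompressed file and the hits are concatenated; the watchlist is the set of Event names the cheat sheet lists for the ATT&CK phase being investigated.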
Methodology
How did we create this magic sheet you might ask. It’s a combination of the following:
- AWS Incident Response experience, based on real life incidents where we investigated incidents using CloudTrail [1][2][3][4];
- Conducting several known attacks in a test environment using Stratus;
- Using our collective brain power to think of scenarios and events that were missing from the previous two steps.
Tip: We love to hear from you! If you think we should add certain Event names, please create an issue on the GitHub page for this cheat sheet.
Cheat Sheet
The cheat sheet consists of the different Mitre ATT&CK phases and the Event names of interest.