Securing the cloud: Expert tips for analyzing AWS CloudTrail logs

渗透技巧 9个月前 admin
188 0 0

Securing the cloud: Expert tips for analyzing AWS CloudTrail logs

We’re going to navigate through the Amazon Web Services (AWS) ecosystem. Our mission is to unpack the complexities of the logs EC2 and S3, two of the most used AWS services. We’ll diligently go through, comprehend, analyze, and seamlessly embed CloudTrail directly into your AWS environment.
我们将浏览 Amazon Web Services (AWS) 生态系统。我们的任务是解开日志 EC2 和 S3 的复杂性,这是两种最常用的 AWS 服务。我们将认真研究、理解、分析 CloudTrail 并将其直接无缝嵌入到您的 AWS 环境中。

In this post, I’ll walk you through the process of uncovering logs. Our goal is to offer deeper insights into AWS event logs, empowering you with the knowledge to fortify the security of your infrastructure and safeguard your data.
在这篇文章中,我将引导您完成发现日志的过程。我们的目标是提供对 AWS 事件日志的更深入见解,为您提供增强基础设施安全性和保护数据的知识。

What is CloudTrail?  什么是 CloudTrail? 

CloudTrail is an Amazon service that logs all your AWS account’s activities which includes events that happened in the AWS management web console, Command Line Interfaces (CLI), Application Programming Interface (API), and Software Development Kit (SDK).
CloudTrail 是一项 Amazon 服务,用于记录您的 AWS 账户的所有活动,其中包括在 AWS 管理 Web 控制台、命令行界面 (CLI)、应用程序编程接口 (API) 和软件开发工具包 (SDK) 中发生的事件。

It keeps track of everything that happens so that organizations can monitor and investigate activities, trace changes, and create a full audit trail, which is essential for maintaining a secure and well-governed AWS environment while protecting sensitive data from potential intrusions. 
它跟踪发生的一切,以便组织可以监控和调查活动、跟踪更改并创建完整的审计跟踪,这对于维护安全且治理良好的 AWS 环境同时保护敏感数据免受潜在入侵至关重要。

Put your cloud defensive skills to the test with our Sherlocks Labs:
通过我们的 Sherlocks Labs 测试您的云防御技能:

Nubilum 1 努比鲁姆 1 Nubilum 2 努比鲁姆 2
Securing the cloud: Expert tips for analyzing AWS CloudTrail logs

Scenario: Our cloud administration team recently received a warning from Amazon that an EC2 instance deployed in our cloud environment is being utilized for malicious purposes. 
场景:我们的云管理团队最近收到来自 Amazon 的警告,称在我们的云环境中部署的 EC2 实例正被用于恶意目的。

Securing the cloud: Expert tips for analyzing AWS CloudTrail logs

Scenario: A user reported an urgent issue to the helpdesk: an inability to access files within a designated S3 directory. This disruption has not only impeded critical operations but has also raised immediate security concerns. The urgency of this situation demands a security-focused approach.
场景:用户向支持人员报告了一个紧急问题:无法访问指定 S3 目录中的文件。这种中断不仅阻碍了关键行动,而且还引发了迫在眉睫的安全问题。这种局势的紧迫性要求采取以安全为重点的办法。

How to access the AWS CloudTrail?
如何访问 AWS CloudTrail?
 

CloudTrail can be accessed through the AWS management console, AWS CLI, AWS SDKs, or programmatically via the Cloudtrail API. The AWS Management Console offers a straightforward way to search, filter, and visualize CloudTrail log data.
CloudTrail 可以通过 AWS 管理控制台、AWS CLI、AWS 开发工具包或通过 Cloudtrail API 以编程方式访问。AWS 管理控制台提供了一种搜索、筛选和可视化 CloudTrail 日志数据的简单方法。

To begin accessing CloudTrail AWS via Management Console, sign in to your AWS account > Services > Management & Governance > CloudTrail. Alternatively, you can search for “CloudTrail” in the console’s search bar, and click on the CloudTrail service.
要开始通过管理控制台访问 CloudTrail AWS,请在 CloudTrail > Services > Management & Governance >登录您的 AWS 账户。或者,您可以在控制台的搜索栏中搜索“CloudTrail”,然后单击 CloudTrail 服务。

Securing the cloud: Expert tips for analyzing AWS CloudTrail logs

Upon entering the CloudTrail dashboard, you’ll find a comprehensive overview, including the current Trails, Insights, and Event History.
进入 CloudTrail 控制面板后,您将找到一个全面的概述,包括当前的跟踪、见解和事件历史记录。

Is CloudTrail enabled by default?
默认情况下是否启用 CloudTrail?
 

Yes, CloudTrail is enabled by default, and you can view the events using Event history. However, it’s important to note that CloudTrail does not log events in real time; it generates log files approximately every 5 minutes.
是的,CloudTrail 默认处于启用状态,您可以使用事件历史记录查看事件。但是,请务必注意,CloudTrail 不会实时记录事件;它大约每 5 分钟生成一次日志文件。

Additionally, be mindful that the Event history retains only the most recent 90 days of management events. This implies that older events beyond this timeframe may not be accessible through CloudTrail and will be lost.
此外,请注意,事件历史记录仅保留最近 90 天的管理事件。这意味着超出此时间范围的旧事件可能无法通过 CloudTrail 访问,并且将丢失。

It’s also noteworthy that although CloudTrail is active by default, the default settings do not include data and insight events. To capture these additional details, you must explicitly enable these events.
同样值得注意的是,尽管 CloudTrail 默认处于活动状态,但默认设置不包括数据和见解事件。若要捕获这些其他详细信息,必须显式启用这些事件。

For a clearer understanding of the difference between these three events, refer to the table below:
要更清楚地了解这三个事件之间的区别,请参阅下表:

Event type 事件类型

Management 管理

Data 数据

Insight 洞察力

Definition 定义

Management events in AWS CloudTrail capture activities related to the management of AWS resources. These events focus on actions that modify or control AWS services, such as creating EC2 instances or S3 buckets, updating security groups, or modifying IAM roles.
AWS CloudTrail 中的管理事件捕获与 AWS 资源管理相关的活动。这些事件侧重于修改或控制 AWS 服务的操作,例如创建 EC2 实例或 S3 存储桶、更新安全组或修改 IAM 角色。

Data events provide a detailed record of API actions, particularly those involving S3 objects. These events offer valuable information about the users who interacted with the data, the type of interaction (such as reading or writing), and the exact time of the interaction. To ensure thorough monitoring and auditing of S3 object-level activities, enabling data events is essential.
数据事件提供 API 操作的详细记录,尤其是涉及 S3 对象的操作。这些事件提供有关与数据交互的用户、交互类型(如读取或写入)以及交互的确切时间的宝贵信息。为确保对 S3 对象级活动进行全面监控和审计,启用数据事件至关重要。

Insight events in AWS CloudTrail provide enhanced visibility into AWS resource configurations, access patterns, and potential security risks. These events are designed to simplify the analysis of CloudTrail logs by automatically identifying and summarizing important events and patterns.
AWS CloudTrail 中的 Insight 事件增强了对 AWS 资源配置、访问模式和潜在安全风险的可见性。这些事件旨在通过自动识别和汇总重要事件和模式来简化 CloudTrail 日志的分析。

Event examples 事件示例

RunInstances: An EC2 instance is launched.
RunInstances:启动 EC2 实例。

GetObject: A user retrieves an object from an S3 bucket.
GetObject:用户从 S3 存储桶中检索对象。

“eventType”: “AwsCloudTrailInsight”,
“eventType”: “AwsCloudTrailInsight”,

“insightDetails”: { “insightDetails”:{

“state”: “Start”, “state”: “开始”,

“eventSource”: “signin.amazonaws.com”,
“eventSource”: “signin.amazonaws.com”,

“eventName”: “ConsoleLogin”,
“eventName”: “控制台登录”,

“insightType”: “ApiCallRateInsight”,
“insightType”: “ApiCallRateInsight”,

“insightContext”: { “insightContext”:{

“statistics”: { “统计”:{

“baseline”: { “基线”:{

“average”: 0.0025390258 “平均”: 0.0025390258

},

“insight”: { “洞察”:{

“average”: 6.4 “平均”: 6.4

},

“insightDuration”: 5, “insightDuration”:5,

“baselineDuration”: 10634
“基线持续时间”:10634

},


An event is triggered when there is a notable deviation from the average baseline.
当与平均基线有明显偏差时,将触发事件。

TerminateInstances: An EC2 instance is terminated.
TerminateInstances:EC2 实例已终止。

PutObject: A new object is uploaded to an S3 bucket.
PutObject:将新对象上传到 S3 存储桶。

PutBucketPolicy: A new policy is applied to an S3 bucket.
PutBucketPolicy:将新策略应用于 S3 存储桶。

DeleteObject: An S3 object is deleted.

Moreover, keep in mind that CloudTrail records events in the specific AWS Region where the event occurred. If a particular event is not found in the logs, try switching to another AWS Region where the event might have transpired.

To view the Event History, select Event history from the navigation pane to view the events in the currently selected region.

Securing the cloud: Expert tips for analyzing AWS CloudTrail logs

CloudTrail log structure 
CloudTrail 日志结构
 

Securing the cloud: Expert tips for analyzing AWS CloudTrail logs

CloudTrail logs have a JSON format that includes detailed information about API calls made on the AWS account. When looking at a CloudTrail log, keep an eye on the following interesting fields:

Field

Description

Importance

eventTime

Timestamp of the event when the request was completed, formatted in UTC.

For establishing a timeline of events.

userIdentity

The IAM user, role, or AWS service who is submitting the request.

Information about the IAM user or AWS entity issuing the request is vital for accountability and to determine proper authorization.

eventSource

The AWS service that the request was made to.

Identifying the specific AWS service involved gives context and enables targeted analysis and comprehension of the operation’s nature.

eventName 事件名称

The API call or action that was requested.
请求的 API 调用或操作。

The exact action that is being requested can give a clue about the kind of operation being performed, which can help to better understand the objective of the action.
请求的确切操作可以提供有关正在执行的操作类型的线索,这有助于更好地了解操作的目标。

sourceIPAddress

Indicates the IP address from which the API call originated.
指示发起 API 调用的 IP 地址。

The IP address of the requester is critical for tracking the source of the request, and identifying potential unauthorized access.
请求者的 IP 地址对于跟踪请求的来源和识别潜在的未经授权的访问至关重要。

userAgent 用户代理

The initiating software or tool for the request, which could be an AWS Service, AWS Management Console, AWS SDK, or AWS CLI.
请求的启动软件或工具,可以是 AWS 服务、AWS 管理控制台、AWS 开发工具包或 AWS CLI。

The user agent information shows the software or tool used, contributing to the understanding of how communication with AWS services occurred.
用户代理信息显示所使用的软件或工具,有助于了解与 AWS 服务之间的通信是如何发生的。

requestParameters request参数

This field contains detailed information about the parameters used in the request.
此字段包含有关请求中使用的参数的详细信息。

This allows responders to examine the specific parameters associated with the API call, enabling the identification of values or resources involved.
这允许响应者检查与 API 调用关联的特定参数,从而能够识别所涉及的值或资源。

responseElements

The AWS service’s response to the request provides insights into the results and relevant details.
AWS 服务对请求的响应提供了对结果和相关详细信息的见解。

Captures the output of the request when the operation is successful; otherwise, it will return an errorCode in case of an issue.
在操作成功时捕获请求的输出;否则,它将在出现问题时返回 errorCode。

errorCode

Specific AWS service errors encountered during the event.
活动期间遇到的特定 AWS 服务错误。

It highlights the issues encountered and provides us with a quick idea of what the issue is about.
它突出显示了遇到的问题,并让我们快速了解问题的内容。

errorMessage

Description of the errorCode, adding context and detailing the kind of error that was encountered.

Complements the errorCode by giving deeper information about the issue, helping administrators or responders to conduct a more effective investigation.

Understanding the log structure is crucial for effective analysis and interpretation of CloudTrail data during forensic investigations. Let’s take a look at our example below:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDA52GPOBQCAXKB4JMJ7",
        "arn": "arn:aws:iam::012345678910:user/charlie.brown",
        "accountId": "012345678910",
        "userName": "charlie.brown"
    },
    "eventTime": "2023-04-11T02:57:19Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "ap-southeast-2",
    "sourceIPAddress": "11.22.33.44",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Success"
    },
    "additionalEventData": {
        "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&state=hashArgsFromTB_ap-southeast-2_c02abb26e8a93195",
        "MobileVersion": "No",
        "MFAUsed": "No"
    },
    "eventID": "a2d8a421-7035-4ab2-81be-36db912717be",
    "readOnly": false,
    "eventType": "AwsConsoleSignIn",
    "managementEvent": true,
    "recipientAccountId": "012345678910",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "ap-southeast-2.signin.aws.amazon.com"
    }
}

Based on the log above, we can determine that the user with the account “charlie.brown” successfully logged in on April 11th, 2023, at approximately 02:57:19 UTC. The login occurred using the AWS Management Console using a web browser, with the IP address 11.22.33.44.

The example illustrates the practical value of familiarizing ourselves with CloudTrail events, as it allows us to efficiently detect and respond to any unusual activities and manage potential security incidents.

How to keep events beyond 90 days? 

Creating an AWS Trail is our solution for retaining or having a copy of logs that are past the default 90-day retention period, as it will send the events to an S3 bucket. Trails play an important role in extending your log retention strategy, facilitating troubleshooting, and enabling you to maintain a record of occurrences for compliance, audit, and historical analysis.

To create a Trail, follow these steps:

  1. Select “Trails” in the left pane and click the “Create Trail” button.

  2. Give your Trail a name and either create a new S3 bucket or select an existing one. It’s recommended to encrypt your logs using a Key Management Service (KMS) since the data being transferred is sensitive. Additionally, you can configure CloudWatch logs to monitor your Trail and notify you in case of specified activities.

  3. Select the event types you want to log—whether it’s management, data, or insights. You can refer back to the table above to review the differences between the three.

For more details on setting up a Trail, you can find comprehensive information on AWS’ official page.

CloudTrail log analysis examples 

Now, let’s jump in and have some fun digging into these sample logs!

1. Unapproved EC2 instance deployment 

Scenario:

An organization utilizing Amazon Web Services (AWS) experienced an unexpected and unauthorized EC2 instance launch outside of normal business hours. The CloudTrail logs revealed this security incident, prompting an immediate investigation.

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDABC123ABC123ABC123",
        "arn": "arn:aws:iam::012345678910:user/testaccount",
        "accountId": "012345678910",
        "accessKeyId": "AKIABC123ABC123ABC123",
        "userName": "testaccount",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-05-24T18:49:01Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-05-24T18:51:25Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "RunInstances",
    "awsRegion": "eu-north-1",
    "sourceIPAddress": "98.76.54.32",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "instancesSet": {
            "items": [
                {
                    "imageId": "ami-0fc5d935ebf8bc3bc",
                    "minCount": 1,
                    "maxCount": 1,
                    "keyName": "keyPair1"
                }
            ]
        },
        "instanceType": "c7a.48xlarge",
        "blockDeviceMapping": {
            "items": [
                {
                    "deviceName": "/dev/sda1",
                    "ebs": {
                        "snapshotId": "snap-0fe62e94bc2ecc9d5",
                        "volumeSize": 8192,
                        "deleteOnTermination": true,
                        "volumeType": "gp3",
                        "iops": 3000,
                        "encrypted": false,
                        "throughput": 125
                    }
                }
            ]
        },
        "monitoring": {
            "enabled": false
        },
        "disableApiTermination": false,
        "disableApiStop": false,
        "clientToken": "5aeb67db-63c0-4768-a109-7e61b3b05966",
        "networkInterfaceSet": {
            "items": [
                {
                    "deviceIndex": 0,
                    "subnetId": "subnet-06b4b5bc0a0ecca33",
                    "associatePublicIpAddress": true,
                    "groupSet": {
                        "items": [
                            {
                                "groupId": "sg-082eb78cec3a15c91"
                            }
                        ]
                    }
                }
            ]
        },
        "ebsOptimized": true,
        "tagSpecificationSet": {
            "items": [
                {
                    "resourceType": "instance",
                    "tags": [
                        {
                            "key": "Name",
                            "value": "prod-server"
                        }
                    ]
                }
            ]
        },
        "metadataOptions": {
            "httpTokens": "required",
            "httpPutResponseHopLimit": 2,
            "httpEndpoint": "enabled"
        },
        "privateDnsNameOptions": {
            "hostnameType": "ip-name",
            "enableResourceNameDnsARecord": false,
            "enableResourceNameDnsAAAARecord": false
        }
    },
    "responseElements": {
        "requestId": "2d42f697-341f-4741-8a51-e528e4a1aef9",
        "reservationId": "r-079e466e68869914a",
        "ownerId": "012345678910",
        "groupSet": {},
        "instancesSet": {
            "items": [
                {
                    "instanceId": "i-0705171eb7239568e",
                    "imageId": "ami-0fc5d935ebf8bc3bc",
                    "currentInstanceBootMode": "legacy-bios",
                    "instanceState": {
                        "code": 0,
                        "name": "pending"
                    },
                    "privateDnsName": "ip-192-168-0-9.ec2.internal",
                    "keyName": "keyPair1",
                    "amiLaunchIndex": 0,
                    "productCodes": {},
                    "instanceType": "c7a.48xlarge",
                    "launchTime": 1701240684000,
                    "placement": {
                        "availabilityZone": "eu-north-1a",
                        "tenancy": "default"
                    },
                    "monitoring": {
                        "state": "disabled"
                    },
                    "subnetId": "subnet-06b4b5bc0a0ecca33",
                    "vpcId": "vpc-0f97b19654604cc18",
                    "privateIpAddress": "192.168.0.9",
                    "stateReason": {
                        "code": "pending",
                        "message": "pending"
                    },
                    "architecture": "x86_64",
                    "rootDeviceType": "ebs",
                    "rootDeviceName": "/dev/sda1",
                    "blockDeviceMapping": {},
                    "virtualizationType": "hvm",
                    "hypervisor": "xen",
                    "tagSet": {
                        "items": [
                            {
                                "key": "Name",
                                "value": "prod-server"
                            }
                        ]
                    },
                    "clientToken": "5aeb67db-63c0-4768-a109-7e61b3b05966",
                    "groupSet": {
                        "items": [
                            {
                                "groupId": "sg-082eb78cec3a15c91",
                                "groupName": "default"
                            }
                        ]
                    },
                    "sourceDestCheck": true,
                    "networkInterfaceSet": {
                        "items": [
                            {
                                "networkInterfaceId": "eni-083413ea4cfd59843",
                                "subnetId": "subnet-06b4b5bc0a0ecca33",
                                "vpcId": "vpc-0f97b19654604cc18",
                                "ownerId": "012345678910",
                                "status": "in-use",
                                "macAddress": "0e:d8:ce:d9:3b:25",
                                "privateIpAddress": "192.168.0.9",
                                "privateDnsName": "ip-192-168-0-9.ec2.internal",
                                "sourceDestCheck": true,
                                "interfaceType": "interface",
                                "groupSet": {
                                    "items": [
                                        {
                                            "groupId": "sg-082eb78cec3a15c91",
                                            "groupName": "default"
                                        }
                                    ]
                                },
                                "attachment": {
                                    "attachmentId": "eni-attach-099a4e91bc22870db",
                                    "deviceIndex": 0,
                                    "networkCardIndex": 0,
                                    "status": "attaching",
                                    "attachTime": 1684911084000,
                                    "deleteOnTermination": true
                                },
                                "privateIpAddressesSet": {
                                    "item": [
                                        {
                                            "privateIpAddress": "192.168.0.9",
                                            "privateDnsName": "ip-192-168-0-9.ec2.internal",
                                            "primary": true
                                        }
                                    ]
                                },
                                "ipv6AddressesSet": {},
                                "tagSet": {}
                            }
                        ]
                    },
                    "ebsOptimized": true,
                    "enaSupport": true,
                    "cpuOptions": {
                        "coreCount": 1,
                        "threadsPerCore": 2
                    },
                    "capacityReservationSpecification": {
                        "capacityReservationPreference": "open"
                    },
                    "enclaveOptions": {
                        "enabled": false
                    },
                    "metadataOptions": {
                        "state": "pending",
                        "httpTokens": "required",
                        "httpPutResponseHopLimit": 2,
                        "httpEndpoint": "enabled",
                        "httpProtocolIpv4": "enabled",
                        "httpProtocolIpv6": "disabled",
                        "instanceMetadataTags": "disabled"
                    },
                    "maintenanceOptions": {
                        "autoRecovery": "default"
                    },
                    "privateDnsNameOptions": {
                        "hostnameType": "ip-name",
                        "enableResourceNameDnsARecord": false,
                        "enableResourceNameDnsAAAARecord": false
                    }
                }
            ]
        }
    },
    "requestID": "2d42f697-341f-4741-8a51-e528e4a1aef9",
    "eventID": "5a4fa254-3644-4407-a0d4-060a60a7422d",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "012345678910",
    "eventCategory": "Management",
    "sessionCredentialFromConsole": "true"
}

Questions: 问题:

  1. Which security group was associated with the newly launched EC2 instance?
    哪个安全组与新启动的 EC2 实例相关联?

  2. What kind of server was created?
    创建了什么样的服务器?

Analysis: 分析:

To find out which security group is linked to the recently launched EC2 instance, we should check the “responseElements” section. This part contains details about the created instance, including the group’s ID and Name. By examining these details, you can pinpoint the specific security group associated with the instance.
要找出哪个安全组链接到最近启动的 EC2 实例,我们应该检查“responseElements”部分。这部分包含有关已创建实例的详细信息,包括组的 ID 和 Name。通过检查这些详细信息,您可以查明与实例关联的特定安全组。

For the second question regarding the type of server created, inspect the “requestParameters” field in the CloudTrail log, which contains details about the requested resources. Let’s then pay attention to the “instanceType” value, indicating the type of EC2 instance launched. You can also check the “imageId” field to identify the Amazon Machine Image (AMI) used for creating the instance.
对于有关所创建服务器类型的第二个问题,请检查 CloudTrail 日志中的“requestParameters”字段,其中包含有关所请求资源的详细信息。然后,让我们关注 “instanceType” 值,该值指示启动的 EC2 实例的类型。您还可以选中“imageId”字段以标识用于创建实例的 Amazon 系统映像 (AMI)。

Answers: 答案:

  1. default 违约

  2. c7a.48xlarge C7A.48X大

2. Unauthorized bucket configuration changes
2. 未经授权的存储桶配置更改
 

Scenario: 场景:

An AWS account owner notices unexpected alterations to the configurations of an S3 bucket. The bucket, initially set to private access, has been modified to allow public access. This unauthorized change raises concerns about data security and compliance.
AWS 账户拥有者注意到 S3 存储桶的配置发生了意外更改。最初设置为私有访问的存储桶已修改为允许公有访问。这种未经授权的更改引发了对数据安全性和合规性的担忧。

{
    "eventVersion": "1.09",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDABC123ABC123ABC123",
        "arn": "arn:aws:iam::012345678910:user/I4mUser",
        "accountId": "012345678910",
        "accessKeyId": "AKIABC123ABC123ABC123",
        "userName": "I4mUser",
        "sessionContext": {
            "attributes": {
                "creationDate": "2023-01-02T06:49:01Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-01-02T07:26:47Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "PutBucketPolicy",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "34.12.56.78",
    "userAgent": "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]",
    "requestParameters": {
        "bucketPolicy": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "PublicReadGetObject",
                    "Effect": "Allow",
                    "Principal": "*",
                    "Action": [
                        "s3:GetObject"
                    ],
                    "Resource": [
                        "arn:aws:s3:::secret-bucket/*"
                    ]
                }
            ]
        },
        "bucketName": "secret-bucket",
        "Host": "s3.amazonaws.com",
        "policy": ""
    },
    "responseElements": null,
    "additionalEventData": {
        "SignatureVersion": "SigV4",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "bytesTransferredIn": 349,
        "AuthenticationMethod": "AuthHeader",
        "x-amz-id-2": "LosKyYHy7c23S31ShGCVVyUA2MUeaENMAHoRmv6IITHCSxG6gKnEQZO7mhKQKOqd8mfGCSiO0E0=",
        "bytesTransferredOut": 0
    },
    "requestID": "E53WA2ETV5MG3CV7",
    "eventID": "5b256c0b-cfb7-4a98-bfe9-c99acd84a5ad",
    "readOnly": false,
    "resources": [
        {
            "accountId": "012345678910",
            "type": "AWS::S3::Bucket",
            "ARN": "arn:aws:s3:::secret-bucket"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "012345678910",
    "vpcEndpointId": "vpce-f40dc59d",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "s3.amazonaws.com"
    }
}

Questions: 问题:

  1. Identify the user account responsible for modifying the S3 bucket.
    确定负责修改 S3 存储桶的用户账户。

  2. Which S3 bucket was affected?
    哪个 S3 存储桶受到影响?

Analysis: 分析:

To discover who made the changes to the S3 bucket, examine the “userIdentity” section and focus on the “userName” field. This field contains the IAM account linked to the modification, which can help you pinpoint the individual or entity responsible for the changes made to the bucket.
要了解谁对 S3 存储桶进行了更改,请检查“userIdentity”部分并重点关注“userName”字段。此字段包含与修改关联的 IAM 账户,该账户可帮助您查明负责对存储桶所做的更改的个人或实体。

Following that, to determine the bucket impacted by the unauthorized modifications, we can take a look at the “resources” section in the CloudTrail log or the “requestParameters” section. There, we’ll find the “bucketName” that has been singled out for alteration.
之后,要确定受未经授权的修改影响的存储桶,我们可以查看 CloudTrail 日志中的“resources”部分或“requestParameters”部分。在那里,我们将找到被挑出来进行更改的“bucketName”。

Answers: 答案:

  1. I4mUser I4m用户

  2. secret-bucket 秘密桶

3. Unusual S3 object activity
3. 异常的 S3 对象活动
 

A cybersecurity incident unfolded within a corporate AWS environment involving an unusual S3 object download. The incident raised concerns about potential data exfiltration and prompted a swift response from the security team.
在企业 AWS 环境中发生的网络安全事件涉及异常的 S3 对象下载。该事件引发了对潜在数据泄露的担忧,并促使安全团队迅速做出反应。

An AWS CloudTrail log captured an unexpected S3 “GetObject” event within the corporate AWS environment. The incident, initiated by an IAM user, involved the retrieval of a specific S3 object from a designated bucket. While the event itself appeared legitimate, certain characteristics raised concerns, prompting a thorough investigation.
AWS CloudTrail 日志在企业 AWS 环境中捕获了意外的 S3“GetObject”事件。该事件由 IAM 用户发起,涉及从指定存储桶中检索特定 S3 对象。虽然事件本身似乎是合法的,但某些特征引起了人们的担忧,促使进行了彻底的调查。

{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDABC123ABC123ABC123",
    "arn": "arn:aws:iam::012345678910:user/hr-isabella.davis",
    "accountId": "012345678910",
    "accessKeyId": "AKIABC123ABC123ABC123",
    "userName": "hr-isabella.davis"
  },
  "eventTime": "2023-08-10T15:25:39Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "12.34.56.78",
  "userAgent": "[aws-cli/2.12.0 Python/3.11.4 Linux/5.11.0-27-generic source/x86_64.ubuntu.20.04 prompt/off command/s3.cp]"
  "requestParameters": {
    "bucketName": "private-data",
    "Host": "private-data.s3.us-east-1.amazonaws.com",
    "key": "documents/orgReport.pdf"
  },
  "responseElements": null,
  "additionalEventData": {
    "SignatureVersion": "SigV4",
    "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
    "bytesTransferredIn": 0,
    "AuthenticationMethod": "AuthHeader",
    "x-amz-id-2": "J7vZCNYUnuRNNIPDJLShdXiXIADgqE10y88gIChEkjekGK7ZogFgxM46H91GqGzuOWSWe/ivhzQ=",
    "bytesTransferredOut": 1500000
  },
  "requestID": "PMAW548SHGSN4MNV",
  "eventID": "77eaea22-8bb7-4aa2-bc92-82df8fd73873",
  "readOnly": true,
  "resources": [
    {
      "type": "AWS::S3::Object",
      "ARN": "arn:aws:s3:::private-data/documents/orgReport.pdf"
    },
    {
      "accountId": "012345678910",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::private-data"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "012345678910",
  "eventCategory": "Data",
  "tlsDetails": {
    "tlsVersion": "TLSv1.2",
    "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
    "clientProvidedHostHeader": "private-data.s3.us-east-1.amazonaws.com"
  }
}

Questions: 问题:

  1. What tool facilitated the file download?
    什么工具促进了文件下载?

  2. What is the volume of data transferred out of the S3 bucket?
    从 S3 存储桶传出的数据量是多少?

Analysis: 分析:

The key to figuring out which tool was used for the download lies in the “userAgent” field. This field provides important information about the client or application that initiated the file retrieval.
确定用于下载的工具的关键在于“userAgent”字段。此字段提供有关启动文件检索的客户端或应用程序的重要信息。

Turning to the second question about the data transfer, our focus should be on the “additionalEventData” section. This section contains significant details like the amount of data transferred in and out.
关于数据传输的第二个问题,我们的重点应该放在“additionalEventData”部分。本部分包含重要详细信息,例如传入和传出的数据量。

Answers: 答案:

  1. AWS CLI AWS 命令行界面

  2. 1500000

Proficiency unlocked: Navigating AWS CloudTrail logs
熟练度已解锁:导航 AWS CloudTrail 日志
 

Congratulations! You’ve successfully gained new skills in administering, comprehending, and analyzing AWS CloudTrail logs–a valuable skill set that’s pivotal for ensuring the security of your cloud infrastructure.
祝贺!您已经成功掌握了管理、理解和分析 AWS CloudTrail 日志的新技能,这是一项宝贵的技能,对于确保云基础设施的安全性至关重要。

As we’ve explored the complexities of log structures through our sample cases, you’re now equipped to reconstruct events, identify irregularities, and promptly address potential security threats. 
由于我们已经通过示例案例探索了日志结构的复杂性,因此您现在能够重建事件、识别违规行为并及时解决潜在的安全威胁。

Your commitment to enhancing your knowledge for a more secure cloud infrastructure is truly admirable and aligns perfectly with the essential skill set required for positions such as SOC and cybersecurity analysts.
您致力于增强您的知识以实现更安全的云基础设施,这确实令人钦佩,并且与 SOC 和网络安全分析师等职位所需的基本技能完全一致。

But, hold on tight because there’s an exciting next step!
但是,请紧紧抓住,因为下一步令人兴奋!

It’s time to level up!
是时候升级了!
 

Become a job-ready SOC analyst
成为就绪的 SOC 分析师

Securing the cloud: Expert tips for analyzing AWS CloudTrail logs

  • Learn core security monitoring and security analysis concepts. You’ll gain a deep understanding of tools, attack tactics, and methodologies used by cybercriminals.
    了解核心安全监控和安全分析概念。您将深入了解网络犯罪分子使用的工具、攻击策略和方法。

  • Practice with hands-on exercises. Put theory into practice with plenty of exercises to push your knowledge to its limits!
    通过动手练习进行练习。通过大量练习将理论付诸实践,将您的知识推向极限!

  • Leave with the right mindset. Becoming a SOC analyst is about the mindset, you’ll learn how to think like a hacker so you can defend against them.
    带着正确的心态离开。成为 SOC 分析师是关于心态的,您将学习如何像黑客一样思考,以便您可以防御它们。

Ready to supercharge your skills even further? Take the leap and sign up for HTB Labs to experience the thrill of learning with our virtual lab environments. It offers a realistic setting where you can apply your knowledge and skills. Whether you’re a beginner or a seasoned professional, a blue or a red teamer, our labs offer a dynamic space to elevate your skills.
准备好进一步提升您的技能了吗?快来注册 HTB Labs,体验在我们的虚拟实验室环境中学习的快感。它提供了一个逼真的环境,您可以在其中应用您的知识和技能。无论您是初学者还是经验丰富的专业人士,无论是蓝队还是红队队员,我们的实验室都能为您提供一个动态空间来提升您的技能。

It’s your golden ticket to unlocking a whole new level of expertise and embarking on an incredible learning adventure!
这是您解锁全新专业知识水平并开始令人难以置信的学习冒险的黄金门票!

原文始发于n4ch0:Securing the cloud: Expert tips for analyzing AWS CloudTrail logs

版权声明:admin 发表于 2024年2月22日 上午11:57。
转载请注明:Securing the cloud: Expert tips for analyzing AWS CloudTrail logs | CTF导航

相关文章