How to Detect Someone Erasing Cloudtrail Logs


I'd like to monitor for anyone trying to erase logs from my CloudTrail's S3 Bucket.

I tried deleting one of the logs in this bucket myself, with my own IAM user, but CloudTrail itself didn't seem to notice that I had erased an object from its bucket.

Is there specific monitoring I have to activate to check whether these logs are being erased by a possible attacker?

Also, as a plus: is there any way GuardDuty detects this kind of action in my environment?

Thanks in advance.



Accepted answer:

You can use CloudTrail log file validation for this, which can be enabled in the console or via the AWS CLI:

To validate the integrity of CloudTrail log files, you can use the AWS CLI or create your own solution. The AWS CLI will validate files in the location where CloudTrail delivered them.
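What the validation actually checks is worth seeing in code. The block below is an added example, not part of the answer above or of any AWS tooling: it rebuilds the hash part of a CloudTrail digest file over constructed log objects, then re-validates after one object is deleted and another is rewritten. Bucket name, account id, object keys and log contents are all constructed; the RSA signature (SHA256withRSA) that CloudTrail stores in the digest object's metadata, and that `aws cloudtrail validate-logs` verifies with the keys from `aws cloudtrail list-public-keys`, is not checked here.

```python
"""Offline integrity check of a CloudTrail digest file against the log objects it lists.

Added example (not from the original answer). All data below is constructed; a real
digest comes from the trail's S3 bucket (under .../CloudTrail-Digest/...) and also carries
an RSA signature (SHA256withRSA) in the object's metadata, which `aws cloudtrail
validate-logs` checks with the public key from `aws cloudtrail list-public-keys`.
That signature check is omitted here; only the hash and chain checks are shown.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

Bucket = Dict[str, bytes]   # simulates the trail bucket: object key -> object bytes as delivered


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(bucket: Bucket, log_keys: List[str], previous_digest_hash: str) -> dict:
    """Mimic the hourly digest CloudTrail writes: one SHA-256 per delivered log object
    (hashed as delivered, i.e. the .json.gz bytes) plus the hash of the previous digest.
    Only the fields the check below uses are included; real digests carry more."""
    return {
        "digestEndTime": "2023-01-01T01:00:00Z",
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": previous_digest_hash,
        "logFiles": [
            {
                "s3Bucket": "my-cloudtrail-bucket",   # constructed bucket name
                "s3Object": key,
                "hashAlgorithm": "SHA-256",
                "hashValue": sha256_hex(bucket[key]),
            }
            for key in log_keys
        ],
    }


def validate_digest(digest: dict, bucket: Bucket,
                    previous_digest: Optional[bytes] = None) -> List[Tuple[str, str]]:
    """Return findings as (kind, key); an empty list means every referenced log object is intact.
    MISSING: the log object is gone (deleted); MODIFIED: bytes no longer match the recorded hash;
    CHAIN_BROKEN: the previous digest is not the one this digest was chained to (gap or tampering)."""
    findings: List[Tuple[str, str]] = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        data = bucket.get(key)
        if data is None:
            findings.append(("MISSING", key))
        elif sha256_hex(data) != entry["hashValue"]:
            findings.append(("MODIFIED", key))
    if previous_digest is not None and sha256_hex(previous_digest) != digest["previousDigestHashValue"]:
        findings.append(("CHAIN_BROKEN", "previous digest"))
    return findings


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Constructed scenario: two delivered log objects, then an attacker deletes one
    and rewrites the other. Returns (findings before tampering, findings after)."""
    prefix = "AWSLogs/111122223333/CloudTrail/us-east-1/2023/01/01/"
    bucket: Bucket = {
        prefix + "111122223333_CloudTrail_us-east-1_20230101T0005Z_a.json.gz":
            b'{"Records":[{"eventName":"ListBuckets"}]}',
        prefix + "111122223333_CloudTrail_us-east-1_20230101T0010Z_b.json.gz":
            b'{"Records":[{"eventName":"ConsoleLogin"}]}',
    }
    keys = sorted(bucket)
    previous_digest = json.dumps({"logFiles": []}).encode()  # stands in for last hour's digest file
    digest = build_digest(bucket, keys, sha256_hex(previous_digest))

    before = validate_digest(digest, bucket, previous_digest)

    tampered: Bucket = dict(bucket)
    del tampered[keys[1]]                                   # erase the second log object
    tampered[keys[0]] = b'{"Records":[]}'                   # scrub the first one in place
    after = validate_digest(digest, tampered, previous_digest)
    return before, after


if __name__ == "__main__":
    print(demo())
```

In practice you run `aws cloudtrail validate-logs --trail-arn <trail-arn> --start-time <ISO-8601>` (optionally `--end-time`, `--s3-bucket`, `--s3-prefix`, `--verbose`), which performs the same hash comparison per log file, verifies each digest's signature, and walks the chain of `previousDigestS3Object` references; because every digest names and hashes its predecessor, deleting a digest file shows up as a break in that chain rather than going unnoticed. Nothing about this is real-time: it finds erasure after the fact, and only for the window you ask it to validate.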

Answer:

You can use CloudTrail log validation, but be aware that it won't alert you automatically. Instead, it leaves a trail whose integrity you can validate on demand. See this link for some details on that.

If you are ingesting these logs into a log aggregator, like Splunk or ELK, then you can define alarms for the CloudTrail actions that delete log files from the S3 bucket that contains your logs. If you don't have that, you might be able to use CloudWatch alarms to trigger off events from CloudTrail, but be aware that it is a fairly blunt instrument and you may not get the granularity in the search you want.

I do not think GuardDuty would alarm on this type of action, but I could be wrong.
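The alarm this answer describes, written out as detection logic a practitioner could drop into an aggregator pipeline or a Lambda behind CloudWatch Logs. This is an added example, not code from the answer: `TRAIL_BUCKET`, the user and role ARNs and the sample records are all constructed. Note that object-level calls such as `DeleteObject` are S3 data events and are only recorded when data-event logging is enabled for the bucket (which is why a delete can go unnoticed on a management-events-only trail); `StopLogging`, `UpdateTrail` and bucket-configuration changes are management events and are always logged, so the rule covers both.

```python
"""Detection rule over CloudTrail records, the way a Splunk/ELK alert or a Lambda behind
CloudWatch Logs would run it. Added example, not from the answer above; records are constructed.
`TRAIL_BUCKET` is an assumed name. Object-level deletes in the trail bucket only appear in
CloudTrail when S3 data events are enabled for that bucket; the management events
(StopLogging, UpdateTrail, lifecycle changes, ...) are logged on every trail."""
from typing import List, Optional

TRAIL_BUCKET = "my-cloudtrail-bucket"  # hypothetical: the bucket your trail delivers to

# Management events (eventSource cloudtrail.amazonaws.com) that blind or weaken the trail.
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# Bucket-level changes that can make log objects expire or lose protection without any DeleteObject.
BUCKET_TAMPER = {"DeleteBucket", "PutBucketLifecycle", "PutBucketLifecycleConfiguration",
                 "PutBucketPolicy", "DeleteBucketPolicy", "PutBucketVersioning"}
# Object-level deletes (S3 data events; need data-event logging on the bucket to be recorded).
OBJECT_DELETE = {"DeleteObject", "DeleteObjects"}


def evaluate(record: dict) -> Optional[dict]:
    """Return an alert dict for a suspicious record, or None."""
    name = record.get("eventName", "")
    source = record.get("eventSource", "")
    params = record.get("requestParameters") or {}
    alert = {
        "time": record.get("eventTime"),
        "event": name,
        "who": (record.get("userIdentity") or {}).get("arn", "unknown"),
        "ip": record.get("sourceIPAddress"),
        # a denied attempt is still a record (errorCode set) and still worth paging on
        "outcome": "denied" if record.get("errorCode") else "succeeded",
    }
    if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER:
        return {**alert, "severity": "high", "reason": "trail stopped, deleted or reconfigured"}
    if source == "s3.amazonaws.com" and params.get("bucketName") == TRAIL_BUCKET:
        if name in OBJECT_DELETE:
            key = params.get("key", "<multi-object delete>")
            return {**alert, "severity": "high", "reason": f"log object deleted from trail bucket: {key}"}
        if name in BUCKET_TAMPER:
            return {**alert, "severity": "medium", "reason": "trail bucket policy, lifecycle or versioning changed"}
    return None


def scan(records: List[dict]) -> List[dict]:
    return [a for a in (evaluate(r) for r in records) if a is not None]


def sample_records() -> List[dict]:
    """Constructed records in CloudTrail's shape (subset of fields)."""
    def rec(source, name, who, **extra):
        return {"eventVersion": "1.08", "eventTime": "2023-01-01T00:30:00Z", "eventSource": source,
                "eventName": name, "sourceIPAddress": "203.0.113.10",
                "userIdentity": {"type": "IAMUser", "arn": who}, **extra}
    user = "arn:aws:iam::111122223333:user/alice"
    reader = "arn:aws:sts::111122223333:assumed-role/log-reader/splunk"
    log_key = ("AWSLogs/111122223333/CloudTrail/us-east-1/2023/01/01/"
               "111122223333_CloudTrail_us-east-1_20230101T0005Z_a.json.gz")
    return [
        rec("s3.amazonaws.com", "GetObject", reader, requestParameters={"bucketName": TRAIL_BUCKET, "key": log_key}),
        rec("s3.amazonaws.com", "DeleteObject", user, requestParameters={"bucketName": "app-uploads", "key": "tmp/x"}),
        rec("s3.amazonaws.com", "DeleteObject", user, requestParameters={"bucketName": TRAIL_BUCKET, "key": log_key}),
        rec("s3.amazonaws.com", "DeleteObjects", user, errorCode="AccessDenied",
            requestParameters={"bucketName": TRAIL_BUCKET}),
        rec("cloudtrail.amazonaws.com", "StopLogging", user, requestParameters={"name": "org-trail"}),
        rec("s3.amazonaws.com", "PutBucketLifecycle", user, requestParameters={"bucketName": TRAIL_BUCKET}),
    ]


if __name__ == "__main__":
    for alert in scan(sample_records()):
        print(alert)
```

Of the six constructed records, the read by the log-reader role and the delete in an unrelated bucket are ignored; the object delete, the denied bulk delete, the `StopLogging` call and the lifecycle change each produce an alert. Keying on the bucket name in `requestParameters` rather than on the event name alone is what keeps the rule from firing on every delete in the account.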

Answer:
  1. Enable CloudTrail to monitor both management and data events. When you enable monitoring for data events, all S3-related data events will also be monitored by CloudTrail.

  2. Enable log file integrity validation in CloudTrail. CloudTrail creates a hash for every log file that it delivers. Every hour, CloudTrail also creates and delivers a file that references the log files for the last hour and contains a hash of each. This file is called a digest file. CloudTrail signs each digest file using the private key of a public/private key pair.

  3. Additionally, set up Lambda functions for S3 delete events to trigger notifications through SNS if needed.

  4. As a best practice, if you manage multiple AWS accounts, manage CloudTrail with AWS Organizations and log the trail into a dedicated AWS account specific for logging, with restricted access. Also consider enabling cross-region replication/versioning of the S3 bucket, and enable MFA delete to require multi-factor authentication (MFA) when deleting an object version.
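Step 3 above, as an added example that is not part of the answer: a Lambda handler for the S3 `ObjectRemoved:*` notifications on the trail bucket, which turns each removal into an SNS message. It assumes the bucket has an event notification for `s3:ObjectRemoved:*` pointing at the function and that `SNS_TOPIC_ARN` is set in the function's environment; the bucket name, principal id and sample event are constructed. It also draws the distinction that step 4's versioning and MFA delete rely on: on a versioned bucket a plain `DeleteObject` only creates a delete marker (`ObjectRemoved:DeleteMarkerCreated`) and the data is still recoverable, whereas deleting a specific version (`ObjectRemoved:Delete` with a `versionId`) is the permanent loss that MFA delete exists to block, so the two are reported differently.

```python
"""Lambda handler for S3 ObjectRemoved:* notifications on the trail bucket, forwarding to SNS.

Added example, not from the answer above. Assumes the bucket has an event notification for
s3:ObjectRemoved:* pointing at this function and that SNS_TOPIC_ARN is set in the function's
environment; the sample event is constructed. On a versioned bucket a plain DeleteObject only
creates a delete marker (ObjectRemoved:DeleteMarkerCreated) and the data is recoverable; a
delete of a specific version (ObjectRemoved:Delete with a versionId) is the permanent loss
that MFA delete is meant to block, so the two are reported differently."""
import json
import os
from typing import List
from urllib.parse import unquote_plus


def describe_removal(record: dict) -> dict:
    s3 = record["s3"]
    # A delete marker also carries a versionId (the marker's own), so the event name,
    # not the presence of versionId, is what tells permanent removal from a marker.
    permanent = record["eventName"] == "ObjectRemoved:Delete"
    return {
        "time": record.get("eventTime"),
        "bucket": s3["bucket"]["name"],
        "key": unquote_plus(s3["object"]["key"]),   # S3 URL-encodes keys in notifications
        "version_id": s3["object"].get("versionId"),
        "kind": "permanent" if permanent else "delete_marker",
        "principal": (record.get("userIdentity") or {}).get("principalId"),
        "ip": (record.get("requestParameters") or {}).get("sourceIPAddress"),
    }


def find_removals(event: dict) -> List[dict]:
    return [describe_removal(r) for r in event.get("Records", [])
            if r.get("eventSource") == "aws:s3" and r.get("eventName", "").startswith("ObjectRemoved:")]


def lambda_handler(event: dict, context) -> dict:
    findings = find_removals(event)
    topic = os.environ.get("SNS_TOPIC_ARN")
    if findings and topic:
        import boto3  # present in the Lambda runtime; imported lazily so the module runs offline
        boto3.client("sns").publish(
            TopicArn=topic,
            Subject="CloudTrail log object removed",
            Message=json.dumps(findings, indent=2),
        )
    return {"alerts": len(findings), "findings": findings}


def sample_event() -> dict:
    """Constructed S3 notification with two records: a delete marker and a permanent version delete."""
    def rec(name, key, version_id):
        return {"eventVersion": "2.1", "eventSource": "aws:s3", "awsRegion": "us-east-1",
                "eventTime": "2023-01-01T00:31:00Z", "eventName": name,
                "userIdentity": {"principalId": "AWS:AIDAEXAMPLEALICE"},
                "requestParameters": {"sourceIPAddress": "203.0.113.10"},
                "s3": {"bucket": {"name": "my-cloudtrail-bucket"},
                       "object": {"key": key, "size": 0, "versionId": version_id}}}
    key = ("AWSLogs/111122223333/CloudTrail/us-east-1/2023/01/01/"
           "111122223333_CloudTrail_us-east-1_20230101T0005Z_a.json.gz")
    return {"Records": [
        rec("ObjectRemoved:DeleteMarkerCreated", key, "MARKER0000000000000000000000000001"),
        rec("ObjectRemoved:Delete", key, "3HL4kqtJlcpXroDTDmJ+rmSpXd3dIbrHY"),
    ]}


if __name__ == "__main__":
    print(json.dumps(lambda_handler(sample_event(), None), indent=2))
```

Because the notification is sent by S3 itself, this fires regardless of whether the trail logs data events, which makes it a useful complement to a CloudTrail-based rule; a delete marker on a versioned bucket can be rolled back by removing the marker, while a `permanent` finding means the version is gone and only replication to the logging account can bring it back.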