Recently I was pointed in the direction of AWS CloudTrail documentation and, specifically, something that I consider quite a gem for anyone who wants to get an early heads up about security events on their AWS account. Be it personal or corporate.
The gem in question is here:
As the name suggests, it contains a link to a CloudFormation template with a pre-made list of alerts for when:
- S3 bucket policies, replication, lifecycle or ACL rules change
- Network events happen
- EC2 instances are started/stopped
- CloudTrail configuration changes
- Failed console sign-ins to your account
- Authorization failures for any API calls
- IAM policy changes
The template assumes you already have a CloudTrail trail forwarding events to CloudWatch Logs; the alerts are triggered by CloudWatch alarms on metrics generated from metric filters over that log group.
The default set of alerts is quite good and can be tweaked and tuned for individual accounts, but the best part, I think, is that it is possible to have all this for free.
The first CloudTrail in an AWS account is free for management events (even if it tracks all regions). The CloudWatch Logs free tier is 5GB, which should be enough for a personal account running on a tight budget. Finally, there are 10 metrics and alarms in the template, which happens to be exactly the free tier of CloudWatch Metrics and Alarms.
Of course it is possible to tweak and tune it for individual cases. Personally, I find CloudFormation templates in YAML format much easier to handle, so I have translated the original to YAML. Download it here.
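To show how the pieces fit together (trail log group, metric filter, metric, alarm, notification), here is an added example in CloudFormation YAML covering two of the alerts from the list above: failed console sign-ins and API authorization failures. It is my own illustration, not the AWS-provided template or my translation of it. It assumes the CloudTrail log group already exists and is passed in as a parameter; the filter patterns, thresholds, metric namespace and the notification address are my assumptions and placeholders, to be tuned per account.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example (not the AWS-provided template): two CloudTrail alerts built as
  CloudWatch Logs metric filters plus alarms that publish to an SNS topic.

Parameters:
  LogGroupName:
    Type: String
    Description: CloudWatch Logs group that the CloudTrail trail delivers to (assumed to exist already).
  NotificationEmail:
    Type: String
    Description: Address subscribed to the alert topic (constructed placeholder, replace before deploying).
    Default: security-alerts@example.com

Resources:
  AlarmTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint: !Ref NotificationEmail
          Protocol: email

  # Failed console sign-ins. CloudTrail records a ConsoleLogin event whose
  # errorMessage is "Failed authentication" when the password or MFA step fails.
  ConsoleSignInFailureMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref LogGroupName
      FilterPattern: '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics   # assumed namespace
          MetricName: ConsoleSignInFailureCount
          MetricValue: '1'                     # one data point per matching event

  ConsoleSignInFailuresAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: CloudTrailConsoleSignInFailures
      AlarmDescription: Three or more failed console sign-ins within five minutes.
      Namespace: CloudTrailMetrics
      MetricName: ConsoleSignInFailureCount
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 3                             # assumed threshold, tune per account
      ComparisonOperator: GreaterThanOrEqualToThreshold
      # A metric filter emits nothing when no event matches, so an absent data
      # point means "quiet", not "broken".
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlarmTopic

  # Authorization failures on any API call: AccessDenied or *UnauthorizedOperation
  # error codes. Broken automation can make this noisy, hence a higher threshold.
  AuthorizationFailuresMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref LogGroupName
      FilterPattern: '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: AuthorizationFailureCount
          MetricValue: '1'

  AuthorizationFailuresAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: CloudTrailAuthorizationFailures
      AlarmDescription: Five or more AccessDenied/UnauthorizedOperation API errors within five minutes.
      Namespace: CloudTrailMetrics
      MetricName: AuthorizationFailureCount
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 5                             # assumed threshold, tune per account
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlarmTopic
```

Each alert costs one metric filter and one alarm, which is why the count of alarms in the template matters for staying inside the free tier. `TreatMissingData: notBreaching` is the setting worth checking in any tuned copy: with the default behaviour an alarm whose metric has no data points can sit in INSUFFICIENT_DATA rather than OK, which makes it easy to miss that the filter or the trail has stopped delivering.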
Too many times someone exposes credentials or gets their account hacked, only to find out about the breach when a thousand-dollar bill rolls in at the end of the month. A fingers-crossed attitude can only bring stress and anxiety. I think almost everyone wants to be calm about security, and I think this neat gem from the AWS CloudTrail docs is a perfect tool to contribute to that calmness.