Tracking and Managing Privileged Access with AWS CloudTrail

Saurabh Pandey

In today’s complex cloud environments, managing and monitoring privileged access is crucial for maintaining security and compliance. AWS CloudTrail is an indispensable tool in this regard, as it provides a detailed history of AWS API calls made on your account. This blog post will guide you through the steps to effectively track and manage privileged access using AWS CloudTrail, particularly focusing on services like OpenSearch (formerly Elasticsearch) and Cognito, as well as specific IAM users or roles employed by Jenkins and GitHub for infrastructure deployment.

1. Configure CloudTrail

The first step in tracking and managing privileged access is ensuring that AWS CloudTrail is properly configured to log all relevant API activity within your AWS account.

Creating or Verifying Your CloudTrail Setup

  1. Access the AWS Management Console: Start by logging into the AWS Management Console.

  2. Navigate to CloudTrail: In the search bar, type “CloudTrail” and select it from the list of services.

  3. Create a Trail:

    • If you don’t have an existing trail, click “Create trail” to set up a new one.

    • Provide a name for your trail and configure it to apply to all regions to capture events across your AWS infrastructure.

  4. Specify Storage and Notifications:

    • S3 Bucket: Configure CloudTrail to log events to an S3 bucket. This is crucial for storing and archiving the logs for future analysis.

    • SNS Notifications (Optional): Set up SNS notifications if you want to receive alerts for specific activities.

    • CloudWatch Logs Integration (Optional): Configure CloudTrail to send logs to CloudWatch Logs for real-time monitoring and analysis.

  5. Review and Save: Review your configuration and click “Create” to finalize the setup.

Enabling Detailed Logging

To ensure that you capture all necessary events, you need to enable detailed logging:

  1. Management Events: These include operations like creating, modifying, or deleting AWS resources. Make sure your CloudTrail setup is configured to capture these management events.

  2. Data Events: These encompass operations on data resources such as S3 object-level operations or DynamoDB table read/write actions. Enable data event logging to monitor these critical actions.

2. Monitor Privileged Access

Once CloudTrail is configured, the next step is to focus on monitoring privileged access, particularly for services like OpenSearch and Cognito, and for IAM users or roles used by Jenkins and GitHub.

a. OpenSearch and Cognito Logs

  • OpenSearch (Elasticsearch) Logs:

    CloudTrail records calls to the OpenSearch Service control-plane API (for example, domain configuration changes), but it does not log the search and indexing requests made to a domain's own endpoints. You can still monitor that activity through alternative means:

    1. OpenSearch Service Logs: Enable logging within OpenSearch to capture API calls and access patterns. You can find these settings in the OpenSearch Service dashboard.

    2. AWS CloudWatch Logs Integration: Configure OpenSearch to send its logs to CloudWatch Logs. This setup integrates well with CloudTrail, allowing you to consolidate your logging and monitor OpenSearch activities more effectively.

  • Amazon Cognito Logs:

    Cognito API calls are captured by CloudTrail. To monitor Cognito activities:

    1. Filter CloudTrail Logs: Use CloudTrail’s filtering capabilities to view logs related to Cognito operations. You can search for events associated with user pools, identity pools, and authentication activities.

3. Track IAM Users and Roles

For a more granular view of privileged access, especially concerning IAM users or roles used by tools like Jenkins and GitHub, follow these practices:

  1. Identify IAM Users and Roles: Determine which IAM users and roles are employed by Jenkins and GitHub for infrastructure deployment. Note their IAM policies and permissions.

  2. Review CloudTrail Logs: Filter CloudTrail logs to review activities associated with these IAM entities. Look for actions performed by Jenkins and GitHub roles, such as resource creation or modification events.

  3. Set Up Alerts: Configure CloudWatch Alarms or SNS notifications to alert you about specific actions performed by these IAM users or roles. This helps in proactively identifying unauthorized or suspicious activities.

  4. Regular Audits: Conduct regular audits of IAM policies and roles used by Jenkins and GitHub. Ensure that their permissions are aligned with the principle of least privilege to minimize potential security risks.
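As an added example (not code from the original post), here is the filtering described for Cognito in section 2 and for the Jenkins and GitHub principals in steps 2 and 3 above, applied to a constructed CloudTrail log file. The account id, role name and user names are placeholders; the record shape follows CloudTrail's delivered log-file format, where an assumed-role session is tied back to its role through `sessionContext.sessionIssuer`.

```python
import json

# Constructed sample data (not real logs): placeholder account id, role and user names.
JENKINS_ROLE = "arn:aws:iam::123456789012:role/JenkinsDeployRole"
GITHUB_USER = "arn:aws:iam::123456789012:user/github-actions"
# An assumed-role session: the session ARN changes per build, the sessionIssuer is the role.
JENKINS_SESSION = {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/JenkinsDeployRole/build-42",
                   "sessionContext": {"sessionIssuer": {"arn": JENKINS_ROLE}}}
GITHUB_IDENTITY = {"type": "IAMUser", "arn": GITHUB_USER}
ADMIN_IDENTITY = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}

def _rec(time, source, name, read_only, identity):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "readOnly": read_only, "userIdentity": identity}

RECORDS = [
    _rec("2024-05-01T10:00:00Z", "cloudformation.amazonaws.com", "UpdateStack", False, JENKINS_SESSION),
    _rec("2024-05-01T10:05:00Z", "s3.amazonaws.com", "ListBuckets", True, JENKINS_SESSION),
    _rec("2024-05-01T11:00:00Z", "cognito-idp.amazonaws.com", "AdminCreateUser", False, ADMIN_IDENTITY),
    _rec("2024-05-01T12:00:00Z", "iam.amazonaws.com", "AttachRolePolicy", False, GITHUB_IDENTITY),
]
# CloudTrail delivers log files to S3 as {"Records": [...]}; mimic that shape.
SAMPLE_LOG_FILE = json.dumps({"Records": RECORDS})

WATCHED_PRINCIPALS = {JENKINS_ROLE, GITHUB_USER}

def principal_arn(record):
    """The long-lived identity behind a record: the sessionIssuer ARN for an
    assumed role (session ARNs vary per build), else the userIdentity ARN."""
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn")

def is_write_event(record):
    """CloudTrail flags read-only calls; fall back to the verb when the flag is absent."""
    if "readOnly" in record:
        return not record["readOnly"]
    return not record["eventName"].startswith(("Get", "List", "Describe"))

def privileged_activity(log_file_json, watched=WATCHED_PRINCIPALS):
    """Write events by the watched deployment principals, plus every write
    against Cognito user pools, as (time, principal, eventSource, eventName)."""
    hits = []
    for rec in json.loads(log_file_json)["Records"]:
        arn = principal_arn(rec)
        if is_write_event(rec) and (arn in watched or rec["eventSource"] == "cognito-idp.amazonaws.com"):
            hits.append((rec["eventTime"], arn, rec["eventSource"], rec["eventName"]))
    return hits
```

The same filter expressed as a CloudWatch Logs metric filter on the CloudTrail log group is what backs the alarms mentioned in step 3; the read-only `ListBuckets` call is dropped so the alert fires only on changes.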
