As a part of Upwind’s runtime-powered threat detection capabilities, the Upwind Platform integrates seamlessly with AWS CloudTrail to provide real-time monitoring and detection of cloud logs. By leveraging AWS CloudTrail Logs generated at runtime, Upwind is able to provide deep runtime context and automatically alert you to suspicious or malicious log events.
What is CloudTrail?
AWS CloudTrail is a service that enables monitoring and logging of activities across your AWS infrastructure. CloudTrail logs provide detailed records of API calls and user activities, including the initiator (who made the call), involved services and resources, as well as the time and location of each activity. These logs are crucial for security auditing, compliance, and troubleshooting.
CloudTrail logs events from actions performed by users, roles, and AWS services. These events can include:
- Creating or deleting Amazon Simple Storage Service (S3) buckets
- Reading or writing an Amazon S3 object
- Actions made using VPC endpoints
- API calls that were denied access
In addition to capturing detailed event data, CloudTrail helps organizations maintain transparency by providing a history of AWS account activity. This is particularly useful for tracking changes made by various users, roles, and services within the AWS environment. CloudTrail supports multiple log formats, including Apache ORC, which is optimized for performance and query efficiency when analyzing large datasets.
How Upwind Leverages CloudTrail
Upwind’s CloudTrail integration uses CloudTrail logs to identify and analyze potential security threats, enhancing our comprehensive threat detection capabilities.
Using CloudTrail logs, Upwind monitors for suspicious activities that may indicate security incidents, such as unauthorized access attempts, data exfiltration, or policy violations.
Using CloudTrail Logs, Upwind provides numerous detections that center around unusual behaviors, focusing on:
- Unauthorized Access Attempts: CloudTrail logs can reveal attempts to access AWS resources from unauthorized users or unexpected locations.
- Suspicious API Activity: Analyze the “What” and “Where” of API calls (actions and resources) to identify specific API calls that are sensitive or indicative of malicious activities.
Upwind’s CloudTrail event analysis detects attempts or successful executions of specific actions, indicating the initiator and on which resource the action was performed. For example, you can easily identify actions like the following:
- S3 Bucket Made Public
- Security Group Modification
- Lambda Function Deletion
- Deactivation of MFA on an IAM User
By monitoring for all of these events at runtime, Upwind is able to alert you the second suspicious or malicious events occur.
How to Deploy the CloudTrail Integration
Deploying Upwind’s CloudTrail integration is straightforward, requiring only a provided CloudFormation or Terraform template. After deployment, the Upwind log reporter Lambda function automatically sends log events to the Upwind SaaS for analysis. Within minutes, you begin receiving new detections and enriched information.
Learn More
To learn more about Upwind’s use of AWS CloudTrail for real-time threat detections, visit the Upwind Documentation Center (login required), or schedule a demo.
