AWS CloudTrail

AWS CLI / AWS CloudTrail

SecOps Configurations

Description Link
SecOps SecOps
SecOps Config / CloudTrail SecOps CloudTrail
SecOps Config / Guard Duty SecOps Guard Duty
SecOps Config / Load Balancers SecOps Load Balancer
SecOps Config / Security Hub SecOps Security Hub

Filter relevant commands list

aws cloudtrail help | grep -E 'delete|describe|get|list'

ACCS='791232313887 534701031479'

Commands

aws cloudtrail describe-trails
aws cloudtrail list-channels

TRAIL='global_trail'
BUCKET='ge-aero-central-bit-bucket'
ALIAS=$( aws iam list-account-aliases | jq -r '.AccountAliases[0]' )
PREFIX="cloudtrail/$ALIAS"
SNS='arn:aws:sns:us-east-1:404063023013:AwsCloudTrailCollector'
HOME_REGION='us-east-1'

# Point the trail at the central bucket, per-account prefix and SNS topic
aws cloudtrail update-trail \
    --name "$TRAIL" \
    --s3-bucket-name "$BUCKET" \
    --s3-key-prefix "$PREFIX" \
    --sns-topic-name "$SNS" \
    --include-global-service-events \
    --is-multi-region-trail \
    --region "$HOME_REGION"
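
A read-back check for the update above, added here as an example and not part of the original notes: it compares what `describe-trails` reports against the bucket, prefix and SNS values recorded on this page. The function names `trail_fields` and `verify_trail` and the sample lines are made up for illustration; the check assumes the CLI's text output renders booleans as `True`/`False` and missing values as `None`.

```shell
#!/bin/sh
# Added example: confirm a trail matches the values recorded on this page.
TRAIL='global_trail'
BUCKET='ge-aero-central-bit-bucket'
SNS='arn:aws:sns:us-east-1:404063023013:AwsCloudTrailCollector'
HOME_REGION='us-east-1'
TAB=$(printf '\t')

# Live read: one tab-separated line of the settings update-trail changes.
trail_fields() {
    aws cloudtrail describe-trails --trail-name-list "$TRAIL" \
        --region "$HOME_REGION" --output text \
        --query 'trailList[0].[S3BucketName,S3KeyPrefix,SnsTopicARN,IsMultiRegionTrail,IncludeGlobalServiceEvents]'
}

# verify_trail ALIAS LINE: print each mismatch, return 1 if any was found.
verify_trail() {
    want_prefix="cloudtrail/$1"
    rc=0
    IFS="$TAB" read -r bucket prefix sns multi global <<EOF
$2
EOF
    [ "$bucket" = "$BUCKET" ]      || { echo "bucket: $bucket"; rc=1; }
    [ "$prefix" = "$want_prefix" ] || { echo "prefix: $prefix (want $want_prefix)"; rc=1; }
    [ "$sns" = "$SNS" ]            || { echo "sns topic: $sns"; rc=1; }
    [ "$multi" = "True" ]          || { echo "not multi-region: $multi"; rc=1; }
    [ "$global" = "True" ]         || { echo "global service events off: $global"; rc=1; }
    return "$rc"
}

# Constructed sample lines (not real API output) so the check runs offline.
GOOD="$BUCKET${TAB}cloudtrail/av-ctr-ads-nonprod${TAB}$SNS${TAB}True${TAB}True"
BAD="$BUCKET${TAB}clourtrail/av-ctr-ads-nonprod${TAB}None${TAB}True${TAB}False"

verify_trail av-ctr-ads-nonprod "$GOOD" && echo "trail OK"
verify_trail av-ctr-ads-nonprod "$BAD" || echo "trail drifted"
# Live use, in each target account: verify_trail "$ALIAS" "$(trail_fields)"
```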

CloudTrail Console Data

# Aero CloudTrail Global Trail
# Mgmt. Acc.
404063023013	av-ctr-llz              us-east-1   # CloudTrail Mgmt. Acc.

# Target Accs.
791232313887	av-ctr-ads-nonprod      us-east-1   aws.av-ctr-ads-nonprod@ge.com   # CloudTrail Target Acc.
534701031479	aviation-ctr-nonprod    us-east-1   aws.aviation-ctr-nonprod@ge.com # CloudTrail Target Acc.

# Prep - Create prefix folder in Global Bucket & update permission too as:
# ge-aero-central-bit-bucket/<ACCOUNT_ALIAS>/AWSLogs/*
# "arn:aws:s3:::ge-aero-central-bit-bucket/<ACCOUNT_ALIAS>/AWSLogs/*"

Trail: global_trail
Bucket: ge-aero-central-bit-bucket 
Prefix: cloudtrail/{ACCOUNT_ALIAS}
NO KMS
SnsTopic - Existing: arn:aws:sns:us-east-1:404063023013:AwsCloudTrailCollector

Moving cloudtrail logs to new prefix

# move to cloudtrail/${ACCOUNT_ALIAS}
aws s3 mv s3://ge-aero-central-bit-bucket/av-ctr-llz s3://ge-aero-central-bit-bucket/cloudtrail/av-ctr-llz --recursive
aws s3 mv s3://ge-aero-central-bit-bucket/av-ctr-ads-nonprod s3://ge-aero-central-bit-bucket/cloudtrail/av-ctr-ads-nonprod --recursive
aws s3 mv s3://ge-aero-central-bit-bucket/aviation-ctr-nonprod s3://ge-aero-central-bit-bucket/cloudtrail/aviation-ctr-nonprod --recursive

GovCloud

{
  "http": {
    "defaultHealthyRetryPolicy": {
      "numRetries": 3,
      "numNoDelayRetries": null,
      "minDelayTarget": 20,
      "maxDelayTarget": 20,
      "numMinDelayRetries": null,
      "numMaxDelayRetries": null,
      "backoffFunction": "linear"
    },
    "disableSubscriptionOverrides": false,
    "defaultRequestPolicy": {
      "headerContentType": "text/plain; charset=UTF-8"
    }
  }
}
Source: (715477192348) [gov-public-cloud-security]
Bucket: ge-gov-cloudtrail-bucket
CloudTrail: arn:aws-us-gov:cloudtrail:us-gov-east-1:715477192348:trail/global_trail
SNS: arn:aws-us-gov:sns:us-gov-east-1:715477192348:AwsGovCloudTrailCollector
    - FIFO
    - Standard
    - Existing Service Role


TAGS:
    csadmin:	csadmin
    Builder:	Terraform
    contact:	cloudpod@ge.com
    Region:	Global
    Guardrails:	true
    preserve:	true
    env:	prod
    uai:	UAI3033130
    Name:	Global Trail

Target: (135950234967) [gov-av-ctr-llz]
ge-gov-aero-central-bit-bucket



New-Master: 
Bucket: ge-gov-aero-central-bit-bucket
CloudtrailPrefix: cloudtrail # /alias/*
SNS: arn:aws-us-gov:sns:us-gov-west-1:135950234967:AwsGovCloudTrailCollector