AWS CloudTrail cheat sheet

January 11, 2024


Incident Response in AWS made easy (easier 😉)

As enthusiastic cloud incident responders we’ve had our fair share of AWS incidents. If you say incident response and AWS, you say CloudTrail: it is the most important source for your investigations. Therefore we’ve decided to develop a cheat sheet of ‘interesting’ CloudTrail events that we’ve come across during incidents. Use this information to perform faster triage and to identify ‘interesting’ activity in CloudTrail logging.

Disclaimer: The AWS cheat sheet we’ve developed is an attempt to document CloudTrail events that are ‘interesting’ for incident responders or detection engineers. It is by no means a definitive guide to finding all malicious activity.

CloudTrail

CloudTrail records two types of events. From the official documentation:

  • Management events that capture control plane actions on resources, such as creating or deleting Amazon Simple Storage Service (S3) buckets.
  • Data events that capture data plane actions within a resource, such as reading or writing an Amazon S3 object.

The logged events cover calls made through both the console (GUI) and the API. An example CloudTrail event from the CloudTrail console is shown below:

The event contains many more details if you open it; the format is JSON. For the cheat sheet the Event name (`eventName`) field is used to uniquely identify events.

Methodology

How did we create this magic sheet, you might ask? It’s a combination of the following:

  • AWS Incident Response experience, based on real life incidents where we investigated incidents using CloudTrail [1][2][3][4];
  • Conducting several known attacks in a test environment using Stratus;
  • Using our collective brain power to think of scenarios and events that were missing from the previous two steps.

Tip: We love to hear from you! If you think we should add certain Event names please create an issue on the GitHub page for this cheat sheet.

Cheat Sheet

The cheat sheet is organised by MITRE ATT&CK phase, listing the Event names of interest for each phase.

The file can be downloaded in various formats from our GitHub, and there’s also a GitHub gist where you can easily copy the values you are interested in.
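To show how the Event name field and the management/data split described above are used for triage against a phase-organised watchlist, here is an added Python example (not code from the original post or from the cheat sheet itself). The sample log records and the small `WATCHLIST` mapping are constructed for this example; the event names in it are real AWS API actions, but the list is an illustration, not a copy of the cheat sheet.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail log file in the {"Records": [...]} layout that
# CloudTrail delivers to S3; every value below is made up for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-11T09:12:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "eventCategory": "Management", "readOnly": False,
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-01-11T09:13:44Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "eventCategory": "Management", "readOnly": False,
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-01-11T09:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventCategory": "Data", "readOnly": True,
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-01-11T09:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "eventCategory": "Management", "readOnly": True,
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "deploy"}},
]})

# Illustrative watchlist (Event name -> ATT&CK tactic). It stands in for the
# cheat sheet and is not a copy of it; the names are real AWS API actions.
WATCHLIST = {
    "CreateUser": "Persistence",
    "CreateAccessKey": "Persistence",
    "StopLogging": "Defense Evasion",
    "DeleteTrail": "Defense Evasion",
    "GetObject": "Collection",
}

def load_records(raw):
    """Parse one CloudTrail log file (JSON with a top-level Records array)."""
    return json.loads(raw)["Records"]

def triage(records, watchlist=WATCHLIST):
    """Group watchlisted events by tactic: when, what, who, from where, and plane."""
    hits = defaultdict(list)
    for r in records:
        tactic = watchlist.get(r.get("eventName"))
        if tactic is None:
            continue  # not on the watchlist; nothing to triage
        hits[tactic].append({"time": r["eventTime"], "event": r["eventName"],
                             "category": r.get("eventCategory", "Management"),
                             "who": r.get("userIdentity", {}).get("userName"),
                             "ip": r.get("sourceIPAddress")})
    return dict(hits)

if __name__ == "__main__":
    print(json.dumps(triage(load_records(SAMPLE_LOG)), indent=2))
```

On the sample log this surfaces the `CreateUser`, `StopLogging` and `GetObject` records under their tactics and ignores the read-only `DescribeInstances` call; point `load_records` at a real log file’s contents and swap in the cheat sheet’s Event names to use it for triage.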

Future work

In a few weeks we will release our approach, including the tools and techniques we use to perform incident response in AWS environments. You’ll want to be there!

About Invictus Incident Response

We are an incident response company and we ❤️ the cloud and specialise in supporting organisations facing a cyber attack. We help our clients stay undefeated!

🆘 Incident Response support reach out to cert@invictus-ir.com or go to https://www.invictus-ir.com/247