
Amazon AWS CloudTrail

The JSA DSM for Amazon AWS CloudTrail collects audit events from your Amazon AWS CloudTrail S3 bucket.

The following table lists the specifications for the Amazon AWS CloudTrail DSM:

Table 1: Amazon AWS CloudTrail DSM Specifications

  Specification                 Value
  Manufacturer                  Amazon
  DSM                           Amazon AWS CloudTrail
  RPM name                      DSM-AmazonAWSCloudTrail-JSA_version-Build_number.noarch.rpm
  Supported versions            N/A
  Protocol                      Amazon AWS S3 REST API
  JSA recorded events           All version 1.0, 1.02, 1.03, and 1.04 events.
  Automatically discovered?     No
  Includes identity?            No
  Includes custom properties?   No
  More information              Amazon CloudTrail documentation (http://docs.aws.amazon.com/awscloudtrail/latest/userguide/whatisawscloudtrail.html)

To integrate Amazon AWS CloudTrail with JSA, complete the following steps:

  1. Create an Amazon AWS Identity and Access Management (IAM) user and then apply the AmazonS3ReadOnlyAccess policy.

  2. Install the most recent version of the following RPMs on your JSA Console.

    • Protocol Common

    • Amazon AWS REST API Protocol RPM

    • Amazon AWS CloudTrail DSM RPM

  3. Click the Admin tab.

  4. Click the Log Sources icon.

  5. From the navigation menu, click Add.

  6. Configure the Amazon AWS CloudTrail log source in JSA.

    Note

    A log source can retrieve data from only one region. Use a different log source for each region. Include the region folder name in the file path for the Directory Prefix value when you configure the log source.

    The following table describes the parameters that require specific values to collect audit events from Amazon AWS CloudTrail:

    Table 2: Amazon AWS CloudTrail Log Source Parameters

    Log Source Type
        Amazon AWS CloudTrail

    Protocol Configuration
        Amazon AWS S3 REST API

    Log Source Identifier
        Type a unique name for the log source.

        The Log Source Identifier can be any valid value and does not need to reference a specific server. The Log Source Identifier can be the same value as the Log Source Name. If you have more than one Amazon AWS CloudTrail log source configured, you might want to identify the first log source as awscloudtrail1, the second as awscloudtrail2, and the third as awscloudtrail3.

    Signature Version
        Select AWSSIGNATUREV2 or AWSSIGNATUREV4.

        AWSSIGNATUREV2 does not support all Amazon AWS regions. If you are using a region that supports only AWSSIGNATUREV4, you must choose AWSSIGNATUREV4 in the list.

    Region Name (Signature V4 only)
        The region that is associated with the Amazon S3 bucket.

    Service Name (Signature V4 only)
        The name of the Amazon Web Service.

    Bucket Name
        The name of the AWS S3 bucket where the log files are stored.

    Endpoint URL
        https://s3.amazonaws.com

    Public Key
        The public access key that is required to access the AWS S3 bucket.

        Note: This parameter is called Access Key ID in Amazon AWS CloudTrail.

    Access Key
        The private access key that is required to access the AWS S3 bucket.

        Note: This parameter is called Secret Access Key in Amazon AWS CloudTrail.

    Directory Prefix
        The root directory location on the AWS S3 bucket from which the CloudTrail logs are retrieved, for example, AWSLogs/<AccountNumber>/CloudTrail/us-east-1/

    File Pattern
        .*?\.json\.gz

    Event Format
        Select AWS Cloud Trail JSON. The log source retrieves JSON formatted events.

    Use Proxy
        When a proxy is configured, all traffic for the log source travels through the proxy so that JSA can access the Amazon AWS S3 buckets.

        Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.

    Automatically Acquire Server Certificate(s)
        If you select Yes, JSA automatically downloads the server certificate and begins trusting the target server.

    Recurrence
        How often the Amazon AWS S3 REST API Protocol connects to the Amazon cloud API, checks for new files, and retrieves them if they exist. Every access to an AWS S3 bucket incurs a cost to the account that owns the bucket, so a smaller recurrence value increases the cost.

  7. After the required values are entered in the log source configuration, click Save.

The following table provides a sample event message for the Amazon AWS CloudTrail DSM:

Table 3: Amazon AWS CloudTrail Sample Message Supported by Amazon AWS CloudTrail

  Event name:          Console Login
  Low-level category:  General Audit Event
  Sample log message:

  {
    "eventVersion": "1.02",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "AIDAI56UNJ5SGCUDUOZEE",
      "arn": "arn:aws:iam::005166929:user/xx.xx",
      "accountId": "05166929",
      "userName": "x.x"
    },
    "eventTime": "2016-05-04T14:10:58Z",
    "eventSource": "f.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "1.1.1.1",
    "userAgent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.1.1 Safari/537.36",
    "requestParameters": null,
    "responseElements": {
      "ConsoleLogin": "Success"
    },
    "additionalEventData": {
      "LoginTo": "www.webpage.com",
      "MobileVersion": "No",
      "MFAUsed": "No"
    },
    "eventID": "e1866735-ea8b-4e66-be1a-8067dafe9898",
    "eventType": "AwsConsoleSignIn",
    "recipientAccountId": "237005166922"
  }
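As an added example (not part of the Juniper documentation or the JSA protocol code), the following Python script mimics what the S3 REST API protocol does with the Directory Prefix and File Pattern from Table 2 (step 6), then parses a constructed CloudTrail log file holding a ConsoleLogin record shaped like the one in Table 3 and flags console sign-ins made without MFA. The account id, object keys and record values are constructed placeholders, and it is an assumption that the File Pattern is applied to the part of the key below the prefix.

```python
import gzip
import json
import re
# Everything below is constructed sample data: the account id, object keys and
# record contents are placeholders, not values taken from a real bucket.
DIRECTORY_PREFIX = "AWSLogs/123456789012/CloudTrail/us-east-1/"
FILE_PATTERN = re.compile(r".*?\.json\.gz")  # the File Pattern value from Table 2
ACCT = "AWSLogs/123456789012/"
SAMPLE_KEYS = [  # keys as an S3 listing of the bucket would return them
    ACCT + "CloudTrail/us-east-1/2016/05/04/123456789012_CloudTrail_us-east-1_20160504T1410Z_a1b2.json.gz",
    ACCT + "CloudTrail/us-west-2/2016/05/04/123456789012_CloudTrail_us-west-2_20160504T1410Z_c3d4.json.gz",
    ACCT + "CloudTrail-Digest/us-east-1/2016/05/04/123456789012_CloudTrail-Digest_us-east-1_20160504T1410Z.json.gz",
    ACCT + "CloudTrail/us-east-1/2016/05/04/README.txt",
]

def select_keys(keys, prefix=DIRECTORY_PREFIX, pattern=FILE_PATTERN):
    """Keep objects under the region prefix whose path below it matches the File
    Pattern (assumption: the pattern is applied to the key below the prefix).
    Other regions and the CloudTrail-Digest tree fall outside the prefix."""
    return [k for k in keys if k.startswith(prefix) and pattern.fullmatch(k[len(prefix):])]

SAMPLE_RECORD = {  # same shape as the ConsoleLogin record in Table 3
    "eventVersion": "1.02", "userIdentity": {"type": "IAMUser", "userName": "x.x"},
    "eventTime": "2016-05-04T14:10:58Z", "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1", "sourceIPAddress": "1.1.1.1",
    "requestParameters": None,  # CloudTrail writes JSON null here, not {}
    "responseElements": {"ConsoleLogin": "Success"}, "eventType": "AwsConsoleSignIn",
    "additionalEventData": {"LoginTo": "www.webpage.com", "MobileVersion": "No", "MFAUsed": "No"},
}

def make_cloudtrail_gz(records):
    return gzip.compress(json.dumps({"Records": records}).encode())  # one .json.gz log file

def parse_cloudtrail_gz(blob):
    """Decompress one log file and flatten the fields a SIEM rule would key on."""
    events = []
    for r in json.loads(gzip.decompress(blob)).get("Records", []):
        # "or {}" guards the fields CloudTrail sets to null for some event types
        events.append({
            "time": r.get("eventTime"), "event": r.get("eventName"),
            "user": (r.get("userIdentity") or {}).get("userName"),
            "src_ip": r.get("sourceIPAddress"), "region": r.get("awsRegion"),
            "mfa": (r.get("additionalEventData") or {}).get("MFAUsed"),
            "result": (r.get("responseElements") or {}).get("ConsoleLogin"),
        })
    return events

def console_logins_without_mfa(events):
    """Detection over the parsed events: successful console sign-ins with no MFA."""
    return [e for e in events if e["event"] == "ConsoleLogin" and e["result"] == "Success" and e["mfa"] == "No"]
```

Pointing the prefix at the account root instead of the region folder would also pull in the CloudTrail-Digest objects and every other region, which is why the note in step 6 asks for one log source per region.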