digitc1 / AWSLandingZone

Repository for AWSLandingZone module developed by DIGIT.C.1
Apache License 2.0

LZ - Cloudtrail subscriptions #113

Open stmag opened 3 years ago

stmag commented 3 years ago

During review of SDG accounts and LZ config in general, I would like enforcement to be in place for lambda functions to log to the LZ-cloudtrail-logging group (via Data events). I would like this to be in place for all EC AWS accounts.

By missing this, it means that we would have no visibility on what actions a lambda function has taken or what identity has invoked it, and therefore would not be able to determine if a lambda role has been compromised or not.

neisije commented 3 years ago

According to

to enable the logging of all Lambda functions (all regions) in cloudtrail, we need to update the resource CloudTrailLogging in the cloudformation templates:

```yaml
  # CloudFormation resource for the landing-zone trail; the EventSelectors
  # block adds Lambda data events (all functions, all regions) to the
  # existing management-event logging.
  CloudTrailLogging:
    Type: "AWS::CloudTrail::Trail"
    Properties:
      IncludeGlobalServiceEvents: true
      IsMultiRegionTrail: true
      TrailName: 'lz-cloudtrail-logging'
      S3BucketName: !Sub "cloudtrail-logs-${SecLogMasterAccountId}-do-not-delete"
      KMSKeyId: !Ref CloudtrailKMSarn
      IsLogging: true
      EnableLogFileValidation: true
      CloudWatchLogsLogGroupArn: !GetAtt TrailLogGroup.Arn
      CloudWatchLogsRoleArn: !GetAtt TrailLogGroupRole.Arn
      EventSelectors:
        - DataResources:
            - Type: AWS::Lambda::Function
              Values:
                # "arn:aws:lambda" (no further qualifier) selects every Lambda function
                - arn:aws:lambda
          IncludeManagementEvents: true
          ReadWriteType: All
```

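
A compliance check for the enforcement requested in this issue, as an added example that is not part of the AWSLandingZone repository: it evaluates the `EventSelectors` structure (the same shape the CloudFormation resource above produces and that boto3's `cloudtrail.get_event_selectors()` returns) and reports whether a trail logs data events for every Lambda function. The selector lists below are constructed samples; feeding in a live API response is an assumption about how it would be used.

```python
"""Audit CloudTrail event selectors for Lambda data-event coverage.

Added example, not code from the AWSLandingZone project. Input is the
EventSelectors list as returned by boto3 get_event_selectors() or as written
in the CloudFormation template; the samples at the bottom are constructed.
"""
from typing import Dict, List

LAMBDA_TYPE = "AWS::Lambda::Function"
ALL_LAMBDA_PREFIX = "arn:aws:lambda"  # CloudTrail's "every Lambda function" value


def lambda_data_event_coverage(selectors: List[Dict]) -> Dict:
    """Summarise Lambda data-event coverage in a trail's event selectors.

    all_functions: a selector covers every function via arn:aws:lambda
    read_write:    ReadWriteType values attached to the Lambda selectors
    explicit_arns: individually listed function ARNs (partial coverage)
    """
    all_functions = False
    read_write = set()
    explicit: List[str] = []
    for sel in selectors:
        for res in sel.get("DataResources", []):
            if res.get("Type") != LAMBDA_TYPE:
                continue
            for value in res.get("Values", []):
                if value == ALL_LAMBDA_PREFIX:
                    all_functions = True
                else:
                    explicit.append(value)
            read_write.add(sel.get("ReadWriteType", "All"))
    return {"all_functions": all_functions,
            "read_write": sorted(read_write), "explicit_arns": explicit}


def is_compliant(selectors: List[Dict]) -> bool:
    """Compliant only when all functions are logged with ReadWriteType All."""
    cov = lambda_data_event_coverage(selectors)
    return cov["all_functions"] and cov["read_write"] == ["All"]

# Constructed sample: what the updated template above produces ...
COMPLIANT = [{"ReadWriteType": "All", "IncludeManagementEvents": True,
              "DataResources": [{"Type": LAMBDA_TYPE, "Values": [ALL_LAMBDA_PREFIX]}]}]
# ... and a trail logging management events only (the pre-change state).
MGMT_ONLY = [{"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]

if __name__ == "__main__":
    for name, sel in (("compliant", COMPLIANT), ("management-only", MGMT_ONLY)):
        print(name, lambda_data_event_coverage(sel), is_compliant(sel))
```

Run against each account's trail, the boolean gives the per-account enforcement status the issue asks for, and `explicit_arns` shows accounts where only some functions were opted in by hand.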
stmag commented 3 years ago

Thanks @neisije. I was speaking to @laurentleonard about this, to determine its usefulness. Is there any way whereby we can get this turned on for a couple of our AWS accounts? I don't want to start flooding downstream Splunk and invoke large cost if the benefit of the data is not high.

There is a ticket in CVTF for this [CVTF-2003]

neisije commented 3 years ago

What you can do is enable this DataResource manually via the AWS console in some of your AWS accounts configured with the SLZ. The lambda events should be automatically forwarded to Splunk via cloudtrail.

If you need help with this, just ask and I'll help you (or the person in your team having admin rights to do it).

neisije commented 3 years ago

As Laurent is out of office this afternoon, I did the update myself in the 2 AWS accounts referenced by [CVTF-2003]

I've manually updated the CFT in place in your 2 accounts and updated the stack "SECLZ-config-cloudtrail-SNS". Lambda events are now enabled in cloudtrail for these 2 accounts and should be forwarded via the SECLOG to Splunk.

neisije commented 3 years ago

NB: I would not recommend enabling this option in the SECLOG; that would be too expensive with the lambda log shippers running in the SECLOG.

neisije commented 3 years ago

Hello @austindimmer, any feedback on this based on the tests you did in your 2 accounts? Is it worth implementing this? What would be the cost impact? Thanks for your feedback.