Hello,
I would like to know if it is possible to track updates / deletion of a Registered Domain in Route 53 through Cloudtrail x Lacework.
As this ressource is critical, the alarm must be immediately raised.
Thank you for your assistance.
Lucas
Agent
Agentless (Workload Scanning)
Platform
Tuning Lacework/Customization
Cloud
AWS
Best answer by fredpillet
View original
Hi Lucas,
Update/Deletion of an AWS resource should be logged in Cloudtrail, so the LQL source is Cloudtrail:CloudTrailRawEvents.
Filter on the right elements in the Cloudtrail by looking at the description of the events with the CLI:
lacework query preview-source CloudTrailRawEvents.
Now, it looks to be that kind of action :
https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DeleteDomain.html
then, test your query in CLI (with the right filters):
--noninteractive turn off interactive mode (disable spinners, prompts, etc.)
queryId: Example_DeleteDomain
queryText: |-
{
source {
CloudTrailRawEvents
}
filter {
EVENT_NAME =’DeleteDomain’
}
return distinct {
INSERT_ID,
INSERT_TIME,
EVENT_TIME,
EVENT
}
}
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.