Is Lacework planning to support the scanning of CloudTrail's S3 Data Event Logs, which include actions like PUT, GET, HEAD, etc.?
This capability would be instrumental in identifying potentially compromised accounts or detecting leaked access keys.
If this feature is in the roadmap, what is the anticipated timeline for its roll-out?
Reference: https://repost.aws/knowledge-center/cloudtrail-data-management-events
Agent
N/A
Platform
Using Lacework/Operationalizing
Cloud
AWS
Hi
That covers a large range of detections from multiple sources, including Cloudtrail and also Lacework’s anomaly detection and threat intel.
Would be good to understand if there is additional value in bringing in S3 data event log scanning and what scenarios of account compromise it can help us detect that we aren’t already. Would love your insights on this - please post here and/or send me a private message.
Hi
That covers a large range of detections from multiple sources, including Cloudtrail and also Lacework’s anomaly detection and threat intel.
Would be good to understand if there is additional value in bringing in S3 data event log scanning and what scenarios of account compromise it can help us detect that we aren’t already. Would love your insights on this - please post here and/or send me a private message.
S3 Data Event Logging would be helpful for a pretty simple use case. As there is object level logging within S3 Data Events, we could receive alerts when abnormal access behavior begins to occur within an S3 bucket. For example, this could help identify compromised internal users who are downloading, deleting or modifying information outside of their normal behavior. As an end user, this would provide more value and reduce the need for another tool to analyze S3 logs.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.