Lacework Support of CloudTrail's S3 Data Event Log Scanning

  • 5 September 2023
  • 2 replies
  • 449 views

Is Lacework planning to support the scanning of CloudTrail's S3 Data Event Logs, which include actions like PUT, GET, HEAD, etc.?

This capability would be instrumental in identifying potentially compromised accounts or detecting leaked access keys.

If this feature is in the roadmap, what is the anticipated timeline for its roll-out?

Reference: https://repost.aws/knowledge-center/cloudtrail-data-management-events

  • Agent: N/A
  • Platform: Using Lacework/Operationalizing
  • Cloud: AWS


Hi @JoeCloud , that’s a good question - we already have a specific Composite Alert that should cover that use-case: https://docs.lacework.net/console/restricted/potentially-compromised-AWS-keys
That covers a large range of detections from multiple sources, including CloudTrail and also Lacework’s anomaly detection and threat intel.

Would be good to understand if there is additional value in bringing in S3 data event log scanning and what scenarios of account compromise it can help us detect that we aren’t already. Would love your insights on this - please post here and/or send me a private message.

S3 Data Event Logging would be helpful for a pretty simple use case. As there is object level logging within S3 Data Events, we could receive alerts when abnormal access behavior begins to occur within an S3 bucket. For example, this could help identify compromised internal users who are downloading, deleting or modifying information outside of their normal behavior. As an end user, this would provide more value and reduce the need for another tool to analyze S3 logs.
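The per-principal, per-bucket baselining described in the post above, as an added example (not Lacework code and not from any poster): it parses CloudTrail S3 data-event records (`eventSource`, `eventName`, `userIdentity.arn`, `requestParameters.bucketName`) and flags an action whose volume in an observed window jumps well above that principal's baseline on that bucket. The ARNs, bucket name and thresholds are constructed assumptions.

```python
import json
from collections import Counter

# Object-level actions that CloudTrail S3 data events record (the PUT/GET/HEAD etc. of the question)
DATA_EVENTS = {"GetObject", "PutObject", "DeleteObject", "HeadObject", "CopyObject"}

def make_record(arn, bucket, event_name, key="file.txt"):
    """Constructed CloudTrail S3 data-event record, reduced to the fields used below."""
    return json.dumps({
        "eventSource": "s3.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"type": "IAMUser", "arn": arn},
        "requestParameters": {"bucketName": bucket, "key": key},
    })

def count_actions(lines):
    """Count S3 data events per (principal ARN, bucket, action); other records are ignored."""
    counts = Counter()
    for line in lines:
        rec = json.loads(line)
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") not in DATA_EVENTS:
            continue
        arn = rec.get("userIdentity", {}).get("arn", "unknown")
        bucket = rec.get("requestParameters", {}).get("bucketName", "unknown")
        counts[(arn, bucket, rec["eventName"])] += 1
    return counts

def find_anomalies(baseline_lines, window_lines, factor=3, floor=5):
    """Flag (principal, bucket, action) whose observed volume exceeds `factor` times its
    baseline volume and reaches at least `floor` events, so a single one-off request
    does not alert. Returns a sorted list of (key, baseline_count, observed_count)."""
    base = count_actions(baseline_lines)
    obs = count_actions(window_lines)
    return sorted((key, base.get(key, 0), n) for key, n in obs.items()
                  if n >= floor and n > factor * base.get(key, 0))

# Constructed sample: alice normally reads the bucket; in the observed window she starts deleting.
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
BASELINE = ([make_record(ALICE, "reports", "GetObject") for _ in range(10)]
            + [make_record(BOB, "reports", "GetObject") for _ in range(4)])
WINDOW = ([make_record(ALICE, "reports", "GetObject") for _ in range(12)]
          + [make_record(ALICE, "reports", "DeleteObject") for _ in range(8)]
          + [make_record(BOB, "reports", "GetObject") for _ in range(2)]
          + [json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"})])

if __name__ == "__main__":
    for (arn, bucket, action), b, n in find_anomalies(BASELINE, WINDOW):
        print(f"{arn} {action} on s3://{bucket}: baseline={b} observed={n}")
```

Only alice's DeleteObject burst is flagged; her GetObject volume stays within three times baseline and bob's two requests sit below the floor.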
