Now that our CloudTrail logs are streamed into ElasticSearch, we can really search through CloudTrail logs. In addition, we can create a dashboard to highlight some of the important events occurring on the AWS account.
To illustrate this point, we will simulate login attempts. Log out and log in a few times to the AWS console. Try also to log in using a wrong password to generate login failures in the logs.
Wait a few minutes for the data to be generated and sent to ElasticSearch, then go through the following steps to create a new index pattern:
- Open Kibana in your browser and go to the management menu.
- Click on Index Patterns.
- Click on Add New.
- In the Index name or pattern, give the name logstash-cloudtrail-*.
- In the time-field name, select @timestamp.
- Finally, click create to complete the creation of the index pattern.
The next step will be to create the visualizations that will populate our dashboard:
- Click on Visualize to access the visualization menu.
- Click on Create a visualization.
- Click on Vertical bar chart.
- Click on logstash-cloudtrail-*.
- Under Select buckets type, click on X-Axis.
- In the aggregation menu, select Date histogram.
- Select the @timestamp for the Field value.
- Click on Add sub-bucket.
- Select Split Bars.
- Select Terms as our Sub Aggregation.
- Select the Field responseElements.ConsoleLogin.
- Click on the Apply change icon at the top. You should end up with a visualization looking as follows:
- Click on Save at the top and give it the name CloudTrail - login timeline.
Another useful bit of information is to group login failures by IP. For this, we will create a new visualization as given in the following steps:
- Click on Visualize to access the visualization menu.
- Click on Create a visualization.
- Click on Data Table.
- Click on logstash-cloudtrail-*.
- Click on split rows.
- Select Filters.
- Set the Filter 1 field to responseElements.ConsoleLogin.keyword:Failure.
- Click on Add sub-bucket.
- Select Split Rows.
- Select Terms.
- Use sourceIPAddress.keyword as your Field and, as before, click on Apply. You should end up with a visualization as follows:
- You can now save the new visualization under the name CloudTrail - login failures by IP.
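The two visualizations above are just aggregations over the CloudTrail records that Logstash indexed: a date histogram split by the value of responseElements.ConsoleLogin, and a terms bucket on the source IP restricted to failed logins. The following added example (not code from the original text or from Kibana) reproduces both aggregations locally over a handful of constructed ConsoleLogin events, and also builds the Elasticsearch query DSL that the data-table visualization sends to the cluster. The sample events, the 30-minute bucket width and the helper names are assumptions made for the illustration; in the index the timeline field is @timestamp, whereas the raw CloudTrail record carries eventTime.

```python
"""Local equivalents of the 'login timeline' and 'login failures by IP'
visualizations, computed over constructed CloudTrail ConsoleLogin records."""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events in the CloudTrail record shape (not real logs).
# RFC 5737 documentation addresses are used for the source IPs.
SAMPLE_EVENTS = [
    {"eventTime": "2017-01-10T08:01:12Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.5", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2017-01-10T08:05:40Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.5", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2017-01-10T08:07:03Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.5", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2017-01-10T08:12:30Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"}},
    # A non-login API call: it must not show up in either visualization.
    {"eventTime": "2017-01-10T08:20:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7", "responseElements": None},
    {"eventTime": "2017-01-10T08:41:09Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.5", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2017-01-10T08:45:55Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2017-01-10T08:50:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"}},
]


def parse_event_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_console_login(event):
    return event.get("eventName") == "ConsoleLogin" and bool(event.get("responseElements"))


def login_timeline(events, bucket_minutes=30):
    """Date histogram on the event time, split by responseElements.ConsoleLogin.
    Returns {bucket_start_iso: {"Success": n, "Failure": m}} in time order."""
    buckets = defaultdict(Counter)
    for event in events:
        if not is_console_login(event):
            continue
        t = parse_event_time(event["eventTime"])
        # Floor the timestamp to the start of its histogram bucket.
        floored = t.replace(minute=(t.minute // bucket_minutes) * bucket_minutes,
                            second=0, microsecond=0)
        buckets[floored.isoformat()][event["responseElements"]["ConsoleLogin"]] += 1
    return {k: dict(v) for k, v in sorted(buckets.items())}


def failures_by_ip(events):
    """Filter to ConsoleLogin == Failure, then count per sourceIPAddress,
    most frequent first, like the data-table visualization."""
    counts = Counter(
        event["sourceIPAddress"]
        for event in events
        if is_console_login(event)
        and event["responseElements"].get("ConsoleLogin") == "Failure"
    )
    return counts.most_common()


def failures_by_ip_query(size=10):
    """Elasticsearch query DSL equivalent of the data table: a filter on the
    keyword sub-field plus a terms aggregation on sourceIPAddress.keyword.
    The aggregation name 'by_ip' is an arbitrary label chosen here."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"responseElements.ConsoleLogin.keyword": "Failure"}},
        ]}},
        "aggs": {"by_ip": {"terms": {"field": "sourceIPAddress.keyword", "size": size}}},
    }


if __name__ == "__main__":
    for bucket, split in login_timeline(SAMPLE_EVENTS).items():
        print(bucket, split)
    for ip, count in failures_by_ip(SAMPLE_EVENTS):
        print(f"{ip:16} {count} failed login(s)")
```

Running it prints two 30-minute buckets for the timeline (three failures and one success in the first, two failures and one success in the second) and ranks 203.0.113.5 first with four failures. The `failures_by_ip_query` body can be pasted into the Kibana Dev Tools console against `logstash-cloudtrail-*` to confirm that the saved visualization and the raw query agree.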
You can continue this exercise and add a few more visualizations that are important to you. You can, for example, graph all deletion events, user activities (as shown in the following screenshot), and so on:
Once you have everything you need, go to the Dashboard menu and create a new dashboard:
- Go to the Dashboard menu in Kibana.
- Click on create dashboard.
- Click on Add in the top menu.
- Select all relevant visualizations.
- Click on Save and give your new dashboard a name such as CloudTrail:
Thanks to the work we just did, we can quickly analyze any API activity. This puts us in a very good spot to start making changes to the security of our infrastructure. The first and most important service we will look at is the IAM service.