Day 7: AWS Log Analysis Walkthrough

Day 7's challenge focuses on AWS log analysis, providing hands-on experience in identifying anomalous activities within cloud environments.

We dive into the investigation of AWS logs using CloudWatch, CloudTrail, and JQ, three tools that are indispensable when working with cloud environments. They are especially useful for monitoring and auditing AWS resources such as EC2 instances, Lambda functions, and S3 buckets, helping to uncover security breaches, unauthorized changes, or anomalies. Let’s break down how these tools can be leveraged in a real-world investigation, such as the recent case of Care4Wares, a charity running its operations in the cloud.

AWS CloudWatch: Monitoring and Observability

CloudWatch is AWS's native monitoring solution that allows you to observe cloud resources and applications in real time. For Care4Wares, which operates in AWS, CloudWatch logs provide valuable insights into EC2 performance, Lambda executions, and more. With CloudWatch Logs, we can track and filter log events to uncover performance issues or detect potential security incidents.

CloudWatch also helps with alerting: by setting up alarms, you can receive notifications about changes in application performance or unusual behavior. This can help detect issues early on, such as discrepancies in the charity’s donations.

AWS CloudTrail: Tracking Actions in AWS

Whereas CloudWatch is about performance, AWS CloudTrail is designed to track user actions and AWS service interactions. CloudTrail logs every API action taken within your AWS environment, such as changes to EC2 instances, security groups, IAM roles, and more. These logs provide an audit trail that can be used for forensic investigations, allowing us to trace suspicious actions back to their origin.

For instance, if an attacker gains unauthorized access to an S3 bucket, CloudTrail can record every action the attacker takes, whether it’s a file modification, an object deletion, or an S3 bucket listing. In the case of Care4Wares, this audit trail was critical for identifying the unauthorized actions.

CloudTrail Logs in CloudWatch

An important integration between CloudWatch and CloudTrail is the ability to stream CloudTrail logs to CloudWatch Logs. By doing so, you can consolidate all your logs in a single location, making it easier to monitor activities and spot suspicious actions across various AWS services. This helps correlate events and build a clearer picture of what's happening in your environment.

JQ: Transforming and Filtering JSON Data

Since CloudTrail logs are stored in JSON format, they can sometimes be overwhelming to process manually. This is where JQ comes into play. JQ is a command-line tool for parsing and filtering JSON data, making it easier to extract specific information. For instance, if you're looking for user activities, S3 bucket interactions, or IAM role modifications, JQ can filter and display only the relevant log entries, saving you time and effort.

Let’s get started.


Analyze the Logs

What is the other activity made by the user "glitch" aside from the ListObject action?

  • Answer: PutObject

CloudTrail records user actions such as ListObject and PutObject, which indicate listing and uploading objects in an S3 bucket, respectively. The PutObject activity by "glitch" suggests potential data exfiltration.


Identify IP Activity

  • Answer: 53.94.201.69

The logs show this IP as the source address of the S3 bucket access. Pivoting on the sourceIPAddress field is critical for tracing unauthorized activity back to its origin.


AWS Console Login Event

Based on the eventSource field, what AWS service generates the ConsoleLogin event?

  • Answer: signin.amazonaws.com

ConsoleLogin events carry signin.amazonaws.com in their eventSource field, which makes that value the key to filtering for user access attempts.


Pinpoint the Event Time

When did the anomalous user trigger the ConsoleLogin event?

  • Answer: 2024-11-28T15:21:54Z

Precise timestamps let us correlate this login with the events that followed it and narrow the malicious activity to a defined timeframe.


User Creation Analysis

What was the name of the user created by the mcskidy user?

  • Answer: glitch

Creating new users without proper authorization is a red flag. Monitoring user creation logs helps detect such anomalies.


Determine User Access Type

What type of access was assigned to the anomalous user?

  • Answer: AdministratorAccess

Granting AdministratorAccess to a newly created user like "glitch" is a privilege escalation: the attacker now has an account with full control of the environment.


IP Analysis

Which IP does Mayor Malware typically use to log into AWS?

  • Answer: 53.94.201.69

What is McSkidy's actual IP address?

  • Answer: 31.210.15.79

Comparing the IPs a user normally logs in from with the IPs seen in the logs helps distinguish legitimate activity from malicious activity: the ConsoleLogin above came from Mayor Malware's IP, not McSkidy's.


Financial Forensics

What is the bank account number owned by Mayor Malware?

  • Answer: 2394 6912 7723 1294

Financial details extracted from logs or related sources provide context to the attacker’s end goals.
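As an added example (not part of the original write-up or the challenge's own files), the pivots described above, from the JQ section through the questions, applied in Python to a constructed CloudTrail export. The users, IPs and the 15:21:54Z login are the values from this write-up; the bucket name, file key and other timestamps are sample values, and each function's comment gives the equivalent jq filter.

```python
import json
# Constructed CloudTrail export in CloudTrail's own layout (a top-level "Records" array).
# Users, IPs and the 15:21:54Z login mirror the write-up; every other value is sample data.
def rec(time, source, name, user, ip, **params):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "sourceIPAddress": ip, "requestParameters": params}

CLOUDTRAIL_JSON = json.dumps({"Records": [
    rec("2024-11-27T09:02:44Z", "signin.amazonaws.com", "ConsoleLogin", "mcskidy", "31.210.15.79"),
    rec("2024-11-28T15:21:54Z", "signin.amazonaws.com", "ConsoleLogin", "mcskidy", "53.94.201.69"),
    rec("2024-11-28T15:25:10Z", "iam.amazonaws.com", "CreateUser", "mcskidy", "53.94.201.69", userName="glitch"),
    rec("2024-11-28T15:26:02Z", "iam.amazonaws.com", "AttachUserPolicy", "mcskidy", "53.94.201.69",
        userName="glitch", policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
    rec("2024-11-28T15:40:11Z", "s3.amazonaws.com", "ListObjects", "glitch", "53.94.201.69", bucketName="sample-bucket"),
    rec("2024-11-28T15:41:30Z", "s3.amazonaws.com", "PutObject", "glitch", "53.94.201.69", bucketName="sample-bucket", key="bank-details.txt"),
]})

def load_records(text):
    """Parse a CloudTrail JSON document; swap `text` for open(path).read() on a real export."""
    return json.loads(text)["Records"]

def events_by_user(records, user):
    # jq: .Records[] | select(.userIdentity.userName=="glitch") | .eventName
    return sorted({r["eventName"] for r in records if r["userIdentity"].get("userName") == user})

def console_logins(records):
    # jq: .Records[] | select(.eventSource=="signin.amazonaws.com" and .eventName=="ConsoleLogin")
    #     | [.eventTime, .userIdentity.userName, .sourceIPAddress]
    return [(r["eventTime"], r["userIdentity"]["userName"], r["sourceIPAddress"])
            for r in records if r["eventSource"] == "signin.amazonaws.com" and r["eventName"] == "ConsoleLogin"]

def users_created_by(records, actor):
    # jq: .Records[] | select(.eventName=="CreateUser" and .userIdentity.userName=="mcskidy") | .requestParameters.userName
    return [r["requestParameters"]["userName"] for r in records
            if r["eventName"] == "CreateUser" and r["userIdentity"]["userName"] == actor]

def policies_attached_to(records, user):
    # jq: .Records[] | select(.eventName=="AttachUserPolicy" and .requestParameters.userName=="glitch") | .requestParameters.policyArn
    return [r["requestParameters"]["policyArn"].rsplit("/", 1)[-1] for r in records
            if r["eventName"] == "AttachUserPolicy" and r["requestParameters"].get("userName") == user]

def anomalous_logins(records, known_ips):
    # Console logins from an address outside the user's known set, e.g. {"mcskidy": {"31.210.15.79"}}.
    return [(t, u, ip) for t, u, ip in console_logins(records) if ip not in known_ips.get(u, set())]

if __name__ == "__main__":
    records = load_records(CLOUDTRAIL_JSON)
    print("glitch did:", events_by_user(records, "glitch"))
    print("suspect logins:", anomalous_logins(records, {"mcskidy": {"31.210.15.79"}}))
```

On a real export the same functions run unchanged over the parsed `Records` array, and the jq lines in the comments give the one-liner form for the shell.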


Educational Takeaways

  • Log Analysis: Monitoring AWS logs is crucial for identifying unauthorized activities and ensuring cloud security.

  • IP Tracking: Understanding IP behavior helps pinpoint sources of anomalies.

  • User Privileges: Reviewing user access levels prevents privilege misuse.