
Build a Security Monitoring System (AWS)


Task 1.1 — Create Multi-Region CloudTrail and CloudWatch Logs

Open the AWS Console, search for CloudTrail, open it and create a trail.

After creating the trail, you need to configure a CloudWatch Logs group. Click on the trail you just created to configure the settings below.

You will need to enable CloudWatch Logs integration and create a new log group. Here I set mine to /aws/cloudtrail/securitytrail and had an IAM role created automatically by selecting New.

Now you can see that the trail is configured as multi-region, an S3 bucket was created automatically, an IAM user was also created, and CloudWatch Logs was configured automatically. We can see that the trail is now logging.

Task 1.2 — Create the Honeytoken Secret

Open Secrets Manager

When selecting the secret type, choose Other type of secret.

Here you'll see that I configured it as follows:

· Key: username

· Value: admin

· Add another:

  • Key: password

  • Value: Password123!

For the encryption key, choose aws/secretsmanager. This is enough for keeping your secret.

Set the secret name to Production_Database_Credentials.

Our secret has been created successfully.

Task 1.3 — Create S3 Bucket and Enable Logging

Open S3

Click on Create bucket

Name your S3 bucket

Make sure you block all public access

After creating your bucket, click on it, open the Properties tab and enable Server access logging.

Choose the S3 bucket you just created as the destination for server access logging.

Server access logging is disabled by default, so you need to enable it.

After enabling it, a notification will pop up telling you that it was successful.

PHASE 2 — Detection Flow 1 (CloudWatch Metric Filter)

Search for CloudWatch and click on it

Open CloudWatch → Log Groups and select the /aws/cloudtrail/securitytrail

Click on Log management and then on Create metric filter.

Enter this as your filter pattern: { ($.eventSource = "secretsmanager.amazonaws.com") && ($.eventName = "GetSecretValue") && ($.requestParameters.secretId = "Production_Database_Credentials") }

Give your Filter a name

Name the metric and the namespace

Review and create your metric filter

Task 2.2 — Create Alarm

You need to create an alarm on the metric you created earlier. Click on Create Alarm.

Select the metric filter you created earlier to build your alarm on.

The threshold should be >= 1 and the period should be 1 minute.

Task 2.3 — Create SNS Email Alert

Create a new topic and configure your SNS topic.

Set up the email address that should receive the SNS alert.

Check your inbox to confirm the subscription.

PHASE 3 — Detection Flow 2 (EventBridge)

Create a new rule in Amazon EventBridge

Choose your triggering event and the target. Here our triggering event is AWS API Call via CloudTrail and the target is the SNS topic.

Configure it and review

Now that your rule has been created, test it through the AWS CLI.

Open the AWS CLI and run: aws secretsmanager get-secret-value --secret-id Production_Database_Credentials

You should have been sent an alert by email. Go back to your inbox and check.

PHASE 4 — KILL SWITCH (Auto Block User)

Create Victim User

IAM → Users → Create user:

Click on Attach policies and attach the SecretsManagerReadWrite policy.

Select a service

Add a new policy and name it as DenyAllBoundary

Policy created successfully

Add a new Role and choose AWS service

Choose lambda

Name it as LambdaKillSwitchRole

Add the necessary permissions.

These are the permissions we added.

Search for AWS Lambda

Use the existing LambdaKillSwitchRole you created earlier.

Enter this in the code editor:

import boto3

iam = boto3.client('iam')

# AWSDenyAll is an AWS managed policy; as a permissions boundary it caps the
# user's effective permissions to nothing without detaching their policies.
BOUNDARY_ARN = 'arn:aws:iam::aws:policy/AWSDenyAll'

def lambda_handler(event, context):
    # EventBridge delivers the CloudTrail record under event['detail'].
    identity = event['detail']['userIdentity']
    user = identity.get('userName')
    if not user:
        # Role sessions and root carry no userName; nothing to block here.
        print('No IAM user in event, skipping:', identity.get('arn'))
        return
    iam.put_user_permissions_boundary(
        UserName=user,
        PermissionsBoundary=BOUNDARY_ARN
    )

Now we need to log in as the IAM user we created earlier, called Victim Users.

Then run this and you will see that access is denied:

aws secretsmanager get-secret-value --secret-id Production_Database_Credentials

You should also have received an email alert about this.
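As an added example (not code from the original walkthrough), here is the Phase 2 detection logic and the user lookup that the Phase 4 Lambda relies on, run offline over constructed CloudTrail records. It shows two things a practitioner should check: a caller who passes the secret's ARN instead of its name is missed by an exact match on secretId, and role sessions carry no userName for the kill switch to act on. The sample records, account id and ARN suffix are constructed placeholders.

```python
import re

HONEYTOKEN = "Production_Database_Credentials"

# Secrets Manager ARNs end in ":secret:<name>-<6 random chars>"; a caller that
# passes the ARN instead of the name slips past an exact match on secretId.
_ARN_NAME = re.compile(r"^arn:aws[^:]*:secretsmanager:[^:]+:\d{12}:secret:(.+)-[A-Za-z0-9]{6}$")

def secret_name(secret_id):
    """Return the bare secret name whether secretId is a name or a full ARN."""
    m = _ARN_NAME.match(secret_id)
    return m.group(1) if m else secret_id

def is_honeytoken_access(record):
    """The page's three metric-filter conditions, with secretId normalised."""
    params = record.get("requestParameters") or {}
    return (
        record.get("eventSource") == "secretsmanager.amazonaws.com"
        and record.get("eventName") == "GetSecretValue"
        and secret_name(params.get("secretId", "")) == HONEYTOKEN
    )

def kill_switch_target(record):
    """IAM user to put the deny boundary on; None for role sessions and root."""
    identity = record.get("userIdentity") or {}
    return identity.get("userName") if identity.get("type") == "IAMUser" else None

def triage(records):
    """(secretId as sent, user to block or None) for every honeytoken read."""
    return [(r["requestParameters"]["secretId"], kill_switch_target(r))
            for r in records if is_honeytoken_access(r)]

# Constructed sample records; the account id and ARN suffix are placeholders.
ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:" + HONEYTOKEN + "-AbCdEf"
SAMPLE_RECORDS = [
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"type": "IAMUser", "userName": "Victim Users"},
     "requestParameters": {"secretId": HONEYTOKEN}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/s1"},
     "requestParameters": {"secretId": ARN}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"secretId": "Staging_API_Key"}},
]

if __name__ == "__main__":
    for secret_id, user in triage(SAMPLE_RECORDS):
        print("ALERT:", secret_id, "read by", user or "non-user principal")
```

The second record is the case the page's exact-match filter would miss: the honeytoken is read by ARN from a role session, so it alerts but yields no user for the Lambda to restrict.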