If you're having trouble at any stage please contact us at firstname.lastname@example.org.
The goal of this guide is to add the Amazon Web Services (AWS) Multi-Tenant connector to your SkyFormation Platform. Use this connector if you are sending CloudTrail audit events from multiple AWS accounts into a shared S3 bucket, following the Amazon guide at:
CloudTrail Receive Logs From Multiple Accounts
If you are using a standard AWS account with its own private audit logs, use the standard AWS connector instead, as described at:
SkyFormation for AWS Cloud Connector Overview
AWS is a cloud services platform that provides Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). It lets organizations consume compute power and the services they need without buying or managing hardware.
At the same time, these public IaaS and PaaS services present the organization with new security challenges.
The main challenges and needs are to:
- Get and retain a full audit trail of activity in the AWS account
- Retrieve AWS account activity such as IAM user actions, EC2 changes and data flows, events from PaaS services and more
- Make these granular activities available in the organization's central log or event management system for compliance, investigation or forensic needs
- Detect security threats and policy violations
What is it
SkyFormation Cloud Connector for AWS Multi-Tenant is part of the SkyFormation Cloud Connectors module. It continuously ingests audit events from a single central CloudTrail in one AWS account, which collects the CloudTrail events of multiple other AWS accounts. The connector then unifies the events into a common application event format, enriches them with the detection context needed for analysis (such as an indication of the source AWS account), and sends them to any existing SIEM/SOC system.
How it works
SkyFormation Cloud Connector for AWS Multi-Tenant retrieves the events from the AWS service through its APIs. Before sending the events to the existing SIEM/SOC system, the connector will:
- Unify the events into the SkyFormation unified application event format
- Embed the original event inside the SkyFormation event
- Complement the event with missing information
- Enrich the event with detection context, such as AD identity information and the origin AWS account ID
- Encode the resulting event into a standard format such as CEF
- Send the event to the existing SIEM/SOC system over syslog
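The pipeline listed above, as an added example that is not SkyFormation's own code: it takes one CloudTrail log file as CloudTrail delivers it to the shared multi-account bucket (key layout AWSLogs/<account-id>/CloudTrail/<region>/..., which is the documented CloudTrail delivery format), derives the origin AWS account from the key, unifies each record, embeds the original JSON, encodes the result as CEF and wraps it in a syslog header. The vendor/product strings, the severity mapping, the choice of CEF custom fields and the two sample records are assumptions made for this demo; the S3 read and the syslog transport (UDP/TCP/TLS) are left out so it runs offline.

```python
"""Added example (not SkyFormation code): multi-account CloudTrail -> unified event -> CEF -> syslog."""
import gzip
import json
import re
from datetime import datetime, timezone

# CloudTrail writes <prefix>/AWSLogs/<account-id>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/<file>.json.gz
KEY_RE = re.compile(r"AWSLogs/(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/")

# Assumed severity mapping for the demo (CEF severity 0-10); unknown actions get 3.
SEVERITY = {"ConsoleLogin": 5, "CreateUser": 7}

# Constructed sample: one delivered log file from account 111111111111 with two records.
SAMPLE_KEY = ("org-trail/AWSLogs/111111111111/CloudTrail/us-east-1/2023/05/01/"
              "111111111111_CloudTrail_us-east-1_20230501T0000Z_abc123.json.gz")
SAMPLE_RECORDS = {"Records": [
    {"eventVersion": "1.08", "eventTime": "2023-05-01T00:01:02Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"},
     "responseElements": {"ConsoleLogin": "Failure"}, "recipientAccountId": "111111111111"},
    {"eventVersion": "1.08", "eventTime": "2023-05-01T00:03:04Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"},
     "requestParameters": {"userName": "backdoor"}, "recipientAccountId": "111111111111"},
]}
SAMPLE_OBJECT = gzip.compress(json.dumps(SAMPLE_RECORDS).encode())


def account_from_key(key):
    """Origin account and region, taken from the key prefix CloudTrail wrote."""
    m = KEY_RE.search(key)
    if not m:
        raise ValueError("not a CloudTrail object key: " + key)
    return m.group("account"), m.group("region")


def load_records(body):
    """Decompress one delivered log file and return its CloudTrail records."""
    return json.loads(gzip.decompress(body))["Records"]


def outcome_of(record):
    """Console sign-ins report success in responseElements; API calls report failure via errorCode."""
    if record.get("eventName") == "ConsoleLogin":
        ok = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
    else:
        ok = "errorCode" not in record
    return "Success" if ok else "Failure"


def unify(record, key_account):
    """Map one CloudTrail record to a flat unified event, enriched with the origin account."""
    ident = record.get("userIdentity", {})
    ts = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "time_ms": int(ts.timestamp() * 1000),
        "user": ident.get("userName") or ident.get("arn") or ident.get("type", "unknown"),
        "user_type": ident.get("type", "unknown"),
        "source": record["eventSource"],
        "action": record["eventName"],
        "outcome": outcome_of(record),
        "src_ip": record.get("sourceIPAddress", ""),
        "region": record.get("awsRegion", ""),
        "origin_account": key_account,
        # The key prefix is enforced by the bucket policy; the body is whatever was written.
        # A disagreement is flagged for detection rather than silently dropped.
        "account_mismatch": record.get("recipientAccountId") != key_account,
        "raw": json.dumps(record, separators=(",", ":"), sort_keys=True),  # embedded origin event
    }


def cef_header(v):
    return str(v).replace("\\", "\\\\").replace("|", "\\|")


def cef_ext(v):
    return str(v).replace("\\", "\\\\").replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")


def to_cef(ev, vendor="SkyFormation", product="AWS Multi-Tenant", version="1.0"):
    """Encode a unified event as a CEF:0 line (vendor/product/version are assumed values)."""
    header = "|".join(cef_header(x) for x in (
        vendor, product, version, ev["action"], "%s %s" % (ev["source"], ev["action"]),
        SEVERITY.get(ev["action"], 3)))
    ext = {"rt": ev["time_ms"], "suser": ev["user"], "src": ev["src_ip"], "act": ev["action"],
           "outcome": ev["outcome"],
           "cs1Label": "originAccount", "cs1": ev["origin_account"],
           "cs2Label": "region", "cs2": ev["region"],
           "cs3Label": "userType", "cs3": ev["user_type"],
           "cn1Label": "accountMismatch", "cn1": int(ev["account_mismatch"]),
           "cs4Label": "rawEvent", "cs4": ev["raw"]}
    return "CEF:0|" + header + "|" + " ".join("%s=%s" % (k, cef_ext(v)) for k, v in ext.items())


def syslog_line(msg, when, hostname="skyformation", facility=1, severity=5):
    """Wrap a message in a BSD syslog (RFC 3164) header; the event time is used as the stamp."""
    pri = facility * 8 + severity  # 1*8 + 5 = 13, user.notice
    stamp = "%s %2d %02d:%02d:%02d" % (when.strftime("%b"), when.day, when.hour, when.minute, when.second)
    return "<%d>%s %s %s" % (pri, stamp, hostname, msg)


def process_object(key, body):
    """Full pipeline for one delivered log file: returns the syslog lines to forward to the SIEM."""
    account, _region = account_from_key(key)
    lines = []
    for rec in load_records(body):
        ev = unify(rec, account)
        when = datetime.fromtimestamp(ev["time_ms"] / 1000, tz=timezone.utc)
        lines.append(syslog_line(to_cef(ev), when))
    return lines


if __name__ == "__main__":
    for line in process_object(SAMPLE_KEY, SAMPLE_OBJECT):
        print(line)
```

The origin account is read from the object key rather than from the record body, because the key prefix is what the shared-bucket policy from the Amazon guide constrains each sending account to; recipientAccountId is cross-checked and a mismatch is carried as a field so a detection rule can alert on it.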
AWS Multi-Tenant Audit Sources & Events Supported
|Audit Source (API)|Service/Module Covered|Event Types|Events included|
|---|---|---|---|
|CloudTrail|Console Sign-in|console login success/failed|A user in your account (root, IAM, federated, SAML, or SwitchRole) signed in to the AWS Management Console.|
||Additional Software & Services: AWS Marketplace|||
||Analytics: Amazon Athena, Amazon CloudSearch, Amazon EMR, AWS Data Pipeline, Amazon Kinesis Firehose, Amazon Kinesis Streams, Amazon QuickSight|||
||Application Services: Amazon API Gateway, Amazon Elastic Transcoder, Amazon Elasticsearch Service, Amazon Simple Workflow Service, AWS Step Functions|||
||Artificial Intelligence: Amazon Machine Learning, Amazon Polly|||
||Business Productivity: Amazon WorkDocs|||
||Compute: Amazon Elastic Compute Cloud (EC2), Application Auto Scaling, Auto Scaling, Amazon EC2 Container Registry, Amazon EC2 Container Service, AWS Elastic Beanstalk, Elastic Load Balancing, AWS Lambda|||
||Database: Amazon DynamoDB, Amazon ElastiCache, Amazon Redshift, Amazon Relational Database Service|||
||Desktop & App Streaming: Amazon WorkSpaces|||
||Developer Tools: AWS CodeBuild, AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline, AWS CodeStar|||
||Game Development: Amazon GameLift|||
||Internet of Things (IoT): AWS IoT|||
||Management Tools: AWS Application Discovery Service, AWS CloudFormation, AWS CloudTrail, Amazon CloudWatch, AWS Config, AWS Managed Services, AWS OpsWorks, AWS OpsWorks for Chef Automate, AWS Organizations, AWS Service Catalog|||
||Messaging: Amazon Simple Email Service, Amazon Simple Notification Service, Amazon Simple Queue Service|||
||Migration: AWS Database Migration Service, AWS Server Migration Service|||
||Mobile Services: Amazon Cognito, AWS Device Farm|||
||Networking & Content Delivery: Amazon CloudFront, AWS Direct Connect, Amazon Route 53, Amazon Virtual Private Cloud|||
||Security, Identity & Compliance: AWS Identity and Access Management (IAM), AWS Key Management Service (KMS), AWS Security Token Service (STS), AWS Certificate Manager, Amazon Cloud Directory, AWS CloudHSM, AWS Directory Service, Amazon Inspector, AWS WAF|||
||Storage: Amazon Simple Storage Service (S3), Amazon Elastic Block Store (EBS), Amazon Elastic File System (EFS), Amazon Glacier, AWS Storage Gateway|||
||Support: AWS Personal Health Dashboard, AWS Support|||
How to on-board AWS Multi-Tenant Connector to SkyFormation