Amazon CloudTrail contains logs of the activities and audit events of an AWS account. Analyzing CloudTrail events can be essential to understanding unexpected changes, anomalies, and risks in the underlying computing infrastructure. Maybe EC2 instances were spawned with the wrong type or configuration, or the account has the maximum number of IPv4 addresses allocated, or someone is moving a production resource to another, less safe, security group?

CloudTrail logs are stored as files on S3. This plugin allows you to connect to CloudTrail and use Unomaly to automatically analyze and profile these files as they are created.


Configure AWS

Create a new trail: open the CloudTrail section of the AWS console, click “Add New Trail”, and be sure to expand the “Advanced” section.

Enter a name for the trail, and be sure to enable “Create a new SNS topic” and set a name for that as well.

Now go to the SQS part of the AWS console and click the “Create New Queue” button.

Enter a name and make sure to note which region this queue is created within.

Now select the created queue and select “Subscribe Queue to SNS Topic” in the menu.

Lastly, select the SNS topic that you created during the CloudTrail setup.

If you haven’t already done so, go to the IAM part of the AWS console and create a user.

Be sure to select the “Generate an access key for each user” option, and take note of the “Access Key ID” and the “Secret Access Key”, which you will need.

Configure the transport

  1. Download the .run-file
  2. Upload the file to /tmp/ on the Unomaly Server
    • We usually recommend WinSCP for uploading files from Windows to Unomaly.
    • For Linux users, regular scp in the terminal is excellent.
  3. Install prerequisites

    pip install boto3
  4. Execute the file

    sudo sh /tmp/
  5. Copy the default configuration file

    cp /DATA/unomaly_transports/cloudtrailtransport.cfg-default /DATA/unomaly_transports/cloudtrailtransport.cfg
  6. Open the configuration file to configure the transport

    Example configuration:

    aws_access_key_id = AKIAAAAAAAAAAAAAAAA
    aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXX
    aws_sqs_region = eu-west-1
    aws_sqs_queue_name = logs
    aws_sqs_poll_time = 10
    hightlight_fields = responseElements
    include_raw_message = true

    Enter your API access key and secret. Next, enter the SQS endpoint information that you have configured CloudTrail to use (via SNS).

    Optionally highlight certain fields from the JSON response, and select whether to include the raw JSON message as well.

  7. Restart the transport manager.

  8. Run this command on the instance:

    unomaly restart transportd
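The steps above wire together a pipeline: CloudTrail writes a gzipped JSON log file to S3 and publishes a notice to the SNS topic, SNS forwards that notice to the subscribed SQS queue, and the transport polls the queue, downloads each referenced file from S3, and turns its records into events. The following added example (written for this page; it is not the Unomaly plugin's own code) shows that flow end to end on constructed sample data: a sample CloudTrail record, the SNS envelope as it arrives in the SQS message body, a parser for the page's key = value configuration (including the `hightlight_fields` and `include_raw_message` options from the example configuration), and a sketch of the live boto3 poll loop. The bucket, key, account id, topic ARN and instance id in the samples are placeholders, and `poll_forever` assumes boto3 and valid credentials.

```python
"""Added example: CloudTrail -> S3/SNS -> SQS -> poller, on constructed data."""
import gzip
import io
import json

# Constructed sample: one CloudTrail record as it appears inside the gzipped
# {"Records": [...]} object CloudTrail writes to S3.
SAMPLE_RECORD = {
    "eventVersion": "1.08",
    "eventTime": "2024-01-01T12:00:00Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "RunInstances",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
    "requestParameters": {"instanceType": "m5.24xlarge"},
    "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
}

# Constructed sample: SQS message body for an SNS-delivered CloudTrail notice.
# SNS wraps its payload in a JSON envelope whose "Message" field is itself a
# JSON string naming the bucket and object key(s) of the new log file.
SAMPLE_SQS_BODY = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:eu-west-1:123456789012:cloudtrail-topic",  # placeholder
    "Message": json.dumps({
        "s3Bucket": "example-cloudtrail-bucket",  # placeholder
        "s3ObjectKey": ["AWSLogs/123456789012/CloudTrail/eu-west-1/2024/01/01/example.json.gz"],
    }),
})


def build_log_file(records):
    """Gzip a {"Records": [...]} document the way CloudTrail stores it on S3."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(json.dumps({"Records": records}).encode())
    return buf.getvalue()


def parse_config(text):
    """Parse the transport's section-less key = value config file into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def parse_notification(sqs_body):
    """Return (bucket, [keys]) from an SNS->SQS CloudTrail notification body."""
    envelope = json.loads(sqs_body)
    if envelope.get("Type") != "Notification":
        raise ValueError("not an SNS notification envelope")
    msg = json.loads(envelope["Message"])
    return msg["s3Bucket"], list(msg["s3ObjectKey"])


def parse_log_file(gz_bytes):
    """Decompress a CloudTrail S3 object and return its Records list."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as gz:
        return json.load(gz).get("Records", [])


def format_event(record, highlight_fields, include_raw):
    """Flatten one record into the event dict handed on for analysis."""
    keys = ("eventTime", "eventSource", "eventName", "awsRegion", "sourceIPAddress")
    event = {k: record.get(k) for k in keys}
    event["user"] = record.get("userIdentity", {}).get("userName")
    for field in highlight_fields:          # e.g. responseElements, as in the sample config
        if field in record:
            event[field] = json.dumps(record[field], sort_keys=True)
    if include_raw:
        event["raw"] = json.dumps(record, sort_keys=True)
    return event


def process_notification(sqs_body, fetch_object, cfg):
    """Turn one queue message into events; fetch_object(bucket, key) returns bytes."""
    # Key name spelled as in the page's example configuration.
    highlight = [f.strip() for f in cfg.get("hightlight_fields", "").split(",") if f.strip()]
    include_raw = cfg.get("include_raw_message", "false").lower() == "true"
    bucket, keys = parse_notification(sqs_body)
    events = []
    for key in keys:
        for rec in parse_log_file(fetch_object(bucket, key)):
            events.append(format_event(rec, highlight, include_raw))
    return events


def poll_forever(cfg):
    """Sketch of the live loop (not exercised offline): long-poll SQS, fetch from S3,
    and delete a message only after it was processed, since SQS is at-least-once."""
    import boto3  # assumed installed (step 3) and the IAM key from the AWS setup valid
    creds = dict(aws_access_key_id=cfg["aws_access_key_id"],
                 aws_secret_access_key=cfg["aws_secret_access_key"])
    sqs = boto3.resource("sqs", region_name=cfg["aws_sqs_region"], **creds)
    s3 = boto3.client("s3", region_name=cfg["aws_sqs_region"], **creds)
    queue = sqs.get_queue_by_name(QueueName=cfg["aws_sqs_queue_name"])
    fetch = lambda b, k: s3.get_object(Bucket=b, Key=k)["Body"].read()
    while True:
        for msg in queue.receive_messages(MaxNumberOfMessages=10,
                                          WaitTimeSeconds=int(cfg["aws_sqs_poll_time"])):
            for event in process_notification(msg.body, fetch, cfg):
                print(json.dumps(event))
            msg.delete()
```

Running `process_notification(SAMPLE_SQS_BODY, fetch, cfg)` with an in-memory `fetch` that returns `build_log_file([SAMPLE_RECORD])` yields one event with `eventName` `RunInstances`, the `responseElements` block highlighted as a JSON string, and a `raw` copy of the record when `include_raw_message` is `true`. Two points worth keeping from the sketch when writing a real poller: reject anything that is not an SNS `Notification` envelope rather than trusting the body blindly, and delete the SQS message only after its log file was fetched and parsed, so a transient S3 failure leaves the notice in the queue for the next poll.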