Skip to content

raajheshkannaa/aws-cloudtrail-lake-detections

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
src
src
 
 
stacks
stacks
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
app.py
app.py
 
 
cdk.json
cdk.json
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

CloudTrail Lake Threat Detections

Threat detections you can enable RIGHT NOW with the capability of AWS CloudTrail Lake.

All you need is to toggle couple switches in the Organization Account to enable CloudTrail Lake, which will collect cloudtrail logs from all accounts & regions and normalize those logs for us to query using sql. We will use lambda functions` to query the lake for threats and alert slack.

Previously to do this at scale meant, enabling CloudTrail in all accounts and regions, sending those logs to S3 or a data lake has to be configured with partitions setup accordingly and athena queries to be scheduled. There are multiple moving parts to this equation, however with the announcement of CloudTrail Lake, all of this is extremely straight forward.

Note: Detections forked from Panther Labs CloudTrail Rules - https://github.com/panther-labs/panther-analysis/tree/master/aws_cloudtrail_rules

Detections

- ami_modified_for_public_image
- resource_made_public
- snapshot_made_public
- key_compromised
- security_configuration_change
- codebuild_made_public

About

Detections which could be built over AWS CloudTrail Lake

Topics

slack aws automation detection cloudtrail cdk cloudtrail-lake

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

3 watching

Forks

1 fork
Report repository

Languages