Collecting AWS IAM Identities and AWS CloudTrail Events
ALERT LEGACY ARTICLE: The content in this article is no longer updated and is available for reference purposes only. Features and workflows described may be deprecated, significantly changed, or no longer supported.
Environment
- Datto EDR
Description
The Datto EDR HUNT's Cloud Workload Security module can be extended to support the collection and inspection of AWS IAM Identities. This functionality is in addition to the existing AWS CloudTrail Events and is leveraged as an extension of the Datto EDR HUNT Cloud module for Inspecting AWS EC2 instances in a Security workload.
This capability allows Datto EDR to enumerate all AWS IAM Identities and store each one as an Identity object under the Cloud section of the Analyze page. Datto EDR further enriches this information by aligning relevant AWS Event information with the new object types. This additional enrichment lists the events that were initiated by the IAM Identity, including the Type, Action, Event ID, Event Time and the full details from the audit log as a JSON metadata structure.
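The enrichment described above, attributing CloudTrail records to the IAM Identity that initiated them, can be illustrated offline. The following is an added example and not Datto EDR's own code: the identities and the cloudtrail:LookupEvents records are constructed samples, and the one detail worth noting is that an AssumedRole event must be attributed to the role named in sessionContext.sessionIssuer, not to the temporary sts:assumed-role session ARN.

```python
import json
from collections import defaultdict
# Constructed sample identities, shaped like trimmed iam:ListUsers / iam:ListRoles output.
IDENTITIES = [
    {"Type": "IAMUser", "Arn": "arn:aws:iam::123456789012:user/alice"},
    {"Type": "IAMRole", "Arn": "arn:aws:iam::123456789012:role/Deploy"},
]
def _ct(user_identity, name, source):
    """Abridged CloudTrailEvent JSON string, as cloudtrail:LookupEvents returns it."""
    return json.dumps({"userIdentity": user_identity, "eventName": name,
                       "eventSource": source, "eventType": "AwsApiCall"})

# Constructed LookupEvents records: an IAM user call, a call made through an assumed-role
# session of the Deploy role, and a call made by an AWS service on its own behalf.
EVENTS = [
    {"EventId": "ev-1", "EventName": "CreateAccessKey", "EventTime": "2023-05-01T10:00:00Z",
     "CloudTrailEvent": _ct({"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
                            "CreateAccessKey", "iam.amazonaws.com")},
    {"EventId": "ev-2", "EventName": "RunInstances", "EventTime": "2023-05-01T11:30:00Z",
     "CloudTrailEvent": _ct({"type": "AssumedRole",
                             "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci",
                             "sessionContext": {"sessionIssuer": {
                                 "arn": "arn:aws:iam::123456789012:role/Deploy"}}},
                            "RunInstances", "ec2.amazonaws.com")},
    {"EventId": "ev-3", "EventName": "Decrypt", "EventTime": "2023-05-01T12:00:00Z",
     "CloudTrailEvent": _ct({"type": "AWSService", "invokedBy": "ec2.amazonaws.com"},
                            "Decrypt", "kms.amazonaws.com")},
]

def initiator_arn(event):
    """IAM identity ARN that initiated a record, or None for service-initiated events."""
    uid = json.loads(event["CloudTrailEvent"]).get("userIdentity", {})
    if uid.get("type") == "AssumedRole":
        # The session ARN is an sts:assumed-role ARN; the IAM role is the session issuer.
        return uid.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    if uid.get("type") in ("IAMUser", "Root"):
        return uid.get("arn")
    return None

def enrich_identities(identities, events):
    """Map each identity ARN to the events it initiated, in the article's enrichment shape."""
    by_arn = defaultdict(list)
    for ev in events:
        arn = initiator_arn(ev)
        if arn:
            meta = json.loads(ev["CloudTrailEvent"])
            by_arn[arn].append({"Type": meta.get("eventType"), "Action": ev["EventName"],
                                "EventId": ev["EventId"], "EventTime": ev["EventTime"],
                                "Metadata": meta})
    return {ident["Arn"]: by_arn.get(ident["Arn"], []) for ident in identities}
```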
Requirements
- A User must have created and aligned AWS Credentials as defined in the AWS - Inspecting AWS EC2 Instances documentation
- A User must ensure that the AWS Credential being utilized has an IAM Policy associated with it that allows AWS Actions for LookupEvents and DescribeTrails (see example below)
- The User must then create an Integration with AWS using Infocyte's Integration capability, where the AWS Region and the AWS Credential to be used are specified.
Example Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:LookupEvents",
                "cloudtrail:DescribeTrails"
            ],
            "Resource": "*"
        }
    ]
}