Bot of the Week: CLOUDS WITHOUT API AUDITING SERVICES
What it does: Identifies accounts with API auditing services such as AWS CloudTrail inactive/disabled across all regions
This bot inspects all configured cloud accounts for the presence of API auditing services such as AWS CloudTrail across all regions. Having this enabled ensures that all cloud activity, both within the native cloud console and via the programmatic API, is captured for audit and tracking purposes.
Why do I care?
Within cloud accounts, enabling API audit services such as CloudTrail will track all changes within the cloud, who made those changes and where those changes were made. This feature is useful when a server breaks down, or there is an accidental deletion or modification of a resource. It can also identify the IP address the modifications came from so that the user can be addressed directly.
These auditing services are often required for compliance with industry standards like HIPAA, PCI and other best practices. Without audit services enabled, it’s possible that malicious changes can be made and never detected. This can result in permanently deleted or changed files, unauthorized access to your account or the complete shutdown of servers. Services such as CloudTrail not only document changes made from the cloud console, they also record changes made via the API or third-party tools, ensuring all activity is recorded and audited.
This simple Bot from DivvyCloud will ensure CloudTrail or other audit services are enabled globally and immediately re-enable the service if it is ever shut off, preventing unaudited changes to your cloud infrastructure.
Malicious attackers will disable CloudTrail
If a malicious user wants to compromise a cloud account, they will immediately turn off CloudTrail so the account owner has no way of knowing what’s going on inside the cloud. The attacker can exfiltrate data, delete resources and shut down servers, and it would be nearly impossible to go back and figure out who carried out the attack, where it came from or what was attacked.
From a compliance perspective, having CloudTrail enabled is a requirement when dealing with sensitive data. For organizations that store highly sensitive data, such as government, medical or financial organizations, having CloudTrail enabled is a must to remain compliant.
Prevent attacks from unauthorized parts of the globe
API audit services are often enabled per region, so it is easy to lose track of which regions have the service enabled and which do not. This Bot will enable and activate an API audit configuration in every region for all cloud accounts.
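The per-region coverage check described above, written out as an added example (this is not DivvyCloud's bot code). It assumes the trail list has already been collected from CloudTrail's `describe_trails(includeShadowTrails=True)` and each trail's `get_trail_status()` and reduced to the fields shown; the trails, regions and account id are constructed sample data.

```python
# Coverage check for AWS CloudTrail across regions (added example, not the bot's code).
# Input shape mirrors what boto3's describe_trails()/get_trail_status() return, reduced
# to the fields the check needs. All values below are constructed sample data.
SAMPLE_REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]
SAMPLE_TRAILS = [
    {  # an organization-wide trail that exists but has been stopped
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/global",
        "HomeRegion": "us-east-1", "IsMultiRegionTrail": True, "IsLogging": False,
    },
    {  # a single-region trail that is still logging
        "TrailARN": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/eu-only",
        "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False, "IsLogging": True,
    },
]


def audited_regions(regions, trails):
    """Regions covered by at least one trail that is actively logging."""
    covered = set()
    for trail in trails:
        if not trail["IsLogging"]:
            continue  # a trail that exists but is stopped gives no audit coverage
        if trail["IsMultiRegionTrail"]:
            covered.update(regions)  # multi-region trails cover every region
        else:
            covered.add(trail["HomeRegion"])
    return covered


def unaudited_regions(regions, trails):
    """Sorted list of regions with no active API audit trail."""
    return sorted(set(regions) - audited_regions(regions, trails))


def stopped_trails(trails):
    """Trails that are configured but not logging; these only need start_logging()."""
    return [t["TrailARN"] for t in trails if not t["IsLogging"]]


def remediation_plan(regions, trails):
    """What the bot would do: restart stopped trails, then create trails where none exists."""
    actions = [("start_logging", arn) for arn in stopped_trails(trails)]
    still_missing = unaudited_regions(regions, [dict(t, IsLogging=True) for t in trails])
    actions += [("create_trail", region) for region in still_missing]
    return actions


if __name__ == "__main__":
    print("unaudited:", unaudited_regions(SAMPLE_REGIONS, SAMPLE_TRAILS))
    print("plan:", remediation_plan(SAMPLE_REGIONS, SAMPLE_TRAILS))
```

The plan distinguishes a trail that was merely switched off (the "disable CloudTrail" case above, fixed by restarting logging) from a region that never had coverage, which needs a new trail or a multi-region trail.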
One of the most useful capabilities of API auditing is the ability to only allow modifying activity from IP addresses in specified geographic regions. If activity is detected from outside that geographic location, it can be stopped immediately. This helps identify and mitigate external threats and potential intrusions into your cloud footprint.