Bypassing CloudTrail and CloudWatch monitoring of AWS API

January 23, 2017 by Paulina BudzoƄ

Since AWS released CloudWatch Logs and allowed for automated streaming of CloudTrail events into CloudWatch, monitoring API usage with CloudWatch metrics and alerts has become increasingly popular. It’s incredibly easy to set up and add custom alerts on almost any API event. But is it actually going to notify you when an unauthorized person gains access?


Before CloudWatch was able to ingest and parse CloudTrail logs, if you wanted to monitor your API requests, you had to create an AWS Lambda function to do it for you. CloudTrail would put a file in S3; that would trigger your Lambda, which would analyze the file and do whatever you wanted when it found something of interest (send a message to SNS, perhaps?).

With streaming CloudWatch Logs, you can get similar functionality without writing a single line of code, simply by following a step-by-step guide in the Console. There’s even a CloudFormation stack which will create a set of alarms for the most common events that may be of interest, like a change in security groups, a large instance being launched, etc.

But is CloudTrail with CloudWatch an effective security tool on its own? The biggest limitation of CloudTrail is that it’s not real-time. This is understandable, as logging every API call immediately to multiple streams would be back-breaking. So the calls are gathered, typically within 15 minutes of the call, and sent to an S3 bucket in intervals of 5 minutes. The files are parsed into CloudWatch, metrics are calculated and alarms can be triggered within 5 minutes. All that can add up to 25 minutes between the API call being made and the notification being sent. Is it possible that during this delay, an unauthorized person who has gained access to your account may be able to disable the alarm or alter the notification?

That’s a combined CloudTrail and CloudWatch limitation. But it’s not the only asterisk you’ll find about this pair. CloudWatch Logs limits the size of a single event it can ingest. That means that if an API call recorded by CloudTrail is larger than 256KB, it will not be accepted by CloudWatch and therefore will not trigger any alarms. AWS documentation points out that to reach this limit, you’d have to make an API call to RunInstances for 500 instances. But surely there are other, more common API calls that can reach this limit. Or maybe an unauthorized person can send a malicious call that will reach this limit and not be recorded?
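The two gaps above (the 25-minute window in which the pipeline itself can be tampered with, and records over 256KB that CloudWatch Logs will never ingest) can both be covered by the older approach of reading CloudTrail files straight out of S3, as in the Lambda setup described earlier. The following is an added example, not code from the original post: it reads one CloudTrail file (gzipped or plain), flags records CloudWatch Logs would drop for size, and flags calls that weaken logging or alarming. The watch list, the sample records and the event IDs are constructed for the example; the size check approximates the per-record serialization CloudWatch Logs would see.

```python
import gzip
import json
from typing import Dict, List

# CloudWatch Logs rejects a single log event larger than 256 KB, so a
# CloudTrail record above this size never reaches metric filters or alarms.
CWL_MAX_EVENT_BYTES = 256 * 1024

# Assumed watch list: API calls that weaken the monitoring pipeline itself.
TAMPERING_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail",            # CloudTrail
    "DeleteAlarms", "DisableAlarmActions", "PutMetricAlarm",  # CloudWatch
    "DeleteMetricFilter", "DeleteLogGroup", "DeleteSubscriptionFilter",
}


def audit_cloudtrail_file(raw: bytes) -> Dict[str, List[str]]:
    """Scan one CloudTrail log file as delivered to S3 ({"Records": [...]}).
    Returns event IDs CloudWatch Logs would silently drop for size, and event
    IDs that touch the logging/alarming pipeline, regardless of size."""
    if raw[:2] == b"\x1f\x8b":          # S3 delivery is gzip-compressed
        raw = gzip.decompress(raw)
    records = json.loads(raw).get("Records", [])
    oversized, tampering = [], []
    for rec in records:
        # CloudTrail ships each record as one log event; approximate its size.
        size = len(json.dumps(rec, separators=(",", ":")).encode("utf-8"))
        if size > CWL_MAX_EVENT_BYTES:
            oversized.append(rec["eventID"])
        if rec.get("eventName") in TAMPERING_EVENTS:
            tampering.append(rec["eventID"])
    return {"oversized": oversized, "tampering": tampering}


def sample_file() -> bytes:
    """Constructed sample: a benign call, a StopLogging call, and a
    RunInstances record padded past the 256 KB limit."""
    base = {"eventVersion": "1.05", "eventSource": "ec2.amazonaws.com",
            "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser"}}
    records = [
        dict(base, eventID="ev-1", eventName="DescribeInstances"),
        dict(base, eventID="ev-2", eventSource="cloudtrail.amazonaws.com",
             eventName="StopLogging", requestParameters={"name": "main"}),
        dict(base, eventID="ev-3", eventName="RunInstances",
             requestParameters={"padding": "x" * (300 * 1024)}),
    ]
    return gzip.compress(json.dumps({"Records": records}).encode("utf-8"))


if __name__ == "__main__":
    print(audit_cloudtrail_file(sample_file()))
```

Wiring this into the S3-triggered Lambda gives an alert path that does not depend on CloudWatch Logs accepting the record.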

All things considered, monitoring CloudTrail with CloudWatch can be useful. But I would not advise making it the only security monitoring for your AWS account and infrastructure.
