As an analyst or incident responder operating in a cloud environment, you will frequently perform log analysis to uncover and investigate malicious activity.
This article provides an overview of how to extract CloudTrail logs from Amazon Web Services (AWS) for the purpose of log analysis. CloudTrail is a service that records AWS API calls as management events, and as data events if configured. It is turned on by default and stores logs in the CloudTrail portal for 90 days. To retain the logs for longer than 90 days, a trail must be configured to deliver them to an S3 bucket.
The article discusses three methods of extracting logs from an S3 bucket: the web console, the AWS CLI, and API-based GUI tools. The web console is limited to 90 days and 50 events at a time, and sorting is not available if there are over 999 files. The AWS CLI is a more efficient method, as it allows multiple files to be downloaded at once. The command for copying logs out of S3 with the AWS CLI is: aws s3 cp s3://<bucket-name>/AWSLogs . --recursive (where <bucket-name> is a placeholder for the bucket the trail delivers to). The other command capable of downloading logs from the S3 bucket is sync. Lastly, third-party tools are available that provide GUI-based interfaces for exploring S3 buckets and support multi-threaded downloads for accelerated transfer.
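As an added example, not code from the SANS post: instead of recursively copying the whole AWSLogs/ tree, a responder can scope the pull to the account, region and day under investigation using the key layout a trail writes to S3, mirror it locally with sync, and count event names in what landed. The bucket name, account ID, region and date used here are placeholders, and the script assumes a standard (non-organization) trail writing the default AWSLogs/ layout.

```shell
#!/bin/sh
# Added example: scoped CloudTrail pull from an S3 trail bucket.
# Assumption: the trail uses the default object layout
#   AWSLogs/<account-id>/CloudTrail/<region>/YYYY/MM/DD/<file>.json.gz
# (organization trails insert the org ID after AWSLogs/, so adjust the prefix).

# Build the S3 key prefix for one account, region and day (date as YYYY-MM-DD).
cloudtrail_prefix() {
  account="$1"; region="$2"; day="$3"
  yyyy="${day%%-*}"
  rest="${day#*-}"
  mm="${rest%%-*}"
  dd="${rest#*-}"
  printf 'AWSLogs/%s/CloudTrail/%s/%s/%s/%s/' "$account" "$region" "$yyyy" "$mm" "$dd"
}

# Mirror that prefix locally. sync only fetches objects not already present,
# so re-running for the same day picks up late-delivered log files.
# Usage: pull_cloudtrail_day <bucket-name> <account-id> <region> <YYYY-MM-DD> [dest]
pull_cloudtrail_day() {
  bucket="$1"; account="$2"; region="$3"; day="$4"; dest="${5:-./cloudtrail}"
  prefix=$(cloudtrail_prefix "$account" "$region" "$day")
  mkdir -p "$dest/$prefix"
  aws s3 sync "s3://$bucket/$prefix" "$dest/$prefix"
}

# First triage pass over the download: each object is gzipped JSON with a
# "Records" array; print eventName counts, most frequent first.
list_event_names() {
  dest="$1"
  find "$dest" -name '*.json.gz' -exec gzip -dc {} + \
    | grep -o '"eventName":"[^"]*"' \
    | cut -d: -f2 | tr -d '"' \
    | sort | uniq -c | sort -rn
}
```

Run pull_cloudtrail_day with your own bucket, account and region, then point list_event_names at the destination directory to see which API calls dominate the day before opening individual files.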
In conclusion, this article provides an overview of how to extract CloudTrail logs from AWS for the purpose of log analysis. It discusses three methods of extracting logs from an S3 bucket: the web console, the AWS CLI, and API-based GUI tools. Each method has its own advantages and limitations, and the most suitable method will depend on the use case.
📓 AWS Cloud Log Extraction
👉🏽 As an analyst or incident responder operating in a cloud environment, you will frequently perform log analysis to uncover and investigate malicious activity.
👉🏽 Overview of extracting CloudTrail logs from AWS for log analysis
👉🏽 CloudTrail records AWS API calls at event level
👉🏽 Logs stored in CloudTrail portal for 90 days
👉🏽 Trails must be configured to extend retention past 90 days
👉🏽 Three methods of extracting logs from S3 bucket
👉🏽 Web console limited to 90 days and 50 events at a time
👉🏽 AWS CLI more efficient for downloading multiple files at once
👉🏽 Commands for copying logs and using sync for downloads
👉🏽 Third-party tools available for GUI-based interfaces and accelerated transfer
👉🏽 Suitable method depends on use case; consider advantages and limitations of each method.
🔗 source link: https://www.sans.org/blog/aws-cloud-log-extraction/
#CloudTrail #AWS #loganalysis #S3bucket #extractionmethods