AWS Cloud Log Extraction

property: value
tags: aws-cloud, cloud-forensics, cloud-tactics
url:
original_word_count: 1431

Article Excerpt

As an analyst or incident responder operating in a cloud environment, you are going to frequently be performing log analysis to uncover and investigate malicious activity.

Long Summary

This article provides an overview of how to extract CloudTrail logs from Amazon Web Services (AWS) for log analysis. CloudTrail is the service that records AWS API calls: management events by default, and data events if configured. It is turned on by default, and its event history is kept in the CloudTrail portal for 90 days. To retain logs beyond 90 days, a trail must be configured to deliver them to an S3 bucket.

The article discusses three methods of extracting logs from an S3 bucket: the web console, the AWS CLI, and API-based GUI tools. The web console is limited to 90 days and to 50 events at a time, and sorting is unavailable when there are more than 999 files. The AWS CLI is more efficient because it downloads many files in a single operation; the command the article gives for copying logs out of S3 is: aws s3 cp s3:///AWSLogs . --recursive. The sync subcommand can also download the logs from the bucket. Lastly, third-party tools provide GUI-based interfaces for exploring S3 buckets and support multi-threaded downloads for faster transfer.
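Once the files are on disk, analysis starts with reading them. The following Python is an added example, not code from the article: it assumes the local copy keeps the S3 layout AWSLogs/<account>/CloudTrail/<region>/YYYY/MM/DD/ and that each file is gzipped JSON with a top-level "Records" list (the documented CloudTrail log file format); the sample records, account ID, names and addresses are constructed.

```python
import gzip
import json
import tempfile
from pathlib import Path

# Constructed sample records; the account ID, names and addresses are placeholders.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-15T10:02:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-15T10:05:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Analyst/s1"}},
]

def write_sample_tree(root):
    """Write one gzipped CloudTrail-style file in the AWSLogs/<account>/CloudTrail/
    <region>/YYYY/MM/DD/ layout that a recursive S3 copy reproduces locally."""
    day_dir = (Path(root) / "AWSLogs" / "111111111111" / "CloudTrail"
               / "us-east-1" / "2024" / "01" / "15")
    day_dir.mkdir(parents=True, exist_ok=True)
    path = day_dir / "111111111111_CloudTrail_us-east-1_20240115T1000Z_sample.json.gz"
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        json.dump({"Records": SAMPLE_RECORDS}, fh)  # real files use the same "Records" key
    return path

def load_cloudtrail_records(root):
    """Yield every record from every *.json.gz file below root, in path order."""
    for path in sorted(Path(root).rglob("*.json.gz")):
        with gzip.open(path, "rt", encoding="utf-8") as fh:
            yield from json.load(fh).get("Records", [])

def summarize(records):
    """Flatten the fields triaged first: when, service, API call, who, source IP."""
    rows = []
    for r in records:
        ident = r.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        rows.append((r["eventTime"], r["eventSource"], r["eventName"], who,
                     r.get("sourceIPAddress", "")))
    return sorted(rows)

def demo():
    """Build the sample tree in a scratch directory, parse it, and return the rows."""
    with tempfile.TemporaryDirectory() as scratch:
        write_sample_tree(scratch)
        return summarize(load_cloudtrail_records(scratch))
```

Point load_cloudtrail_records at the directory you copied into (the "." in the article's command) to get the same flattened rows from a real download.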

In conclusion, the article gives an overview of extracting CloudTrail logs from AWS for log analysis and covers three ways of pulling them from an S3 bucket: the web console, the AWS CLI, and API-based GUI tools. Each has its own advantages and limitations, and the most suitable one depends on the use case.

Short Summary

📓 AWS Cloud Log Extraction

šŸ‘‰šŸ½ As an analyst or incident responder operating in a cloud environment, you are going to frequently be performing log analysis to uncover and investigate malicious activity. šŸ‘‰šŸ½ Overview of extracting CloudTrail logs from AWS for log analysis šŸ‘‰šŸ½ CloudTrail records AWS API calls at event level šŸ‘‰šŸ½ Logs stored in CloudTrail portal for 90 days šŸ‘‰šŸ½ Trails must be configured to extend retention past 90 days šŸ‘‰šŸ½ Three methods of extracting logs from S3 bucket šŸ‘‰šŸ½ Web console limited to 90 days and 50 events at a time šŸ‘‰šŸ½ AWS CLI more efficient for downloading multiple files at once šŸ‘‰šŸ½ Commands for copying logs and using sync for downloads šŸ‘‰šŸ½ Third-party tools available for GUI-based interfaces and accelerated transfer šŸ‘‰šŸ½ Suitable method depends on use case; consider advantages and limitations of each method.

#CloudTrail #AWS #loganalysis #S3bucket #extractionmethods