Cloudtrail module able to parse encrypted logs?


Eric Lexcellent

Sep 26, 2018, 6:51:05 AM
to Wazuh mailing list
Hello all

I'm facing an issue when parsing CloudTrail logs for a specific AWS account (works fine with other accounts).
The CloudTrail logs I have access to are encrypted, which is not the case for the other accounts.
Could you please tell me if wazuh is able to process such logs?

Thanks
Eric  

Jeremy Phillips

Sep 26, 2018, 9:13:56 AM
to Eric Lexcellent, wa...@googlegroups.com
Hi Eric,

There should be no issue with accessing the logs, as the CloudTrail encryption is all done server side for S3, and doing a 'get object' should return an unencrypted log file.

Are you using SSE-S3, SSE-C, or SSE-KMS for S3 encryption?

If you pull down the CloudTrail log, is it encrypted or is it just a gzip'd json?

Jeremy


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/fc12a25e-5570-481d-838c-4f51aa9fbd84%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Eric Lexcellent

Oct 2, 2018, 3:42:12 AM
to Jeremy Phillips, wa...@googlegroups.com
Hi Jeremy,

Thanks for the feedback and sorry for the late answer.
In the end, I have set up a dedicated CloudTrail for Wazuh as I did for the other AWS accounts, and it is working fine.

Thanks
Eric 

Jeremy Phillips

Oct 5, 2018, 11:57:27 AM
to Eric Lexcellent, wa...@googlegroups.com
Hi Eric,

I did some testing this morning, and I'm not having any issues using the AWS wodle to gather/parse encrypted CloudTrail logs.  I think the problem you faced may be that CloudTrail is configured to use KMS to encrypt the logs, but the IAM user/role that Wazuh is configured to use to pull down the CloudTrail logs from the S3 bucket does not have sufficient access to the KMS key.

In my testing environment, I used the 'Create a new KMS key' from within the CloudTrail config:
[screenshot omitted: image.png]

If you look at the key policy that gets defined for this KMS key, it is fairly permissive, but there is an important permission in the statement.  This allows any users within the account to decrypt the files:

{
  "Sid": "Allow principals in the account to decrypt log files",
  "Effect": "Allow",
  "Principal": {
    "AWS": "*"
  },
  "Action": [
    "kms:Decrypt",
    "kms:ReEncryptFrom"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:CallerAccount": "123412341234"
    },
    "StringLike": {
      "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:123412341234:trail/*"
    }
  }
}

In my testing environment, I'm assuming an IAM Role in the AWS Account with the access to list/get objects from the S3 bucket for CloudTrail, so it has access to the key.

If I remove this statement from the key policy, the wodle starts failing:

DEBUG: {"aws": {"log_info": {"s3bucket": "myTestBucket", "aws_account_alias": "test-encrypted", "log_file": "AWSLogs/123412341234/CloudTrail/ap-southeast-1/2018/10/05/123412341234_CloudTrail_ap-southeast-1_20181005T1520Z_5lk7llR9Hh81Z9Zt.json.gz"}, "aws_account_id": "123412341234"}, "integration": "aws", "error_msg": "Unkown error reading/parsing file AWSLogs/123412341234/CloudTrail/ap-southeast-1/2018/10/05/123412341234-southeast-1_20181005T1520Z_5lk7llR9Hh81Z9Zt.json.gz: An error occurred (AccessDenied) when calling the GetObject operation: Access Denied"}
DEBUG: ++ File previously processed, but reparse flag set: AWSLogs/123412341234/CloudTrail/ap-southeast-1/2018/10/05/123412341234_CloudTrail_ap-southeast-1_20181005T1520Z_D9uESE0MxVcx3Nse.json.gz
DEBUG: ++ Found new log: AWSLogs/123412341234/CloudTrail/ap-southeast-1/2018/10/05/123412341234_CloudTrail_ap-southeast-1_20181005T1520Z_D9uESE0MxVcx3Nse.json.gz
DEBUG: ++ Unkown error reading/parsing file AWSLogs/123412341234/CloudTrail/ap-southeast-1/2018/10/05/123412341234_CloudTrail_ap-southeast-1_20181005T1520Z_D9uESE0MxVcx3Nse.json.gz: An error occurred (AccessDenied) when calling the GetObject operation: Access Denied; skipping..

So I then added back in the following statement to the KMS key policy:

{
  "Sid": "Allow Wazuh CloudTrail log parser role access to decrypt files",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::123412341234:role/myWazuhRoleName"
  },
  "Action": [
    "kms:Decrypt",
    "kms:ReEncryptFrom"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:123412341234:trail/*"
    }
  }
}

After adding this statement into the key policy, Wazuh was again able to download the CloudTrail logs...  

So double check that the key policy you have defined grants the IAM user/role sufficient access.

Thanks,

Jeremy
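A small key-policy evaluator, added here as an illustration and not code from this thread or from Wazuh, that replays Jeremy's experiment offline: it takes the two statements above, a caller identity and the CloudTrail encryption context KMS sees on decrypt, and reports whether kms:Decrypt would be granted. It deliberately models only what the thread needs (Principal, Action, StringEquals/StringLike conditions, explicit deny beating allow, implicit deny otherwise); it ignores identity-based IAM policies and the key's "Enable IAM User Permissions" root statement, and it treats the role session as identified by the role ARN. The account id and role name are the thread's own placeholders, the trail name "wazuh-trail" is a constructed value.

```python
import fnmatch

# Constructed values: account id and role name as written in the thread,
# trail name assumed for the example.
ACCOUNT = "123412341234"
WAZUH_ROLE = "arn:aws:iam::%s:role/myWazuhRoleName" % ACCOUNT
TRAIL_ARN = "arn:aws:cloudtrail:ap-southeast-1:%s:trail/wazuh-trail" % ACCOUNT

# Statement 1: the account-wide decrypt grant that CloudTrail's
# "Create a new KMS key" option puts into the key policy.
ACCOUNT_WIDE_STATEMENT = {
    "Sid": "Allow principals in the account to decrypt log files",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
    "Resource": "*",
    "Condition": {
        "StringEquals": {"kms:CallerAccount": ACCOUNT},
        "StringLike": {
            "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:%s:trail/*" % ACCOUNT
        },
    },
}

# Statement 2: the narrower, role-specific grant Jeremy added back.
ROLE_STATEMENT = {
    "Sid": "Allow Wazuh CloudTrail log parser role access to decrypt files",
    "Effect": "Allow",
    "Principal": {"AWS": WAZUH_ROLE},
    "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:%s:trail/*" % ACCOUNT
        },
    },
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    """True if the statement's Principal covers caller_arn ("*" covers everyone)."""
    if principal == "*":
        return True
    entries = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return any(p == "*" or p == caller_arn for p in _as_list(entries))


def _condition_matches(condition, context):
    """Every condition key must be present in the request context and match."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            patterns = _as_list(wanted)
            if operator == "StringEquals":
                if actual not in patterns:
                    return False
            elif operator == "StringLike":
                if not any(fnmatch.fnmatchcase(actual, p) for p in patterns):
                    return False
            else:
                raise ValueError("operator not modelled here: %s" % operator)
    return True


def evaluate(statements, caller_arn, action, context):
    """Simplified IAM logic: explicit Deny wins, else any matching Allow, else deny."""
    allowed = False
    for st in statements:
        if not _principal_matches(st.get("Principal", {}), caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not _condition_matches(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def cloudtrail_decrypt_allowed(statements, caller_arn, caller_account=ACCOUNT, trail_arn=TRAIL_ARN):
    """Can caller_arn decrypt a log object that CloudTrail wrote for trail_arn?

    KMS supplies kms:CallerAccount and the CloudTrail encryption context on the
    Decrypt call; S3 surfaces a failure here as AccessDenied on GetObject.
    """
    context = {
        "kms:CallerAccount": caller_account,
        "kms:EncryptionContext:aws:cloudtrail:arn": trail_arn,
    }
    return evaluate(statements, caller_arn, "kms:Decrypt", context)


if __name__ == "__main__":
    for label, policy in [("wizard default", [ACCOUNT_WIDE_STATEMENT]),
                          ("statement removed", []),
                          ("role grant only", [ROLE_STATEMENT])]:
        print("%-18s wazuh role decrypt: %s" % (label, cloudtrail_decrypt_allowed(policy, WAZUH_ROLE)))
```

Running it reproduces the three states of the thread: the wizard default allows any principal in account 123412341234, removing that statement leaves the Wazuh role with an implicit deny (the AccessDenied on GetObject above), and the role-specific statement restores access for that role only. The same function also shows the value of the encryption-context condition: a log written by a trail in another account does not decrypt even for the granted role.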






Jesus Linares

Oct 8, 2018, 2:56:50 AM
to Wazuh mailing list
Hi Eric, Jeremy,

We created this issue (https://github.com/wazuh/wazuh/issues/1522) with all the features/fixes required for AWS. Feel free to contribute.

Thanks.