CloudTrail Events

The Falco cloudtrail plugin can read AWS CloudTrail logs and emit events for each CloudTrail log entry.

This plug-in also includes out-of-the-box rules that can be used to identify interesting/suspicious/notable events in CloudTrail logs, including:

• Console logins that do not use multi-factor authentication
• Disabling multi-factor authentication for users
• Disabling encryption for S3 buckets

Configuration

See the README for information on how to configure the plugin. The plugin initialization and open params strings/objects can be added to falco.yaml under the plugins configuration key.

Methods to read AWS CloudTrail logs

The plugin can be configured to read log files from:

• A S3 bucket
• A SQS queue that passes along SNS notifications about new log files
• A local filesystem path

For more information on the open params syntax, see open params.

Terraform Module for CloudTrail | Prerequisites

In order to use the AWS CloudTrail plugin, you must enable CloudTrail logging for the account(s) you want to monitor. This must be done before using the plugin.

In addition, of the three options above, using an SQS queue provides the easiest-to-consume source of logs. With the SQS queue, the plugin can detect when the new log files are written and can automatically consume them.

However, this also requires creating multiple AWS cloud resources, such as SQS queues, SNS topics/subscriptions, IAM policy documents, etc., outside of Falco, which involve multiple manual steps.

To make this process easier, we've created a Terraform module that automatically creates these resources.