Many of our AWS customers are storing their critical files on S3, and for various security and compliance reasons, those files need to be monitored to see if any are being accessed, altered, or deleted.
To help ensure the integrity of the files in S3 buckets, Threat Stack now supports alerting on access to and changes of files in specific buckets. AWS now supports recording object-level S3 access as CloudTrail events, and we have added rules to our base rule set to take advantage of that feature.
Event Names and User Actions
To create rules that monitor particular actions on files, customers can use the associated CloudTrail event name in their Threat Stack rules. The following table lists the Event Names that are generated when specific User Actions occur.
| User Action | CloudTrail Event Name |
| --- | --- |
| Download a file in a bucket | GetObject |
| Delete a file or upload a new file in a bucket | PutObject |
| Access the bucket | ListObjects |
| Access the policy of a bucket | GetObjectAcl |
| Upload a new policy on a bucket | PutObjectAcl |
| Access metadata on a bucket | HeadObject |
New Threat Stack FIM Features
The Threat Stack base rule set has been updated to alert when files in critical buckets are accessed or deleted:
(eventName = "PutObjectAcl" or eventName = "GetObjectAcl" or eventName = "GetObject" or eventName = "PutObject" or eventName = "ListObjects" or eventName = "HeadObject") and bucketName = "xxx"
Customers need to replace xxx with the bucket name that they want to monitor.
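As an added illustration (not Threat Stack's own code), the rule above applied in Python to a few constructed CloudTrail S3 data-event records; the function name, the sample records, the bucket names and the user ARNs are assumptions, while the record fields (eventSource, eventName, requestParameters.bucketName, requestParameters.key, userIdentity.arn) are the ones CloudTrail emits for object-level S3 events.

```python
import json

# The six event names in the Threat Stack base rule quoted above.
S3_FIM_EVENT_NAMES = {"PutObjectAcl", "GetObjectAcl", "GetObject",
                      "PutObject", "ListObjects", "HeadObject"}

# Constructed sample CloudTrail records (not real log data). Object-level S3
# data events carry the bucket and key under requestParameters.
SAMPLE_CLOUDTRAIL_JSON = json.dumps({"Records": [
    {"eventTime": "2020-01-01T12:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "critical-bucket", "key": "secrets/db.conf"}},
    {"eventTime": "2020-01-01T12:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci"},
     "requestParameters": {"bucketName": "build-artifacts", "key": "app.zip"}},
    {"eventTime": "2020-01-01T12:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"bucketName": "critical-bucket"}},
    {"eventTime": "2020-01-01T12:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": None},
]})

def s3_fim_alerts(cloudtrail_json, monitored_buckets):
    """Apply '(eventName in the set above) and bucketName = <monitored bucket>'
    to a CloudTrail log file and return one alert dict per matching record."""
    alerts = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        # Only S3 data events describe object-level activity; skip the rest.
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in S3_FIM_EVENT_NAMES:
            continue
        params = rec.get("requestParameters") or {}
        bucket = params.get("bucketName")
        if bucket not in monitored_buckets:
            continue
        alerts.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "bucket": bucket,
            "key": params.get("key"),  # no key on bucket-level ListObjects
            "actor": (rec.get("userIdentity") or {}).get("arn"),
        })
    return alerts

if __name__ == "__main__":
    for alert in s3_fim_alerts(SAMPLE_CLOUDTRAIL_JSON, {"critical-bucket"}):
        print(alert)
```

Object-level events only appear in the trail if S3 data event logging is enabled for the bucket, so an empty result is worth checking against the trail configuration before concluding nothing touched the files.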
In addition to creating alerts, customers can also search on corresponding events:
Final Word . . .
We’re continually adding to and improving the Threat Stack intrusion detection platform. Stay tuned to our blog to learn about new and enhanced features as they are released.