The Threat Stack CloudTrail Base Ruleset has several out-of-the-box rules that alert users on activity within some of AWS’s most popular services (also the ones most prone to attack), including S3, IAM, Glacier, and Lambda. Given that AWS has over 100 services, we want to arm you with the ability to create custom CloudTrail rules in the Threat Stack Cloud Security Platform® based on the specific AWS services you leverage.
In this post, we cover three examples of one of Threat Stack’s most powerful capabilities — the ability to create, clone, and edit CloudTrail-specific rules. For each example, we briefly discuss the scenario that explains why we’re crafting the rule and why it’s important to our organization, look at the methodology for creating the rule, and finally test the rule to make sure it works.
In the three examples that follow, we explain how to create custom rules for Route53, DynamoDB, and EBS Volumes.