Sending Clumio Audit Logs to AWS CloudTrail Lake

With the release of CloudTrail Lake, AWS has made it simpler to manage audit logs from disparate sources. CloudTrail Lake is a managed security and audit data lake that lets organizations aggregate, immutably store, and query events recorded by AWS CloudTrail. This can be done across different regions and accounts - and is backed by a 7-year default retention policy to help you meet compliance requirements.

Customers can ingest and analyze events in an AWS CloudTrail compatible schema from Clumio, as well as other third-party and non-AWS sources to streamline auditing, security investigation, and operational troubleshooting.

Once the integration is enabled, you’ll be able to capture and store audit activity across various categories. This will allow you to easily answer many security and compliance-related questions across various categories such as:

  • Authentication - Was there a high volume of unsuccessful logins to the Clumio console, indicating a brute force entry attempt or an issue with your Single Sign On provider?
  • User Management - When was a user added to the Development Organization in Clumio, and when were they given the backup Admin role?
  • Backups - When was a backup policy accidentally changed? This will help you quickly determine when a backup policy was changed or created to ensure you’re always meeting both long-term compliance requirements and maintaining any minimum required RPO’s (recovery point objectives).
  • Restores - Is someone browsing the CEO’s email history, or trying to recover Payroll information from a system backup? This activity is tracked even if a restore hasn’t been initiated.
  • S3 Protection Groups - When was a new S3 production bucket added to a protection group? Why was a bucket removed?

Installation Steps

To install:

Step 1: Get Clumio's External ID

Step 2: Configure the Clumio CloudTrail Lake integration

Step 3: Connect your Clumio environment to CloudTrail Lake

Step 4: Try a sample query

1. Get Clumio's External ID

First, in Clumio, navigate directly to the Audit Report page. You’ll see a link to set up the integration in the upper right corner. You must have the Super Admin role to set up the integration.

Screen_Shot_2023-01-27_at_2.35.20_PM.pngOn the next screen, you will see an external ID unique to your integration with CloudTrail. Copy this value, and we will then setup the next portion of the integration in AWS directly.Screen_Shot_2023-01-27_at_1.10.33_PM.png

2. Configure the integration in AWS

After logging into the AWS Console, navigate to CloudTrail, where you will find a new Integrations section under Lake. Click on the Add Integration button to configure the Clumio integration.

(Note: You can find detailed documentation on CloudTrail Lake here.)

You’ll first need to give a name to channel that Clumio will use to send the audit logs data through, and then select Clumio as the source. 

Screen_Shot_2023-01-27_at_1.05.18_PM.png

Next, we will need a place to deliver the Clumio audit logs and determine how long you would like to get the logs. You can either use an existing event data store or create a new one for this integration.

Screen_Shot_2023-01-27_at_1.08.48_PM.png

Next, we’ll configure the resource policy which is what will provide Clumio with a secure way to send the audit log data across the channel. This is where we will paste in the external ID we copied from the Clumio interface.

Screen_Shot_2023-01-27_at_1.13.22_PM.png

Lastly, apply any tags you may want to add to the resource and select Add Integration.
The integration is now set up, however, we have one final step. We need to copy the Channel ARN value and bring it back to Clumio, so we can complete the setup. 

Screen_Shot_2023-01-27_at_1.17.14_PM.png

3. Connect your Clumio environment to CloudTrail Lake

Return to the Clumio console and add the Channel ARN value, then click on Connect to CloudTrail.

Screen_Shot_2023-01-27_at_1.18.01_PM.png

An initial event will be sent to the CloudTrail Lake event data store, allowing you to verify connectivity. From there, your Clumio audit events will be regularly sent to the CloudTrail Lake data store.

Additionally, you’ll be able to monitor the health of the integration at any time through the Audit Log report. 

Screen_Shot_2023-01-27_at_2.37.00_PM.png

4. Query logs from CloudTrail Lake

CloudTrail Lake allows you to write robust SQL-based queries on the Clumio audit events sent to the event data store. 

Here's an example query that shows all recent audit logs form Clumio

SELECT eventData.uid, eventData.eventTime, eventData.eventname, eventData.additionaleventdata, eventData FROM [event_data_store_id] ORDER BY eventTime DESC

Audit Event Categories

Below is a list of all audit event categories that are sent to CloudTrail as part of this integration:

  • Authentication
  • Datasource
  • Policy
  • S3 Protection
  • Restore
  • Backup
  • Users
  • Organizational Unit
  • KMS Config
  • SSO/MFA
  • CloudFormation template

Architectural Diagram