Sending Clumio Audit Logs to AWS CloudTrail Lake
With the release of CloudTrail Lake, AWS has made it simpler to manage audit logs from disparate sources. CloudTrail Lake is a managed security and audit data lake that lets organizations aggregate, immutably store, and query events recorded by AWS CloudTrail. This can be done across different regions and accounts - and is backed by a 7-year default retention policy to help you meet compliance requirements.
Customers can ingest and analyze events in an AWS CloudTrail compatible schema from Clumio, as well as other third-party and non-AWS sources to streamline auditing, security investigation, and operational troubleshooting.
Once the integration is enabled, you’ll be able to capture and store audit activity across various categories. This will allow you to easily answer many security and compliance-related questions across various categories such as:
- Authentication - Was there a high volume of unsuccessful logins to the Clumio console, indicating a brute force entry attempt or an issue with your Single Sign On provider?
- User Management - When was a user added to the Development Organization in Clumio, and when were they given the backup Admin role?
- Backups - When was a backup policy accidentally changed? This will help you quickly determine when a backup policy was changed or created to ensure you’re always meeting both long-term compliance requirements and maintaining any minimum required RPO’s (recovery point objectives).
- Restores - Is someone browsing the CEO’s email history, or trying to recover Payroll information from a system backup? This activity is tracked even if a restore hasn’t been initiated.
- S3 Protection Groups - When was a new S3 production bucket added to a protection group? Why was a bucket removed?
Configuration
- Get Clumio's External ID
First, in Clumio, navigate directly to the Administration > Security page. Click Edit in the AWS CloudTrail integration panel.
You must have the Super Admin role to set up the integration.
Copy the external ID unique to your integration with CloudTrail. Copy this value, and continue to setup the next portion of the integration in AWS directly. - Configure the integration in AWS
After logging on to the AWS Console, navigate to CloudTrail, where you will find a new Integrations section under Lake. Click Add Integration to configure the Clumio integration.
You can find detailed documentation on CloudTrail Lake here.
You’ll need to give a name to the channel that Clumio will use to send the audit logs data and then select Clumio as the source. - Next, you need a location to deliver the Clumio audit logs and determine how long you would like to get the logs. You can either use an existing event data store or create a new one for this integration.
- Configure the resource policy that provides Clumio with a secure way to send the audit log data across the channel. Paste in the external ID we copied from the Clumio interface.
- Lastly, apply any tags you may want to add to the resource and select Add Integration.
The integration is now set up, - Copy the Channel ARN value and bring it back to Clumio, to complete the setup.
- Connect your Clumio environment to CloudTrail Lake.
Return to the Clumio console and add the Channel ARN value, then click Connect to CloudTrail.
An initial event will be sent to the CloudTrail Lake event data store, allowing you to verify connectivity. From there, your Clumio audit events will be regularly sent to the CloudTrail Lake data store.
Additionally, you’ll be able to monitor the health of the integration at any time through the Audit Log report. - Query logs from CloudTrail Lake.
CloudTrail Lake allows you to write robust SQL-based queries on the Clumio audit events sent to the event data store.
Here's an example query that shows all recent audit logs from Clumio
SELECT eventData.uid, eventData.eventTime, eventData.eventname, eventData.additionaleventdata, eventData FROM [event_data_store_id] ORDER BY eventTime DESC
Audit Event Categories
This is a list of all audit event categories that are sent to CloudTrail as part of this integration:
- Authentication
- Datasource
- Policy
- S3 Protection
- Restore
- Backup
- Users
- Organizational Unit
- KMS Config
- SSO/MFA
- CloudFormation template
Architectural Diagram
Updated 9 months ago