

  • Cloud Trail and "Write-Only" setting

  • oren

    Member
    May 14, 2020 at 2:07 am

    For the question “A company is setting up a monitoring system that consists of AWS CloudTrail, Amazon SNS and Amazon CloudWatch Events with a custom rule that sends out security alerts to the IT Security team whenever a specific IAM access key is used. However, the security alerts are still not being sent to the Security team. What should be done to resolve this issue?”

    the correct answer is “Ensure that the trail’s management events are configured as Write-only or All.”

    But I (almost) didn’t choose this answer because I thought that if you set the Trail to “Write-only”, a simple use of an IAM access key wouldn’t be logged – and therefore the Trail wouldn’t work for this purpose. I’m not sure if that’s the case, but it seems logical that simply logging in with and *using* the access key for something like a lookup wouldn’t be logged as a “write” operation. Am I wrong?

  • Jon-Bonso

    Administrator
    May 15, 2020 at 10:23 am

    Hi Oren,

    Thank you for posting your question. This scenario is actually based on this AWS article:

    https://aws.amazon.com/premiumsupport/knowledge-center/track-access-key-credential/

    “You must have a trail enabled to send notifications to an SNS topic or SQS queue. Your trail’s management events must be configured as Write-only or All.”


    The scenario says that security alerts are still not being sent. There is a possibility that the access key is heavily used for write operations such as the “RunInstances” or “TerminateInstances” API operations that modify your resources, and not for read operations. If the trail is only set to track Read-only events, then these write operations would obviously not be recorded. On this premise, the proposed solution was to configure the Management Events of the trail to either the “Write-only” or “All” setting.

    I understand your point: if a particular access key is simply used to list all EC2 instances (DescribeInstances), show the list of S3 buckets, or perform any other Read-only operation using the AWS CLI, then there will be no trace in the trail since it is only set to log “Write-only” events. However, I deliberately didn’t include the complete information in the scenario to make it on par with the style of the official AWS exam. The real test is quite concise and doesn’t divulge the whole information. It will truly test the depth of your security knowledge in AWS and your troubleshooting skills as well.

    Again, the idea in this scenario is that the access key is presumably used to invoke write operations in your AWS account, but the trail is only set to track Read-only events. If this scenario said that the “access key is invoking write events such as TerminateInstances, RunInstances et cetera” upfront, then it would be easily answered since there is already a “write-only” keyword in one of the options. In the actual AWS exam, you will rarely see a scenario where the root cause is quite apparent.

    The AWS Security Specialty exam has a lot of troubleshooting scenarios similar to this one. You can see it in the official AWS Exam Guide -> Domain 2: Logging and Monitoring -> 2.2 Troubleshoot security monitoring and alerting.

    https://d1.awsstatic.com/training-and-certification/docs-security-spec/AWS-Certified-Security-Specialty_Exam-Guide.pdf

    Regards,

    Jon Bonso @ Tutorials Dojo
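The exchange above comes down to one question: which API calls a trail records under each management-event setting, and therefore which calls can ever reach the CloudWatch Events rule that matches on the access key. The following is an added example written for this thread, not code from Tutorials Dojo or from AWS. It models the trail's ReadWriteType filter (the real values accepted by `aws cloudtrail put-event-selectors` are ReadOnly, WriteOnly and All) and a simplified EventBridge-style pattern match on `detail.userIdentity.accessKeyId`. The CloudTrail records and access key IDs are constructed for illustration, and the matcher only implements exact-value matching, not the full EventBridge pattern grammar.

```python
"""Added example: how a trail's management-event ReadWriteType decides which
API calls reach a CloudWatch Events rule that alerts on a specific access key.
All events and key IDs below are constructed dummies, not real account data."""

# Constructed CloudTrail management events (only the fields the rule needs).
# CloudTrail stamps every record with "readOnly"; the trail's management-event
# setting keeps readOnly=True records (ReadOnly), readOnly=False records
# (WriteOnly), or both (All).
EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "readOnly": True,
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "readOnly": False,
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "readOnly": False,
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000002"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "readOnly": True,
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000002"}},
]

WATCHED_KEY = "AKIAEXAMPLEKEY000001"  # dummy key the security team wants alerts on

# CloudWatch Events / EventBridge rule pattern: every listed field must equal
# one of the listed values. This is the shape of the custom rule in the question.
RULE_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"userIdentity": {"accessKeyId": [WATCHED_KEY]}},
}


def trail_records(events, read_write_type):
    """Filter like the trail's management-event selector (ReadOnly/WriteOnly/All)."""
    if read_write_type == "All":
        return list(events)
    if read_write_type not in ("ReadOnly", "WriteOnly"):
        raise ValueError(f"unknown ReadWriteType: {read_write_type}")
    want_read_only = read_write_type == "ReadOnly"
    return [e for e in events if e["readOnly"] is want_read_only]


def matches_pattern(pattern, event):
    """Simplified EventBridge match: nested dicts recurse, leaf lists are allowed values."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def alerts(events, read_write_type):
    """Event names that would reach the SNS alert for a given trail setting."""
    fired = []
    for record in trail_records(events, read_write_type):
        # CloudTrail hands management events to CloudWatch Events in this envelope.
        envelope = {"detail-type": "AWS API Call via CloudTrail", "detail": record}
        if matches_pattern(RULE_PATTERN, envelope):
            fired.append(record["eventName"])
    return fired


if __name__ == "__main__":
    for setting in ("ReadOnly", "WriteOnly", "All"):
        print(f"{setting:9s} -> alerts on: {alerts(EVENTS, setting)}")
```

Running it shows both halves of the discussion: with the trail on ReadOnly, the watched key's RunInstances call never produces a record, so the rule never fires for it; with WriteOnly, the same key's DescribeInstances call is invisible, which is the gap oren raised; only All catches both. When the goal is "alert whenever this key is used", All is the setting that matches the requirement, and the fix is applied to the trail, not to the rule.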

  • oren

    Member
    May 15, 2020 at 12:34 pm

    Thanks for that detailed explanation. Much appreciated.

  • Jon-Bonso

    Administrator
    May 15, 2020 at 2:29 pm

    You’re welcome, Oren.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!

    Regards,

    Jon Bonso @ Tutorials Dojo
