The Falco cloudtrail plugin can read AWS CloudTrail logs and emit events for each CloudTrail log entry.
This plug-in also includes out-of-the-box rules that can be used to identify interesting/suspicious/notable events in CloudTrail logs, including:
- Console logins that do not use multi-factor authentication
- Disabling multi-factor authentication for users
- Disabling encryption for S3 buckets
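As an added illustration (not the plugin's own rules or code), the Python below sketches the checks behind those three categories over constructed CloudTrail records; it reads only standard CloudTrail record fields (eventSource, eventName, responseElements, additionalEventData.MFAUsed, requestParameters, userIdentity), and the records, account id and names are made up:

```python
import json

# Constructed CloudTrail-style records (not real log data). Only the fields the
# checks below read are filled in; the account id and names are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeactivateMFADevice",
     "requestParameters": {"userName": "bob"},
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketEncryption",
     "requestParameters": {"bucketName": "example-bucket"},
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/x"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]})

def actor(rec):
    # Prefer the IAM user name, fall back to the ARN (assumed roles), then the identity type.
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def check_record(rec):
    """Return a finding string if the record matches one of the three categories, else None."""
    src, name = rec.get("eventSource"), rec.get("eventName")
    if src == "signin.amazonaws.com" and name == "ConsoleLogin":
        # Only successful logins count; a missing MFAUsed field is treated as "no MFA".
        if rec.get("responseElements", {}).get("ConsoleLogin") == "Success" \
           and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            return f"console login without MFA by {actor(rec)}"
    if src == "iam.amazonaws.com" and name in ("DeactivateMFADevice", "DeleteVirtualMFADevice"):
        target = rec.get("requestParameters", {}).get("userName", "?")
        return f"MFA disabled for user {target} by {actor(rec)}"
    if src == "s3.amazonaws.com" and name == "DeleteBucketEncryption":
        bucket = rec.get("requestParameters", {}).get("bucketName", "?")
        return f"default encryption removed from bucket {bucket} by {actor(rec)}"
    return None

def scan_log(log_text):
    """Parse one CloudTrail log file (a JSON object with a Records list) and return findings."""
    records = json.loads(log_text).get("Records", [])
    return [hit for hit in map(check_record, records) if hit]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```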
See the README for information on how to configure the plugin. The plugin initialization and open params strings/objects can be added to falco.yaml under the plugins configuration key.
Methods to read AWS CloudTrail logs
The plugin can be configured to read log files from:
- An S3 bucket
- An SQS queue that passes along SNS notifications about new log files
- A local filesystem path
For more information on the open params syntax, see open params.
Terraform Module for CloudTrail
Prerequisites
In order to use the AWS CloudTrail plugin, you must enable CloudTrail logging for the account(s) you want to monitor. This must be done before using the plugin.
In addition, of the three options above, using an SQS queue provides the easiest-to-consume source of logs. With the SQS queue, the plugin can detect when new log files are written and can automatically consume them.
However, this also requires creating multiple AWS cloud resources, such as SQS queues, SNS topics/subscriptions, IAM policy documents, etc., outside of Falco, each of which involves manual steps.
To make this process easier, we've created a Terraform module that automatically creates these resources.