Connect AWS CloudTrail with Azure Sentinel

What is Azure Sentinel?

Azure Sentinel is Microsoft's cloud-native SIEM (Security Information and Event Management) solution, delivered as an Azure service. It provides intelligent security analytics and threat intelligence across the enterprise from a single place: alerting, threat visibility, proactive hunting and automated response to detections.

What is AWS CloudTrail?

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

AWS CloudTrail Documentation

Many organizations are moving to multi-cloud environments, and managing security monitoring and auditing across all of them is a challenge for administrators and security engineers. Azure Sentinel can serve as the single place to collect security telemetry and run analytics and detections across clouds; it supports numerous data connectors, including one for AWS CloudTrail.

Connect your AWS CloudTrail with Azure Sentinel

Before we start, one prerequisite is needed:

Create an AWS IAM role that allows Azure Sentinel read access to AWS CloudTrail

In Azure Sentinel, select Data Connectors.

Under Data Connectors, select Amazon Web Services.

Click Open connector page.

On the instructions page, note down the Microsoft Account ID and the External ID. Both are needed for the AWS role configuration in the next step.

Log in to the AWS console and, under Security, Identity & Compliance, click IAM.

Click Roles, then Create role.

Under Select type of trusted entity, select Another AWS account.

Provide the Account ID and External ID noted in the previous step. Both matter: the Account ID restricts who can assume the role to Microsoft's connector account, and the External ID is the confused-deputy protection that stops another customer of that same connector service from assuming your role. Do not skip it or replace it with a guessable value.

Click Next and attach the permission the role needs: the AWS managed policy AWSCloudTrailReadOnlyAccess. Grant nothing more; the connector only needs to read trail data.

Next, provide a role name.

At the final step, create the role. Note the Role ARN on the role summary page.

Go back to the Azure Sentinel AWS data connector page and add the AWS Role ARN as below. Once the ARN is verified, the connector assumes the role and starts reading CloudTrail logs.
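The console steps above can also be expressed as a trust policy plus a managed-policy attachment. The following is an added example for this article, not Microsoft's or AWS's own tooling: it builds the trust policy that "Another AWS account" with an External ID produces, checks a trust policy for the confused-deputy mistake of omitting the External ID (or trusting "*"), and optionally creates the role with boto3. The account ID and External ID values are placeholders; the real ones come from the Sentinel connector page. boto3 and configured AWS credentials are assumed only for the creation step.

```python
"""Build, check and optionally create the IAM role that the Azure Sentinel
AWS connector assumes. Added example code, not Microsoft's or AWS's own."""
import json

# Placeholders: take the real values from the Sentinel connector page.
MICROSOFT_ACCOUNT_ID = "123456789012"                  # placeholder, not Microsoft's real ID
EXTERNAL_ID = "00000000-0000-0000-0000-000000000000"    # placeholder
OWN_ACCOUNT_ID = "999999999999"                        # placeholder: your own AWS account
CLOUDTRAIL_READONLY_POLICY = "arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess"


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Equivalent of choosing 'Another AWS account' + External ID in the console:
    only the given account may assume the role, and only with the External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal: str) -> str:
    """'arn:aws:iam::123456789012:root' -> '123456789012'; bare IDs pass through."""
    return principal.split(":")[4] if principal.count(":") >= 5 else principal


def trust_policy_is_safe(policy: dict, own_account_id: str) -> bool:
    """True only if every Allow sts:AssumeRole statement for a *foreign* account
    names a concrete principal and carries an sts:ExternalId condition.
    Same-account trust is fine without one; a wildcard principal never is."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return False
        for p in _as_list(principal.get("AWS", [])):
            if p == "*":
                return False
            if _account_of(p) == own_account_id:
                continue
            ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
            if not ext:
                return False
    return True


def create_connector_role(role_name: str, account_id: str, external_id: str,
                          own_account_id: str) -> str:
    """Create the role and attach read-only CloudTrail access. Refuses to create
    a role whose trust policy fails the check above. Returns the Role ARN to
    paste into the Sentinel connector page. Assumes boto3 and AWS credentials."""
    policy = build_trust_policy(account_id, external_id)
    if not trust_policy_is_safe(policy, own_account_id):
        raise ValueError("refusing to create a cross-account role without an External ID")
    import boto3  # imported lazily so the checks above work without the SDK installed
    iam = boto3.client("iam")
    role = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(policy))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=CLOUDTRAIL_READONLY_POLICY)
    return role["Role"]["Arn"]


if __name__ == "__main__":
    good = build_trust_policy(MICROSOFT_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    print("safe:", trust_policy_is_safe(good, OWN_ACCOUNT_ID))
    weak = build_trust_policy(MICROSOFT_ACCOUNT_ID, EXTERNAL_ID)
    del weak["Statement"][0]["Condition"]          # the console equivalent of leaving External ID blank
    print("safe without External ID:", trust_policy_is_safe(weak, OWN_ACCOUNT_ID))
```

Running the module prints the trust policy and the result of the safety check for the correct and the weakened version; `create_connector_role` is only called when you actually want the SDK to create the role for you. The same check is useful later as a periodic audit of existing roles, since a trust policy can be loosened after the connector is set up.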

After a few hours the logs appear in Azure Sentinel, in the AWSCloudTrail table.

We can use Log Analytics (KQL) queries to filter the data down to what is relevant to our use case.
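Three typical use cases for CloudTrail data once it is in Sentinel are root account usage, console sign-ins without MFA, and tampering with the trail itself (the feed Sentinel depends on). The following is an added example for this article, not Microsoft's or AWS's own code: it runs those three filters offline over constructed sample events in the CloudTrail record format, so the logic can be checked before it is turned into a KQL query against the AWSCloudTrail table (for example `AWSCloudTrail | where UserIdentityType == "Root"`). The sample events, account ID, user names and IP addresses are all made up.

```python
"""Filter CloudTrail events for a few common use cases. Added example code for
this article, not Microsoft's or AWS's own. Runs offline on constructed data."""
from typing import Iterable

# Constructed sample events in the CloudTrail record format (not real data).
SAMPLE_EVENTS = [
    {"eventTime": "2021-03-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accountId": "999999999999"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2021-03-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.4",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2021-03-01T08:06:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2021-03-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::999999999999:assumed-role/ops/ci"}},
    {"eventTime": "2021-03-01T09:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "management-trail"}},
]

# CloudTrail API calls that reduce or disable audit coverage.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def actor(event: dict) -> str:
    """Human-readable identity: 'root', an IAM user name, or an assumed-role ARN."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn") or "unknown"


def root_activity(events: Iterable[dict]) -> list:
    """Any API call or sign-in made with the root account."""
    return [e for e in events if e.get("userIdentity", {}).get("type") == "Root"]


def console_logins_without_mfa(events: Iterable[dict]) -> list:
    """Successful console sign-ins where MFA was not used (failures are ignored)."""
    return [e for e in events
            if e.get("eventName") == "ConsoleLogin"
            and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def trail_tampering(events: Iterable[dict]) -> list:
    """Calls that stop, delete or reconfigure a trail. Worth alerting on even
    when made by an authorised user, since they blind the Sentinel connector."""
    return [e for e in events
            if e.get("eventSource") == "cloudtrail.amazonaws.com"
            and e.get("eventName") in TRAIL_TAMPERING]


def summarise(events: Iterable[dict]) -> dict:
    """Run all three filters and return hit counts keyed by use case."""
    events = list(events)
    return {"root_activity": len(root_activity(events)),
            "console_login_no_mfa": len(console_logins_without_mfa(events)),
            "trail_tampering": len(trail_tampering(events))}


if __name__ == "__main__":
    for name, hits in (("root activity", root_activity(SAMPLE_EVENTS)),
                       ("console login without MFA", console_logins_without_mfa(SAMPLE_EVENTS)),
                       ("trail tampering", trail_tampering(SAMPLE_EVENTS))):
        print(f"== {name}: {len(hits)}")
        for e in hits:
            print(f"  {e['eventTime']} {e['eventName']:16} {actor(e):10} {e['sourceIPAddress']}")
```

Each filter maps directly onto a `where` clause in KQL; the Python version is useful for deciding exactly which fields and values a rule should key on (for example treating a failed ConsoleLogin differently from a successful one) before committing it as an analytics rule in Sentinel.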

Additional Links