The Global Intelligence for AWS CloudTrail App enables you to detect potentially malicious configuration changes in your AWS account by comparing AWS CloudTrail events in your account against a cohort of AWS customers. CloudTrail events are curated from AWS penetration tests and operational best practices.
The App dashboards enable you to determine the following:
- How your attack surface compares to your peers
- MITRE ATT&CK Framework tactics that are evident in your organization compared to your peers. MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
- Resources that are impacted
- An action plan to improve security posture in your AWS infrastructure
The current scope of this application includes the following AWS services and associated resource types:
- Amazon EC2: count of compute instances, security groups, route tables and Amazon Machine Images
- Amazon S3: count of buckets
- Amazon RDS: count of database instances and DB security groups
- Amazon Redshift: count of database clusters and parameter groups
- AWS Lambda: count of function names
- AWS IAM: count of IAM users, roles and groups
- AWS CloudTrail: count of trail instances
The Global Intelligence for AWS CloudTrail App uses AWS CloudTrail logs.