AWS recently announced Security Analytics Bootstrap, an open source framework to perform security investigations on AWS service logs using an Amazon Athena analysis environment.
AWS Security Analytics Bootstrap is deployed as an AWS CloudFormation template that lets customers run investigations over common AWS service logs stored in Amazon S3. It currently supports AWS CloudTrail logs, including management and data events, VPC Flow Logs, and Amazon Route 53 Resolver query logs.
The CloudFormation templates create an Athena analysis environment (Athena is AWS's serverless interactive query service) together with the AWS Glue databases and tables that Athena queries. Each table schema supports common security investigation requirements, including partitioning and searches across multiple accounts, regions, and dates. Everything is deployed as infrastructure as code, so there is no code for the customer to maintain, and the project ships example SQL queries for the most common use cases.
Example of a cross-account deployment, where AWS Security Analytics Bootstrap is in a different account than the S3 logging buckets. Source: https://aws.amazon.com/blogs/opensource/introducing-aws-security-analytics-bootstrap/
Mohit Gadkari, solutions architect at AWS, and Ryan Smith, senior threat detection and incident response consultant at AWS, write:
AWS Security Analytics Bootstrap uses partition projection with Amazon Athena to provide dynamic partitioning across accounts, regions, and dates without any additional infrastructure, code, or frequent maintenance. Partitioning AWS service log data by account, region, and date allows AWS customers to create targeted queries and reduce their cost and query times.
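The partition projection described in the quoted paragraph, as an added example: this is not code from the AWS Security Analytics Bootstrap project but an illustrative Athena table in the same style, followed by one cross-account investigation query. The database name, bucket name, account IDs, regions and partition column names are placeholder assumptions, and the column list is a reduced subset of the CloudTrail record schema.

```sql
-- Added example, not the project's own DDL. Placeholders: the
-- security_analytics database, DOC-EXAMPLE-LOG-BUCKET, the account IDs,
-- the region list and the *_partition column names are all assumed.
-- Only a subset of CloudTrail fields is declared; the JSON SerDe ignores
-- the rest of each record.
CREATE EXTERNAL TABLE IF NOT EXISTS security_analytics.cloudtrail (
  eventversion        STRING,
  useridentity        STRUCT<
                        type: STRING,
                        principalid: STRING,
                        arn: STRING,
                        accountid: STRING,
                        accesskeyid: STRING,
                        username: STRING>,
  eventtime           STRING,
  eventsource         STRING,
  eventname           STRING,
  awsregion           STRING,
  sourceipaddress     STRING,
  useragent           STRING,
  errorcode           STRING,
  errormessage        STRING,
  requestparameters   STRING,
  responseelements    STRING,
  eventid             STRING,
  readonly            STRING,
  eventtype           STRING,
  recipientaccountid  STRING
)
PARTITIONED BY (
  account_partition STRING,
  region_partition  STRING,
  date_partition    STRING
)
ROW FORMAT SERDE 'org.apache.hive.hcatalog.data.JsonSerDe'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://DOC-EXAMPLE-LOG-BUCKET/AWSLogs/'
TBLPROPERTIES (
  'projection.enabled' = 'true',
  -- Accounts and regions are enumerated: Athena never lists S3 to discover
  -- them, but a new account is invisible until it is added to this list.
  'projection.account_partition.type'   = 'enum',
  'projection.account_partition.values' = '111122223333,444455556666',
  'projection.region_partition.type'    = 'enum',
  'projection.region_partition.values'  = 'us-east-1,us-west-2,eu-west-1',
  -- Dates are generated from the range; NOW keeps the upper bound current
  -- with no partition maintenance.
  'projection.date_partition.type'          = 'date',
  'projection.date_partition.format'        = 'yyyy/MM/dd',
  'projection.date_partition.range'         = '2021/01/01,NOW',
  'projection.date_partition.interval'      = '1',
  'projection.date_partition.interval.unit' = 'DAYS',
  -- Must match the CloudTrail S3 key layout
  -- AWSLogs/<account>/CloudTrail/<region>/<yyyy>/<MM>/<dd>/ ; an
  -- organization trail inserts the organization ID before <account>.
  'storage.location.template' =
    's3://DOC-EXAMPLE-LOG-BUCKET/AWSLogs/${account_partition}/CloudTrail/${region_partition}/${date_partition}'
);

-- Investigation query: principals that hit authorization failures against
-- several distinct APIs in a one-week window, across every enumerated
-- account (no account_partition filter) and two regions. The predicates on
-- region_partition and date_partition are what keeps the scan small; with no
-- date_partition filter Athena reads every day from the range start to today.
SELECT account_partition,
       region_partition,
       useridentity.arn          AS principal_arn,
       sourceipaddress,
       COUNT(*)                  AS denied_calls,
       COUNT(DISTINCT eventname) AS distinct_apis,
       MIN(eventtime)            AS first_seen,
       MAX(eventtime)            AS last_seen
FROM security_analytics.cloudtrail
WHERE date_partition BETWEEN '2021/06/01' AND '2021/06/07'
  AND region_partition IN ('us-east-1', 'us-west-2')
  AND errorcode IN ('AccessDenied', 'AccessDeniedException',
                    'Client.UnauthorizedOperation')
GROUP BY account_partition, region_partition, useridentity.arn, sourceipaddress
HAVING COUNT(DISTINCT eventname) >= 5
ORDER BY denied_calls DESC
LIMIT 50;
```

Two practical caveats follow from the enum approach. An account whose trail starts landing in the bucket later does not show up in results until it is appended to the account list, so the enumerated values need to be kept in step with the logging configuration. And when the table lives in a different account from the bucket, as in the cross-account deployment shown in the figure above, the logging bucket's policy (and its KMS key policy, if the objects are encrypted) must grant the Athena caller read access to the objects; partition projection only removes the need to register partitions, not the need for the underlying permissions.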
Among the suggested use cases for the tool are searching AWS service logs natively in AWS, troubleshooting deployments without a security information and event management (SIEM) system, searching logs that are older than the SIEM retention period, and investigating AWS accounts that have no centralized logging.
Radoslaw Gola, cloud developer, suggests:
Looks really solid. I'm wondering how this could scale up on a bigger cloud system - have you maybe considered incorporating ServiceLens in order to elevate this functionality also to multi-region and multi-account level?
The project is available on GitHub under the Apache 2.0 license, and Smith highlights the simplicity of the deployment:
The environment includes configurations often required or recommended for production use, and is ready to use out of the box for most common use cases. We're actively working on new features and welcome feedback and requests.
The main template can be deployed on its own or combined with additional templates that cover specific use cases and requirements, for example enabling VPC Flow Logs or querying Amazon Route 53 Resolver query logs.
Corey Quinn in his newsletter comments:
"An open source framework" is a pretty lofty description for "a CloudFormation template that spins up a bunch of AWS services that will cost you money".
The CloudFormation templates themselves carry no charge, but customers who install AWS Security Analytics Bootstrap will incur charges from Amazon Athena, which bills per volume of data scanned, as well as from Amazon S3 and AWS KMS.