Cloud Detection & Logging
Detection That Actually Wakes Someone Up
Cloud environments change fast, so security here has to move with them by default and in an automated way.
In Cloud Detection & Logging, value comes from detection that is directly usable for follow-up, not just for reporting.
That is how you keep speed in the cloud without safety depending on manual luck.
Immediate measures (15 minutes)
Why this matters
The core of Cloud Detection & Logging is risk reduction in practice. Technical context supports the choice of measures, but implementation and assurance come first.
Defensive measures
Organization-Wide Trails
```shell
# AWS: configure an organization trail with data events
aws cloudtrail create-trail \
  --name org-comprehensive-trail \
  --s3-bucket-name org-audit-central \
  --is-organization-trail \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --include-global-service-events \
  --kms-key-id arn:aws:kms:eu-west-1:111111111111:key/KEY_ID

# Add data events (S3 object and Lambda invocation level) next to management events
aws cloudtrail put-event-selectors \
  --trail-name org-comprehensive-trail \
  --advanced-event-selectors '[
    {
      "Name": "Log all S3 data events",
      "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}
      ]
    },
    {
      "Name": "Log all Lambda invocations",
      "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::Lambda::Function"]}
      ]
    },
    {
      "Name": "Log all management events",
      "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Management"]}
      ]
    }
  ]'

# Enable insights (unusual API call rates and error rates)
aws cloudtrail put-insight-selectors \
  --trail-name org-comprehensive-trail \
  --insight-selectors '[
    {"InsightType": "ApiCallRateInsight"},
    {"InsightType": "ApiErrorRateInsight"}
  ]'
```
SIEM Integration
```shell
# AWS: send CloudTrail to CloudWatch Logs for real-time alerting
aws cloudtrail update-trail \
  --name org-comprehensive-trail \
  --cloud-watch-logs-log-group-arn arn:aws:logs:eu-west-1:111111111111:log-group:CloudTrail:* \
  --cloud-watch-logs-role-arn arn:aws:iam::111111111111:role/CloudTrail-CWL-Role

# Create metric filters for suspicious activity
# IAM user creation
aws logs put-metric-filter \
  --log-group-name CloudTrail \
  --filter-name IAMUserCreation \
  --filter-pattern '{ $.eventName = "CreateUser" }' \
  --metric-transformations \
    metricName=IAMUserCreation,metricNamespace=Security,metricValue=1

# Access key creation
aws logs put-metric-filter \
  --log-group-name CloudTrail \
  --filter-name AccessKeyCreation \
  --filter-pattern '{ $.eventName = "CreateAccessKey" }' \
  --metric-transformations \
    metricName=AccessKeyCreation,metricNamespace=Security,metricValue=1

# Trust policy modification
aws logs put-metric-filter \
  --log-group-name CloudTrail \
  --filter-name TrustPolicyChange \
  --filter-pattern '{ $.eventName = "UpdateAssumeRolePolicy" }' \
  --metric-transformations \
    metricName=TrustPolicyChange,metricNamespace=Security,metricValue=1

# Create alarms (shown for IAMUserCreation; repeat for AccessKeyCreation and TrustPolicyChange)
aws cloudwatch put-metric-alarm \
  --alarm-name "IAM-User-Created" \
  --metric-name IAMUserCreation \
  --namespace Security \
  --statistic Sum \
  --period 300 \
  --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --alarm-actions arn:aws:sns:eu-west-1:111111111111:security-alerts
```
Anomaly Detection
Azure: KQL query for anomalous sign-in detection, to run in Log Analytics / Microsoft Sentinel.

```kusto
// Unusual sign-in locations per application, successful sign-ins only.
// Service principal sign-ins live in AADServicePrincipalSignInLogs and can be queried the same way.
SigninLogs
| where AppDisplayName != ""
| where ResultType == 0
| summarize
    locations = make_set(Location),
    signin_count = count()
  by AppDisplayName, AppId
| where array_length(locations) > 3
```

AWS: Athena query for unusual AssumeRole patterns. Create an Athena table on the CloudTrail S3 bucket and query for:

- AssumeRole from unknown source accounts
- AssumeRole with unusually long durations
- AssumeRole with suspicious session names

GCP: BigQuery export of audit logs (assumes a log sink into BigQuery; `--use_legacy_sql=false` is needed for the backtick table name, `_TABLE_SUFFIX` and `FORMAT_DATE`).

```shell
bq query --use_legacy_sql=false '
SELECT
  protopayload_auditlog.authenticationInfo.principalEmail,
  protopayload_auditlog.methodName,
  protopayload_auditlog.requestMetadata.callerIp,
  COUNT(*) AS call_count
FROM `project.dataset.cloudaudit_googleapis_com_activity_*`
WHERE _TABLE_SUFFIX >= FORMAT_DATE("%Y%m%d", DATE_SUB(CURRENT_DATE(), INTERVAL 7 DAY))
GROUP BY 1, 2, 3
HAVING call_count > 100
ORDER BY call_count DESC
'
```
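The metric filters under SIEM Integration and the Athena checklist above describe the conditions in words; the script below is an added example, not code from the original page, that runs those same conditions over a handful of constructed CloudTrail records so the logic can be exercised offline before it is turned into metric filters or Athena queries. It goes slightly beyond the page by also flagging trail-tampering events (StopLogging, DeleteTrail, PutEventSelectors, UpdateTrail), the defender's side of the event selector manipulation row in the reference table. The known-account list, the 3600-second session limit, the `ci-`/`svc-`/`user-` session name convention and the sample records are assumptions for this example; the record fields used (`eventName`, `eventSource`, `userIdentity.accountId`, `requestParameters.roleSessionName`, `requestParameters.durationSeconds`) follow the CloudTrail record format.

```python
"""Detection pass over CloudTrail records (constructed sample data, not from the page).

Implements the conditions of the CloudWatch metric filters above
(CreateUser, CreateAccessKey, UpdateAssumeRolePolicy), extends them with
trail-tampering events, and adds the AssumeRole checks from the Athena notes
(unknown source account, long session duration, session name outside the
expected naming convention).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# --- Tunables: assumptions for this example, not values from the page ---
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}  # accounts allowed to assume our roles
MAX_SESSION_SECONDS = 3600                         # longer sessions are unusual for us
SESSION_NAME_PATTERN = re.compile(r"^(ci|svc|user)-[a-z0-9.-]{3,48}$")  # our naming convention

# Events the page's metric filters alarm on, plus trail-tampering events (T1562.008)
IAM_CHANGE_EVENTS = {"CreateUser", "CreateAccessKey", "UpdateAssumeRolePolicy"}
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "PutEventSelectors", "UpdateTrail"}


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: str
    principal: str
    detail: str


def _principal(record: dict) -> str:
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("accountId") or "unknown"


def check_record(record: dict) -> list[Finding]:
    """Return all findings for a single CloudTrail record."""
    findings: list[Finding] = []
    name = record.get("eventName", "")
    eid = record.get("eventID", "?")
    who = _principal(record)

    if name in IAM_CHANGE_EVENTS:
        findings.append(Finding("iam-change", eid, who, name))
    if name in TRAIL_TAMPER_EVENTS:
        findings.append(Finding("trail-tamper", eid, who, name))

    if name == "AssumeRole" and record.get("eventSource") == "sts.amazonaws.com":
        params = record.get("requestParameters") or {}
        src_account = record.get("userIdentity", {}).get("accountId")
        if src_account not in KNOWN_ACCOUNTS:
            findings.append(Finding("assumerole-unknown-account", eid, who,
                                    f"source account {src_account}"))
        duration = int(params.get("durationSeconds", 3600))  # STS default is one hour
        if duration > MAX_SESSION_SECONDS:
            findings.append(Finding("assumerole-long-session", eid, who,
                                    f"durationSeconds={duration}"))
        session = params.get("roleSessionName", "")
        if not SESSION_NAME_PATTERN.match(session):
            findings.append(Finding("assumerole-session-name", eid, who,
                                    f"roleSessionName={session!r}"))
    return findings


def scan(log_file: dict) -> list[Finding]:
    """Scan one CloudTrail log file ({"Records": [...]}) and return all findings."""
    out: list[Finding] = []
    for rec in log_file.get("Records", []):
        out.extend(check_record(rec))
    return out


# Constructed sample records: the shape follows the CloudTrail record format, the values are made up
SAMPLE_LOG = {"Records": [
    {"eventID": "e1", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventID": "e2", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventID": "e3", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"accountId": "222222222222", "arn": "arn:aws:iam::222222222222:role/ci-runner"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/deploy",
                           "roleSessionName": "ci-build-42", "durationSeconds": 900}},
    {"eventID": "e4", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"accountId": "999999999999", "arn": "arn:aws:iam::999999999999:user/x"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/deploy",
                           "roleSessionName": "a", "durationSeconds": 43200}},
    {"eventID": "e5", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/bob"}},
]}

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.rule}] event={f.event_id} principal={f.principal} {f.detail}")
```

On the sample data the access key creation and the StopLogging call each produce one finding, the CI run that assumes the deploy role from a known account with a conforming session name produces none, and the AssumeRole from the unknown account trips all three AssumeRole rules at once. Tune the thresholds and patterns to your own accounts; the point is that every rule here maps one-to-one onto a metric filter pattern or an Athena WHERE clause.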
Complete Detection Checklist

| Detection control | AWS | Azure | GCP |
|---|---|---|---|
| Multi-region / all-subscription logging | CloudTrail org trail | Activity Log | Org Audit Logs |
| Data plane logging | Data Events | Diagnostic Settings | Data Access |
| Threat detection service | GuardDuty | Defender for Cloud | SCC |
| IAM change alerts | CW Alarm + Filter | Sentinel Rule | Cloud Monitoring |
| Anomalous login detection | GuardDuty | Identity Protection | N/A |
| Service principal monitoring | IAM Analyzer | SP Sign-in Logs | SA Key Usage |
| Cross-account activity monitoring | Org trail | Lighthouse audit | Org Audit |
| DNS query logging | Route53 Query Log | DNS Analytics | Cloud DNS Log |
| Network flow logging | VPC Flow Logs | NSG Flow Logs | VPC Flow Logs |
| Configuration change tracking | Config Rules | Change Tracking | Asset Inventory |
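To verify the AWS column of this checklist for an existing trail, here is an added example (not part of the original page) that takes the JSON returned by `aws cloudtrail get-trail`, `get-event-selectors` and `get-insight-selectors` and lists which settings from the Organization-Wide Trails commands are missing. The two sample configurations are constructed; the required flags, data resource types and insight types are exactly the ones used in those commands, and the dictionary shapes follow the output of the three CLI calls.

```python
"""Baseline check for an AWS CloudTrail organization trail (constructed input, not from the page).

Feed it the parsed output of `aws cloudtrail get-trail --name X`,
`aws cloudtrail get-event-selectors --trail-name X` and
`aws cloudtrail get-insight-selectors --trail-name X`; it returns the list of
gaps against the baseline configured in the Organization-Wide Trails section.
"""
from __future__ import annotations

# Flags the create-trail command above turns on, with the control each one provides
REQUIRED_FLAGS = {
    "IsOrganizationTrail": "organization-wide logging",
    "IsMultiRegionTrail": "multi-region logging",
    "LogFileValidationEnabled": "log file integrity validation",
    "IncludeGlobalServiceEvents": "global service events (IAM, STS)",
}
REQUIRED_DATA_RESOURCES = {"AWS::S3::Object", "AWS::Lambda::Function"}
REQUIRED_INSIGHTS = {"ApiCallRateInsight", "ApiErrorRateInsight"}


def _selector_fields(selector: dict) -> dict[str, set[str]]:
    """Flatten one advanced event selector into {field: set(values)}."""
    out: dict[str, set[str]] = {}
    for fs in selector.get("FieldSelectors", []):
        out.setdefault(fs["Field"], set()).update(fs.get("Equals", []))
    return out


def covered_categories(event_selectors: dict) -> tuple[bool, set[str]]:
    """Return (management events logged?, set of data resource types logged)."""
    management = False
    data_types: set[str] = set()
    for sel in event_selectors.get("AdvancedEventSelectors", []):
        fields = _selector_fields(sel)
        cats = fields.get("eventCategory", set())
        if "Management" in cats:
            management = True
        if "Data" in cats:
            data_types |= fields.get("resources.type", set())
    return management, data_types


def check_trail(trail: dict, event_selectors: dict, insight_selectors: dict) -> list[str]:
    """Return human-readable gaps; an empty list means the baseline is met."""
    t = trail.get("Trail", trail)  # accept the get-trail wrapper or the bare trail object
    gaps: list[str] = []
    for flag, label in REQUIRED_FLAGS.items():
        if not t.get(flag, False):
            gaps.append(f"{flag} is off: no {label}")
    if not t.get("KmsKeyId"):
        gaps.append("KmsKeyId missing: log files are not encrypted with a customer-managed key")
    if not t.get("CloudWatchLogsLogGroupArn"):
        gaps.append("CloudWatchLogsLogGroupArn missing: no real-time delivery for alarms")
    management, data_types = covered_categories(event_selectors)
    if not management:
        gaps.append("no selector logs Management events")
    for missing in sorted(REQUIRED_DATA_RESOURCES - data_types):
        gaps.append(f"no data events for {missing}")
    present = {s.get("InsightType") for s in insight_selectors.get("InsightSelectors", [])}
    for missing in sorted(REQUIRED_INSIGHTS - present):
        gaps.append(f"insight {missing} not enabled")
    return gaps


# Constructed sample 1: a trail configured as in the commands above
GOOD_TRAIL = {"Trail": {
    "Name": "org-comprehensive-trail", "IsOrganizationTrail": True, "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True, "IncludeGlobalServiceEvents": True,
    "KmsKeyId": "arn:aws:kms:eu-west-1:111111111111:key/KEY_ID",
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:eu-west-1:111111111111:log-group:CloudTrail:*",
}}
GOOD_SELECTORS = {"AdvancedEventSelectors": [
    {"Name": "s3", "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]},
                                      {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]},
    {"Name": "lambda", "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]},
                                          {"Field": "resources.type", "Equals": ["AWS::Lambda::Function"]}]},
    {"Name": "mgmt", "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]},
]}
GOOD_INSIGHTS = {"InsightSelectors": [{"InsightType": "ApiCallRateInsight"},
                                      {"InsightType": "ApiErrorRateInsight"}]}

# Constructed sample 2: single-account, single-region trail without KMS key, data events or insights
WEAK_TRAIL = {"Trail": {
    "Name": "legacy-trail", "IsOrganizationTrail": False, "IsMultiRegionTrail": False,
    "LogFileValidationEnabled": True, "IncludeGlobalServiceEvents": True,
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:eu-west-1:111111111111:log-group:CloudTrail:*",
}}
WEAK_SELECTORS = {"AdvancedEventSelectors": [
    {"Name": "mgmt", "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]}]}
WEAK_INSIGHTS = {"InsightSelectors": []}

if __name__ == "__main__":
    for name, args in (("good", (GOOD_TRAIL, GOOD_SELECTORS, GOOD_INSIGHTS)),
                       ("weak", (WEAK_TRAIL, WEAK_SELECTORS, WEAK_INSIGHTS))):
        gaps = check_trail(*args)
        print(f"{name}: {len(gaps)} gap(s)")
        for g in gaps:
            print("  -", g)
```

The weak sample reports seven gaps (two flags, the missing KMS key, both data event resource types and both insight types); the good sample reports none. Run it periodically, or from a Config rule's Lambda, to catch drift such as someone narrowing the event selectors, which is the defender's side of the event selector manipulation row in the reference table.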
Reference table
| Technique | MITRE ATT&CK | AWS | Azure | GCP |
|---|---|---|---|---|
| Event selector manipulation | T1562.008 - Disable Cloud Logs | CloudTrail event selectors | Diagnostic settings | Audit config exemptions |
| Region-based evasion | T1562.008 - Disable Cloud Logs | Non-trailed regions | Non-monitored subscriptions | Non-audited projects |
| Non-logged API abuse | T1562.008 - Disable Cloud Logs | Data events (S3, Lambda) | Data plane without diagnostics | Data access without config |
| GuardDuty/Defender evasion | T1562.001 - Disable or Modify Tools | GuardDuty blind spots | Defender for Cloud gaps | SCC detection gaps |
| Cloud Shell as proxy | T1090 - Proxy | AWS CloudShell | Azure Cloud Shell | GCP Cloud Shell |
| Target compute usage | T1584.004 - Server | SSM Session Manager | Azure Bastion | gcloud compute ssh |
| Temporary credentials | T1550.001 - Application Access Token | STS session tokens | Managed Identity tokens | SA access tokens |
| Session name spoofing | T1036 - Masquerading | AssumeRole session name | N/A | N/A |
| User agent manipulation | T1036.005 - Match Legitimate Name | SDK/CLI user agent | REST API user agent | gcloud/API user agent |
| Rate limit awareness | T1029 - Scheduled Transfer | API throttling avoidance | ARM rate limits | Quota-aware operations |
| Log retention exploitation | T1070.009 - Clear Persistence | CloudTrail S3 retention | Activity Log 90-day limit | 400-day log retention |
| False positive generation | T1562.006 - Indicator Blocking | GuardDuty noise | Defender alert flooding | SCC finding noise |
| Trace removal | T1070 - Indicator Removal | Resource deletion | Resource deletion | Resource deletion |
| Credential reset cleanup | T1070.004 - File Deletion | Access key deletion | App credential removal | SA key deletion |
| Config restoration | T1070 - Indicator Removal | Trust policy rollback | Role assignment cleanup | IAM binding removal |
| Managed identity exploitation | T1550.001 - Application Access Token | EC2 instance profile | System/User managed identity | GCE service account |
| Service principal stealth | T1078.004 - Cloud Accounts | N/A | SP sign-in (separate log) | SA token (audit log) |
| DNS-based evasion | T1071.004 - DNS | Route53 resolver logging | Azure DNS Analytics | Cloud DNS logging |
| Data event blind spots | T1530 - Data from Cloud Storage | S3 GetObject (no data events) | Blob read (no diagnostics) | GCS read (no data access) |
The key insight about cloud evasion: the best way to avoid detection is not to avoid logs, but to generate activity that looks exactly like what is supposed to be there. In an environment with thousands of API calls per minute, the best disguise is normality.
Further reading in the knowledge base
These articles in the portal give you more background and practical context:
- The cloud — someone else's computer, your responsibility
- Containers and Docker — what they are and why you need to secure them
- Encryption — the art of making things unreadable
- Least Privilege — give people only what they need