Cloud Console Cartographer: Open-source tool helps security teams transcribe log activity

Cloud Console Cartographer is an open-source tool that maps noisy log activity into highly consolidated, succinct events to help security practitioners cut through the noise and understand console behavior in their environment.

Cloud Console Cartographer

“Infrastructure as code has replaced a lot of the need for console access for many organizations, but there are still plenty of instances where the console is still being used, and in some cases, you need to use the AWS console to perform certain actions. Cloud Console Cartographer cuts through the noise generated in logs by those console sessions,” Daniel Bohannon, Permiso’s Principal Threat Researcher, told Help Net Security.

When users access the AWS console and click on IAM → Users, that single action creates 300+ CloudTrail events. The console events that show in CloudTrail are API calls that ultimately populate what is displayed within the user interface. A console session, therefore, can have far more events than the actual inputs or actions (such as clicking on an IAM homepage), and these events are never explicitly associated with the user’s actions.

Reviewing these logs, you might see events in CloudTrail such as iam:ListMFADevices or iam:ListAccessKeys. This can be confusing because this user didn’t take any action in the UI to list MFA devices or Access Keys. This user clicked on the IAM homepage, which triggered these events to populate that information in the console UI.

Security professionals are left trying to differentiate API calls invoked explicitly by a user from those secondary API invocations that create events to support the behavior or actions being conducted in the console UI. Threat actors leveraging console and other UIs have been observed, knowing how confusing this log data can be to incident responders and blue teamers.

Cloud Console Cartographer processes raw events in a log and can determine and group a series of 17 events that they see in CloudTrail, such as someone clicking a particular button in the UI. It even parses additional data from these secondary events to provide more context about what the user was seeing in the console, like the names of the groups, policies, roles, or access keys that were active at the time the click occurred. The ability to correlate and reduce these events into singular actions helps security teams gain a quick understanding of what activity was conducted in console, something that is difficult to do today.

Cloud Console Cartographer is available for free on GitHub.

Must read:

Don't miss