Cloud Console Cartographer is an open-source project that allows IT teams to more easily read and understand cloud logs from AWS.
“If you’ve spent any amount of time digging through logs trying to triage activity in an environment, you’ve probably been overwhelmed with the log data that comes from console activity,” explained Daniel Bohannon, principal threat researcher at Permiso, the company behind the project.
It provides a framework for grouping events together, which is particularly useful because sometimes just a single click from one end user can result in 10s or 100s of events. For example, when a user clicks on “IAM -> Users” in the AWS console, over 300 CloudTrail events are generated.
The solution also parses through cloud logs to enable IT teams to see what the user was seeing in the UI at the time the log was generated. It can show information that was active at the time, including names of the groups, policies, roles, or access keys.
“Permiso and the P0 Labs research team continue to leverage their threat hunting experience by developing tools that help defenders understand and secure their cloud environments,” said Will Bengtson, senior director of security engineering at Hashicorp. “Cloud Console Cartographer helps security teams triage threats more quickly by aggregating log data from AWS console activity and mapping it back to the originating input actions by the user in the UI. This helps security teams cut through the noise and quickly differentiate between intended actions and unintended attacks. Their research and open-source tooling demonstrates the experience they have with helping organizations detect and respond to threats in the cloud.”
The project was released at Black Hat Asia yesterday, and is available on GitHub here.