TrailShark: Enhance AWS Security with Near-Real-Time Insights
TrailShark
The TrailShark Capture Utility integrates with Wireshark as a capture source, so AWS CloudTrail logs can be pulled directly into Wireshark for near-real-time analysis. It can be used to debug AWS API calls and played a pivotal role in our “Bucket Monopoly Research” project: capturing the internal API calls that AWS services make on a user's behalf is what led to the discovery of critical vulnerabilities across several services. That visibility is invaluable both for hardening deployments and for understanding how AWS services interact.
Features
- CloudTrail Log Capture: Captures CloudTrail events directly from a trail's S3 bucket or from a CloudWatch Logs log group, giving comprehensive visibility of API activity.
- Advanced Filtering: Provides custom display filters, fields, and color-coding rules that highlight interesting or significant events, making analysis more intuitive and efficient.
- Custom Events: Supports defining custom events derived from existing ones, enabling more detailed and targeted analysis of event chains and their impacts.
Known Issues
- Sorting of Events: Events are not automatically sorted, because CloudTrail delivers them with a variable delay that depends on the region and the AWS service involved. Sort them manually in the GUI (for example by eventTime, the time the API call was made).
- Event Delay: Events arrive 1-2 minutes after the API call because of how CloudTrail delivers logs; this is why the tool is near-real-time rather than real-time.
- Data Sources: The tool offers two ways of pulling data: S3, which is slower, and CloudWatch, which may lose events under load. Choose the one that best fits your research.
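The following is an added example, not code from the TrailShark project, showing the two things the feature list and the sorting caveat describe: parsing CloudTrail records in both delivery shapes (the `{"Records": [...]}` document CloudTrail writes to S3, and the single-record message seen in CloudWatch Logs), re-ordering them by `eventTime` rather than by delivery order, and applying a simple color-coding rule to flag errors and identity operations. The sample records, the `IDENTITY_SOURCES` set and the color names are constructed for the example; the account IDs, ARNs and IP addresses are placeholders.

```python
from __future__ import annotations

import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample CloudTrail delivery document in the {"Records": [...]} shape
# CloudTrail writes to S3. The three records are deliberately out of order to
# mirror the sorting caveat above. Account IDs, ARNs and IPs are placeholders.
SAMPLE_S3_DOCUMENT = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventID": "e3", "eventTime": "2024-05-01T12:00:05Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-east-1",
     "readOnly": True, "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Dev/alice"}},
    {"eventVersion": "1.08", "eventID": "e1", "eventTime": "2024-05-01T12:00:01Z",
     "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1",
     "readOnly": True, "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventVersion": "1.08", "eventID": "e2", "eventTime": "2024-05-01T12:00:03Z",
     "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "awsRegion": "us-east-1",
     "readOnly": False, "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Dev/alice"}},
]})

# Event sources worth highlighting even when the call succeeds: identity and
# credential operations. This set is an assumption made for the example.
IDENTITY_SOURCES = {"sts.amazonaws.com", "iam.amazonaws.com"}


def parse_records(raw: str) -> list[dict]:
    """Accept either an S3 delivery document ({"Records": [...]}) or a single
    record as it appears in a CloudWatch Logs event message."""
    doc = json.loads(raw)
    if isinstance(doc, dict) and "Records" in doc:
        return list(doc["Records"])
    return [doc]


def event_time(rec: dict) -> datetime:
    """CloudTrail eventTime is ISO 8601 UTC with a trailing 'Z'."""
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sort_by_event_time(records: list[dict]) -> list[dict]:
    """Order by when the API call happened, not by when CloudTrail delivered it."""
    return sorted(records, key=event_time)


def classify(rec: dict) -> Optional[str]:
    """Return a color tag for the event, or None if it is routine."""
    if "errorCode" in rec:          # failed call: always worth a look
        return "red"
    if rec.get("eventSource") in IDENTITY_SOURCES:
        return "yellow"             # identity/credential operation
    if rec.get("readOnly") is False:
        return "orange"             # successful mutating call
    return None


def to_row(rec: dict) -> dict:
    """Flatten the fields one would show as Wireshark columns."""
    return {
        "time": rec["eventTime"],
        "id": rec["eventID"],
        "source": rec["eventSource"],
        "name": rec["eventName"],
        "actor": rec.get("userIdentity", {}).get("arn"),
        "ip": rec.get("sourceIPAddress"),
        "error": rec.get("errorCode"),
        "color": classify(rec),
    }


def triage(raw: str) -> list[dict]:
    """Parse, sort by eventTime and color-code a captured CloudTrail payload."""
    return [to_row(r) for r in sort_by_event_time(parse_records(raw))]


if __name__ == "__main__":
    for row in triage(SAMPLE_S3_DOCUMENT):
        print(row)
```

Because delivery order is not call order, `sort_by_event_time` is the step that turns a capture into a usable timeline; `classify` is the kind of rule that the tool's color-coding expresses as Wireshark coloring rules, here kept in Python so it can be unit-tested against sample records.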