How-To: Export your Cloud PKI Logs to CloudWatch

Prerequisites

• The Keytos Entra ID application is registered in your tenant
• You have an active EZCA plan

How To Export Your Cloud PKI Audit Logs To CloudWatch

How To Enable Log Export in EZCA Portal

1. Go to the EZCA Portal.

2. Click on Settings.

   

3. Expand your subscription’s Advanced Settings.

   

4. Enable the Send Audit Logs to SIEM option.

   

How To Configure CloudWatch Logs in the CloudWatch Portal

1. Open your CloudWatch Portal in a new browser tab.

2. In the top right corner, locate your AWS Region and make a note of it.

   

3. From the left-hand menu, under Setup, click on Settings.

   

4. Go to the Logs tab. In the API Keys section, click Create.

   

5. Choose your preferred API key expiration, then click Generate.

   

6. After the key is generated, copy and save it immediately. You will not be able to view it again after leaving this page.

   

7. Navigate to Log Management under Logs in the left-hand menu. Select the Log Group where you want to deliver your logs.

   

8. Click the Actions dropdown, then select Edit bearer token authentication.

   

9. When prompted, enable bearer token authentication by selecting Yes.

   

10. Confirm that bearer token authentication is enabled.

    

11. Identify and note the log stream where you want your logs delivered.

    

How To Configure the CloudWatch SIEM in EZCA Portal

1. Now go back to the EZCA Portal.

2. Select CloudWatch as the SIEM Provider.

   

3. Input the values that you copied from the CloudWatch portals. Then, click Test Connection. This will create a test log in your CloudWatch SIEM (please allow a few minutes for the log to show up in the CloudWatch portal).

   

4. If the connection test is successful, click Save changes

   

5. EZCA will now send your security alerts to your SIEM. If an error occurs it will email your subscription administrators. See below to see the different events EZCA will send.

How To Create Alerts in CloudWatch to Monitor Your Cloud PKI Activity

We recommend setting up alerts for any high criticality event, and closely monitor medium and low events. To setup alerts in CloudWatch go to Actions -> Create metric filter within your log group. Here are some example filters to get you started:

Certificate Request Denied (Event ID 4888)

Certificate request denied is an event that is created when a user requests a certificate that they do not have permission to request. It is important to alert on this event since it can be an attacker attempting to escalate privileges by requesting a certificate.

{ $.event.EventID = 4888 && $.source = "EZCA" }

CA Permission Changed (Event ID 4882)

CA Permission Changed is an event that is created when a user changes the security permissions for a CA. This event should be monitored since it is a low frequency high impact action that could indicate a compromise to your PKI administrator’s accounts.

{ $.event.EventID = 4882 && $.source = "EZCA" }

CA Changes Denied (Event ID 92)

CA Permission Denied is an event that is created when a user attempts to change the security permissions for a CA without having the proper security permissions. It is important to alert on this event since it can be an attacker attempting to escalate privileges by changing the security configuration of your certificate authority.

{ $.event.EventID = 92 && $.source = "EZCA" }

Deleted CA (Event ID 19)

CA Deleted is an event that is created when a user deletes a CA. This event should be monitored since it is a low frequency high impact action that could indicate a compromise to your PKI administrator’s accounts.

{ $.event.EventID = 19 && $.source = "EZCA" }

What Logs are Sent to CloudWatch?

EZCA sends the following log types to your SIEM:

CA Operation Events

Certificate Operation Events