Varna – AWS CloudTrail Monitoring with EQL

Varna is an AWS serverless cloud security tool that parses and alerts on CloudTrail logs using Event Query Language (EQL). Varna is deployed as a lambda function, for scanning and serving web requests, and a dynamodb table, for keeping track of seen alerts.

The tool is cheap & efficient to run, costing less than 15 dollars a month with proper configuration and ingesting alerts as soon as CloudTrail stores them in S3.

Varna - AWS CloudTrail Monitoring with EQL
Varna – AWS CloudTrail Monitoring with EQL

Current supported features are:

  • Quick setup, takes less than 10 minutes to setup & deploy using Zappa.
  • Easy to enable slack & email notifications.
  • Rules are quick to write and easy to understand.
  • Easy to enable user authentication.
  • Simple code, readable by a single human in a couple of hours.
  • Past search in the web console for finding additional context.

Some of the rules by default:

  • bucket_logging_disabled – verify that the bucket logging is enabled
  • consolelogin – Alert for Console Login without MFA
  • newuser – Alert for creating new user
  • rootlogin – Alert for console login with user root
  • sg_global_access – Alert for security group that allow any IP to connect over SSH.

If user will look in Trusted Advisor most rules already exist while this tool may allow the monitoring for several accounts against security violation. User may add more rules to monitor AWS.

You can read more and download this tool over here:

Notify of
Inline Feedbacks
View all comments