CloudTrail Lake Detections
CloudTrail Lake Threat Detections
Threat detection rules built on AWS CloudTrail Lake — SQL-based queries across your entire AWS Organization, with Lambda-based alerting to Slack.
For the full deep-dive on why CloudTrail Lake was chosen over EventBridge, the architecture, and all 5 detection patterns, read the blog post: Detection Engineering with CloudTrail Lake at Scale
Detections
- ami_modified_for_public_image
- resource_made_public
- snapshot_made_public
- key_compromised
- security_configuration_change
- codebuild_made_public
- cloudtrail_stopped
- add_admin_permissions
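As an added illustration (not a rule from the repository or the blog post), this is a CloudTrail Lake query in the style of the cloudtrail_stopped detection above, run against an organization-wide event data store; the event data store ID and the time window are placeholders to be substituted by the caller.

```sql
-- Added example, not the repository's own rule: CloudTrail Lake query in the
-- style of the cloudtrail_stopped detection. CloudTrail Lake queries use the
-- event data store ID as the table name; <event-data-store-ID> is a placeholder.
SELECT
    eventTime,
    eventName,
    recipientAccountId,            -- account whose trail was stopped/deleted/changed
    awsRegion,
    userIdentity.arn  AS actor_arn,
    userIdentity.type AS actor_type,
    sourceIPAddress,
    userAgent,
    requestParameters              -- carries the trail name (and new settings for UpdateTrail)
FROM <event-data-store-ID>
WHERE eventSource = 'cloudtrail.amazonaws.com'
  -- UpdateTrail is included because it can quietly downgrade what a trail records
  AND eventName IN ('StopLogging', 'DeleteTrail', 'UpdateTrail')
  AND errorCode IS NULL            -- keep only calls that actually succeeded
  AND eventTime > '2024-01-01 00:00:00'   -- placeholder: start of the current polling window
ORDER BY eventTime DESC;
```

When a scheduled Lambda runs this, the window start should be the previous run's timestamp so that events are neither missed nor alerted on twice.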
Source
- GitHub: aws-cloudtrail-lake-detections
- Prerequisite: fleet-access (cross-account IAM role structure)
Note: the detection logic is forked from the Panther Labs CloudTrail rules and adapted for CloudTrail Lake.