Ensure CloudTrail is enabled in all regions

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).

Category: Controls

Medium

Applies to: AWS

Coverage: 1 query

Asset types: 1 covered

Rationale

The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally:

  • a multi-region trail or an organization trail ensures that unexpected activity in otherwise unused regions is detected
  • a multi-region trail or an organization trail has Global Service Logging enabled by default, so events generated by AWS global services are recorded
  • for a multi-region trail, configuring management events for all read and write types ensures that management operations performed on any resource in the AWS account are recorded

Remediation guidance

AWS Remediation

Service-wide fix (recommended): use an organization trail or at least one multi-region trail in every account, and centralize delivery to a protected S3 bucket.

When to use service-wide remediation

Use the service-wide path when many accounts are affected. CloudTrail is a foundational logging control and should be part of the landing zone, not a manual afterthought.

Console

  1. Open CloudTrail.
  2. Go to Trails.
  3. Create a new trail, or edit the existing trail.
  4. Enable Apply trail to all regions.
  5. Make sure management events are enabled for both Read and Write.
  6. Use an approved S3 bucket and, if required by your standard, enable CloudWatch Logs integration and log file validation.

AWS CLI

Create a multi-region trail:

aws cloudtrail create-trail \
  --name <trail-name> \
  --s3-bucket-name <trail-bucket-name> \
  --is-multi-region-trail \
  --enable-log-file-validation

Start logging:

aws cloudtrail start-logging --name <trail-name>

Update an existing trail to multi-region:

aws cloudtrail update-trail \
  --name <trail-name> \
  --is-multi-region-trail \
  --enable-log-file-validation

Validate the trail:

aws cloudtrail describe-trails --trail-name-list <trail-name>
aws cloudtrail get-trail-status --name <trail-name>
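The two validation commands above only print raw JSON; deciding whether the account actually satisfies this control means combining describe-trails, get-trail-status and get-event-selectors per trail. The following is an added example (not Cyscale's stored query and not AWS code) that evaluates that logic offline against CLI-shaped output. The trail names, ARNs and account id in the sample data are constructed; a practitioner would replace them with the real command output (for example via boto3 or `aws ... --output json`).

```python
"""Offline evaluation of the 'CloudTrail enabled in all regions' control.

Added example, not Cyscale's query or AWS code. Inputs mirror the JSON
returned by `aws cloudtrail describe-trails`, `get-trail-status` and
`get-event-selectors`; the sample data at the bottom is constructed
(fake account id, trail names and ARNs).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class TrailFinding:
    name: str
    multi_region: bool
    logging: bool
    mgmt_read_write: bool      # management events recorded for Read and Write
    log_file_validation: bool  # recommended, not required by this control

    @property
    def compliant(self) -> bool:
        return self.multi_region and self.logging and self.mgmt_read_write

    def reasons(self) -> List[str]:
        out = []
        if not self.multi_region:
            out.append("not multi-region")
        if not self.logging:
            out.append("logging stopped")
        if not self.mgmt_read_write:
            out.append("management events not recorded for both Read and Write")
        return out


def records_all_management_events(selectors: Dict) -> bool:
    """True if the trail captures management events with ReadWriteType All
    (basic selectors) or has an advanced selector on eventCategory=Management
    that does not restrict the readOnly field."""
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All":
            return True
    for adv in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in adv.get("FieldSelectors", [])}
        category = fields.get("eventCategory", {}).get("Equals", [])
        if "Management" in category and "readOnly" not in fields:
            return True
    return False


def evaluate_trails(describe: Dict, status_by_arn: Dict[str, Dict],
                    selectors_by_arn: Dict[str, Dict]) -> List[TrailFinding]:
    """Join the three CLI outputs into one finding per trail."""
    findings = []
    for trail in describe.get("trailList", []):
        arn = trail["TrailARN"]
        findings.append(TrailFinding(
            name=trail["Name"],
            multi_region=bool(trail.get("IsMultiRegionTrail")),
            logging=bool(status_by_arn.get(arn, {}).get("IsLogging")),
            mgmt_read_write=records_all_management_events(selectors_by_arn.get(arn, {})),
            log_file_validation=bool(trail.get("LogFileValidationEnabled")),
        ))
    return findings


def control_passes(findings: List[TrailFinding]) -> bool:
    """Pass when at least one trail is multi-region, logging, and records
    all management events; a single-region trail does not satisfy it."""
    return any(f.compliant for f in findings)


# --- constructed sample data; shapes follow the CLI output ---
ACCOUNT = "111111111111"
LEGACY_ARN = f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/legacy-trail"
ORG_ARN = f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/org-trail"

SAMPLE_DESCRIBE = {"trailList": [
    {"Name": "legacy-trail", "TrailARN": LEGACY_ARN, "HomeRegion": "us-east-1",
     "S3BucketName": "example-legacy-logs", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False, "IsOrganizationTrail": False},
    {"Name": "org-trail", "TrailARN": ORG_ARN, "HomeRegion": "us-east-1",
     "S3BucketName": "example-org-logs", "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True, "IsOrganizationTrail": True},
]}
SAMPLE_STATUS = {LEGACY_ARN: {"IsLogging": True}, ORG_ARN: {"IsLogging": True}}
SAMPLE_SELECTORS = {
    LEGACY_ARN: {"EventSelectors": [{"ReadWriteType": "ReadOnly",
                                     "IncludeManagementEvents": True}]},
    ORG_ARN: {"AdvancedEventSelectors": [{"Name": "Management events",
              "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]}]},
}

if __name__ == "__main__":
    results = evaluate_trails(SAMPLE_DESCRIBE, SAMPLE_STATUS, SAMPLE_SELECTORS)
    for f in results:
        print(f"{f.name}: {'PASS' if f.compliant else 'FAIL: ' + ', '.join(f.reasons())}")
    print("control:", "PASS" if control_passes(results) else "FAIL")
```

The per-trail reasons are what you would feed into a ticket: the legacy single-region trail fails on both region coverage and read-only management events, while the organization trail satisfies the control. Note that a trail that exists but has been stopped (IsLogging false) is treated as failing, which is why get-trail-status must be checked and not just describe-trails.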

Operational notes

  • An organization trail is usually the cleanest option for multi-account environments.
  • Protect the destination S3 bucket with restricted access, versioning, and retention controls so an attacker cannot easily tamper with logs.
  • This control is about regional coverage. If data events, Insights, or CloudWatch delivery are also required by your standard, track those separately or add companion controls.

References

  • https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html
  • https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html
  • https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html

Query logic

These are the stored checks tied to this control.

AWS Multi-region cloud trails with logging enabled

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

{
  AWSLogging1 {...AssetFragment}
}