AWSOverview
AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.
Note: The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution.
Rationale
Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.
Remediation guidance
Perform the following to establish the prescribed state:
Via the AWS management Console
- Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/
- Under All Buckets, click on the target bucket you wish to evaluate
- Click Properties on the top right of the console
- Click
Trailsin the left menu - Click on each trail where no
CloudWatch Logsare defined - Go to the
CloudWatch Logssection and click onConfigure - Define a new or select an existing log group
- Click on
Continue - Configure IAM Role which will deliver CloudTrail events to CloudWatch Logs
- Create/Select an
IAM RoleandPolicy Name - Click
Allowto continue
Via CLI
aws cloudtrail update-trail --name <trail_name> --cloud-watch-logs-log-group-arn <cloudtrail_log_group_arn> --cloud-watch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>
Impact
Note: By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:
- https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html
References
- https://aws.amazon.com/cloudtrail/
- CCE-78916-4
- CIS CSC v6.0 #6.6, #14.6
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
AWS
Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
CloudTrail trails are integrated with CloudWatch Logs
Connectors
Covered asset types
Expected check: eq []
AWSLogging4{...AssetFragment}
