Profile Applicability: Level 1


Description: 

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command-line tools, and higher-level AWS services (such as CloudFormation).


Rationale: 

The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally, 

  • Ensuring that a multi-region trail exists ensures that global service logging is enabled for the trail by default, so that events generated by AWS global services are recorded
  • For a multi-region trail, ensuring that management events are configured for all Read/Write types ensures that management operations performed on all resources in the AWS account are recorded

Impact: 

AWS CloudTrail increases visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.


Default Value: 

By default, CloudTrail is not enabled.


Audit: 

Perform the following to determine if CloudTrail is enabled for all regions:

Via the Management Console

1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail or search for CloudTrail in the search bar

2. Click on Trails on the left navigation pane

    You will be presented with a list of trails across all regions

3. Ensure at least one trail has YES specified in the Multi-region trail column

    Also check the following options for that trail:

4. Click on a trail via the link in the Name column

5. Ensure the trail status is Logging

6. Ensure Multi-region trail is set to YES

7. In the Management Events section, ensure Read/Write events (API activity) is set to All


Via CLI:

aws cloudtrail describe-trails

If the output shows "IsMultiRegionTrail": true for a trail, that trail is enabled in all regions. Also confirm that the trail is logging and that its management events are set to All, as in the console steps above.
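As an added example (not part of the benchmark and not AWS code), the audit logic above applied to constructed responses shaped like describe-trails, get-trail-status and get-event-selectors output: a trail passes only if it is multi-region, currently logging, and records management events of Read/Write type All. It also handles the advanced-event-selector shape that newer trails report, which the text does not show.

```python
# Constructed sample data shaped like the output of `aws cloudtrail describe-trails`,
# `get-trail-status` and `get-event-selectors` (not real account data).
PREFIX = "arn:aws:cloudtrail:us-east-1:111111111111:trail/"
DESCRIBE_TRAILS = {"trailList": [
    {"Name": "regional-only", "IsMultiRegionTrail": False, "TrailARN": PREFIX + "regional-only"},
    {"Name": "writes-only", "IsMultiRegionTrail": True, "TrailARN": PREFIX + "writes-only"},
    {"Name": "org-trail", "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
     "TrailARN": PREFIX + "org-trail"},
]}
TRAIL_STATUS = {PREFIX + "regional-only": {"IsLogging": True},
                PREFIX + "writes-only": {"IsLogging": True},
                PREFIX + "org-trail": {"IsLogging": True}}
EVENT_SELECTORS = {
    PREFIX + "regional-only": {"EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    PREFIX + "writes-only": {"EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
    # Trails configured with advanced event selectors report those instead.
    PREFIX + "org-trail": {"AdvancedEventSelectors": [{"Name": "mgmt", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Management"]}]}]},
}


def logs_all_management_events(selectors):
    """True when the trail records management events for both reads and writes."""
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All":
            return True
    # An advanced selector on eventCategory=Management with no readOnly field captures both.
    for adv in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in adv.get("FieldSelectors", [])}
        category = fields.get("eventCategory", {}).get("Equals", [])
        if "Management" in category and "readOnly" not in fields:
            return True
    return False


def compliant_trails(describe, statuses, selectors):
    """Names of trails that are multi-region, currently logging and log all management events."""
    names = []
    for trail in describe["trailList"]:
        arn = trail["TrailARN"]
        if (trail.get("IsMultiRegionTrail") and statuses.get(arn, {}).get("IsLogging")
                and logs_all_management_events(selectors.get(arn, {}))):
            names.append(trail["Name"])
    return names


def audit_passes(describe, statuses, selectors):
    """The control passes when at least one trail satisfies all three checks."""
    return bool(compliant_trails(describe, statuses, selectors))
```

With real data, feed the parsed JSON from the three CLI commands into the same functions; only "org-trail" passes here because "writes-only" omits read events and "regional-only" is not multi-region.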


Remediation:

If you already have a CloudTrail trail that is specific to a region and want to make it multi-region, follow the steps in the AWS CloudTrail documentation.

Otherwise, if you want to create a new trail to enable global (multi-region) CloudTrail logging:

Via the Management Console

1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail or search for CloudTrail in the search bar

2. Click on Trails on the left navigation pane

3. Click Add new trail (by default the trail is set to Multi-region)


Step-1

  1. Enter a trail name in the Trail name box.
  2. Specify an S3 bucket; you can use an existing bucket or choose a new one.
  3. Enable SSE-KMS encryption to encrypt log files; you can use an existing CMK or create a new one.
  4. Additional settings: you have the option to enable ‘Log file validation’, which lets you determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, and to specify an ‘SNS topic’ to receive notifications.
  5. Configure CloudWatch Logs to monitor your trail logs and notify you when specific activity occurs. Give the log group name and attach an IAM role; you can create a new role or use an existing one.

Click ‘Next’


Step-2

  1. Events: choose the type of events that you want to log.
  2. Management Events: make sure both Read and Write activities are selected for logging.

Click ‘Next’

 

Step-3

  1. Review and click Create trail.

You are done with creating the new CloudTrail trail.


Via CLI:

aws cloudtrail create-trail --name <value> --s3-bucket-name <value> --is-multi-region-trail

Note: Creating a trail via the CLI without providing any overriding options configures management events to log all types of Read/Writes by default. A trail created via the CLI does not begin recording until logging is started for it (start-logging), so confirm the trail status afterwards as described in the Audit section.


Backout plan:

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail or search for CloudTrail in the search bar
  2. Click on Trails on the left navigation pane
  3. Select the trail you want to delete and click on Delete



References: 

1. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events

2. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html?icmpid=docs_cloudtrail_console#logging-management-events

3. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html#cloud-trail-supported-services-data-events


CIS Controls:

6.2 Activate audit logging 

Ensure that local logging has been enabled on all systems and networking devices.