Profile Applicability: Level 1
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command-line tools, and higher-level AWS services (such as CloudFormation).
The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally:
- Ensuring that a multi-region trail exists ensures that global service logging is enabled for the trail by default, so that events generated by AWS global services (such as IAM and STS) are recorded
- For a multi-region trail, configuring management events for all read and write types ensures that management operations performed on all resources in the AWS account are recorded
AWS CloudTrail increases visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.
By default, no trail is configured in an account, so API activity is not delivered to an S3 bucket.
Via the Management Console:
Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail
Click on Trails in the left navigation pane
Review each trail listed
Ensure at least one trail has Yes in the Multi-region trail column
Using AWS CLI:
aws cloudtrail describe-trails
If a trail in the output has "IsMultiRegionTrail": true, that trail is a multi-region trail and records API activity in all regions, including events from AWS global services.
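The describe-trails check above confirms only the multi-region flag. The rationale also requires management events for all reads and writes, and a trail that is multi-region but stopped records nothing, so a practitioner checks all three together. The following is an added example, not code from the original page or from AWS: it evaluates the JSON returned by describe-trails, get-trail-status and get-event-selectors and reports, per trail, why it fails. The trail names, bucket names and selector records are constructed for illustration; the IsLogging check goes beyond the page's own audit text.

```python
import json

# Constructed sample records shaped like the JSON returned by
#   aws cloudtrail describe-trails
#   aws cloudtrail get-trail-status --name <trail>
#   aws cloudtrail get-event-selectors --trail-name <trail>
# They are illustrative and not taken from any real account.
DESCRIBE_TRAILS = {
    "trailList": [
        {
            "Name": "regional-trail",
            "S3BucketName": "example-regional-logs",
            "HomeRegion": "us-east-1",
            "IsMultiRegionTrail": False,
            "IncludeGlobalServiceEvents": True,
        },
        {
            "Name": "all-regions-trail",
            "S3BucketName": "example-org-logs",
            "HomeRegion": "us-east-1",
            "IsMultiRegionTrail": True,
            "IncludeGlobalServiceEvents": True,
        },
    ]
}
TRAIL_STATUS = {
    "regional-trail": {"IsLogging": True},
    "all-regions-trail": {"IsLogging": True},
}
EVENT_SELECTORS = {
    # classic event selector that records only write management events
    "regional-trail": {
        "EventSelectors": [
            {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}
        ]
    },
    # advanced event selector: eventCategory = Management with no readOnly
    # restriction means both reads and writes are recorded
    "all-regions-trail": {
        "AdvancedEventSelectors": [
            {
                "Name": "Management events",
                "FieldSelectors": [
                    {"Field": "eventCategory", "Equals": ["Management"]}
                ],
            }
        ]
    },
}

NOT_MULTI_REGION = "IsMultiRegionTrail is false"
NOT_LOGGING = "trail is not logging (IsLogging is false)"
NOT_ALL_MANAGEMENT = "management events are not recorded for both reads and writes"


def logs_all_management_events(selectors):
    """True if the trail records management events for all reads and writes.

    Handles the classic EventSelectors form (ReadWriteType must be All) and
    AdvancedEventSelectors, where a Management selector with no readOnly
    field covers both reads and writes.
    """
    for sel in selectors.get("EventSelectors") or []:
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All":
            return True
    for sel in selectors.get("AdvancedEventSelectors") or []:
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        category = fields.get("eventCategory", {}).get("Equals", [])
        if "Management" in category and "readOnly" not in fields:
            return True
    return False


def trail_findings(trail, status, selectors):
    """Return the reasons a trail fails this recommendation (empty list if it passes)."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append(NOT_MULTI_REGION)
    if not status.get("IsLogging"):
        findings.append(NOT_LOGGING)
    if not logs_all_management_events(selectors):
        findings.append(NOT_ALL_MANAGEMENT)
    return findings


def audit(trail_list, statuses, selectors_by_trail):
    """Map each trail name to its findings; missing status or selector data counts as a failure."""
    return {
        t["Name"]: trail_findings(
            t, statuses.get(t["Name"], {}), selectors_by_trail.get(t["Name"], {})
        )
        for t in trail_list
    }


def compliant_trails(report):
    """Names of trails with no findings; the account passes if this list is non-empty."""
    return [name for name, findings in report.items() if not findings]


if __name__ == "__main__":
    report = audit(DESCRIBE_TRAILS["trailList"], TRAIL_STATUS, EVENT_SELECTORS)
    print(json.dumps(report, indent=2))
    ok = compliant_trails(report)
    if ok:
        print("PASS: compliant trail(s):", ok)
    else:
        print("FAIL: no multi-region trail that logs all management events")
```

To run this against a real account, replace the three constructed dictionaries with json.load of the corresponding command outputs (get-trail-status and get-event-selectors are called once per trail name from describe-trails). A trail that fails only on IsLogging has been stopped rather than misconfigured and is fixed with start-logging rather than by recreating it.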
Note: Once a trail has been created, the console may not allow it to be changed from single-region to multi-region; the trail can be modified using the AWS CLI.
If you already have a trail that is specific to one region and want to make it multi-region, follow the steps in the AWS CloudTrail documentation for updating a trail.
If you want to create a new trail to enable global (multi-region) CloudTrail logging: Via the Management Console
1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail, or search for CloudTrail in the search bar
2. Click on Trails in the left navigation pane
3. Click Create trail (labelled Add new trail in older versions of the console; new trails are multi-region by default)
- Enter a trail name in the Trail name box
- Specify an S3 bucket; you can use an existing bucket or create a new one.
- Enable SSE-KMS encryption to encrypt the log files; you can use an existing KMS key or create a new one.
4. Additional settings: enable Log file validation so that you can determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, and optionally specify an SNS topic to receive delivery notifications.
5. Configure CloudWatch Logs to monitor your trail logs and notify you when specific activity occurs. Enter the log group name and attach an IAM role; you can create a new role or use an existing one.
- Under Events, choose the types of events you want to log.
- For Management events, ensure that both Read and Write activity are selected.
- Review the settings and click Create trail.
Using AWS CLI:
aws cloudtrail create-trail --name <value> --s3-bucket-name <value> --is-multi-region-trail
Note: Creating a trail via the CLI without any overriding options configures management events to record all read and write types by default. A trail created this way does not begin recording until logging is started for it, so confirm "IsLogging": true afterwards with get-trail-status.
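The CLI remediation above depends on the state the audit found: a missing trail is created, an existing single-region trail is updated in place, management events are set to All, and a trail that is not logging is started. As an added example, not code from the original page or from AWS, the function below assembles that command sequence from the describe-trails entry and get-trail-status output for the trail (None when the trail does not exist) and either prints it or executes it. The trail name, bucket name and key ID are placeholders; the KMS key and log file validation flags correspond to the console options in the remediation steps.

```python
import json
import subprocess

# Placeholder names for the trail and bucket; not real resources.
TRAIL_NAME = "all-regions-trail"
LOG_BUCKET = "example-org-logs"

# Event selector that records management events for both reads and writes.
ALL_MANAGEMENT_EVENTS = json.dumps(
    [{"ReadWriteType": "All", "IncludeManagementEvents": True}]
)


def remediation_commands(name, bucket, existing=None, status=None, kms_key_id=None):
    """Build the aws CLI calls that leave `name` as a multi-region trail that is logging.

    existing: the trail's entry from describe-trails (None if the trail does not exist)
    status:   the trail's get-trail-status output (None if unknown)
    """
    cmds = []
    if existing is None:
        create = ["aws", "cloudtrail", "create-trail", "--name", name,
                  "--s3-bucket-name", bucket, "--is-multi-region-trail",
                  "--enable-log-file-validation"]
        if kms_key_id:
            create += ["--kms-key-id", kms_key_id]
        cmds.append(create)
    elif not existing.get("IsMultiRegionTrail"):
        # an existing single-region trail is converted in place
        cmds.append(["aws", "cloudtrail", "update-trail", "--name", name,
                     "--is-multi-region-trail"])
    # management events for all reads and writes, replacing whatever selectors exist
    cmds.append(["aws", "cloudtrail", "put-event-selectors", "--trail-name", name,
                 "--event-selectors", ALL_MANAGEMENT_EVENTS])
    # create-trail does not start recording; a stopped trail must be started too
    if existing is None or not (status or {}).get("IsLogging"):
        cmds.append(["aws", "cloudtrail", "start-logging", "--name", name])
    return cmds


def run(commands, dry_run=True):
    """Print the plan; with dry_run=False execute it (requires AWS credentials)."""
    for argv in commands:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    # No existing trail: create, set selectors, start logging.
    run(remediation_commands(TRAIL_NAME, LOG_BUCKET))
```

The S3 bucket must already exist with a bucket policy that allows CloudTrail to write to it; create-trail fails otherwise. Running with dry_run=True first lets the plan be reviewed before any change is made to the account.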
To delete a trail:
- Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail, or search for CloudTrail in the search bar
- Click on Trails in the left navigation pane
- Select the trail you want to delete and click Delete
Using AWS CLI:
aws cloudtrail delete-trail --name <value>
Deleting the only multi-region trail in the account leaves this recommendation unmet, so create a replacement trail before removing it.
6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.