Profile Applicability: Level 1


Description: 

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).


Rationale: 

The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally, 

  • Ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected 
  • Ensuring that a multi-regions trail exists will ensure that Global Service Logging is enabled for a trail by default to capture recording of events generated on AWS global services 
  • For a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account


Audit: 

Perform the following to determine if CloudTrail is enabled for all regions: Via the management Console 

1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail 

2. Click on Trails on the left navigation pane

    You will be presented with a list of trails across all regions 

3. Ensure at least one Trail has All specified in the Region column 

4. Click on a trail via the link in the Name column 

5. Ensure Logging is set to ON 

6. Ensure Apply trail to all regions is set to Yes 

7. In section Management Events ensure Read/Write Events set to ALL


Remediation:

Perform the following to enable global (Multi-region) CloudTrail logging: Via the management Console 

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail 

2. Click on Trails on the left navigation pane 

3. Click Get Started Now , if presented 

Click Add new trail 

Enter a trail name in the Trail name box 

Set the Apply trail to all regions option to Yes 

Specify an S3 bucket name in the S3 bucket box 

Click Create

4. If 1 or more trails already exist, select the target trail to enable for global logging 

5. Click the edit icon (pencil) next to Apply trail to all regions , Click Yes and Click Save. 

6. Click the edit icon (pencil) next to Management Events click All for setting Read/Write Events and Click Save.

Note: Creating CloudTrail via CLI without providing any overriding options configures Management Events to set All type of Read/Writes by default.


Impact: S3 lifecycle features can be used to manage the accumulation and management of logs over time. See the following AWS resource for more information on these features: 

    1. http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html

Default Value: Not Enabled


References: 

1. CCE-78913-1 

2. CIS CSC v6.0 #14.6 

3. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events 

4. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/loggingmanagement-and-data-events-withcloudtrail.html?icmpid=docs_cloudtrail_console#logging-management-events 

5. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailsupported-services.html#cloud-trail-supported-services-data-events 


CIS Controls:

6.2 Activate audit logging 

Ensure that local logging has been enabled on all systems and networking devices.