Profile Applicability: Level 1
Description:
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command-line tools, and higher-level AWS services (such as CloudFormation).
Rationale:
The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally:
- Ensuring that a multi-region trail exists also ensures that Global Service Logging is enabled for that trail by default, so that events generated by AWS global services are recorded
- For a multi-region trail, configuring management events for all read and write types ensures that management operations performed on all resources in the AWS account are recorded
Impact:
AWS CloudTrail increases visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.
Default Value:
By default, CloudTrail is not enabled.
Pre-requisite:
A CloudTrail trail must exist.
Remediation:
Test Plan:
1. Sign in to the AWS Management Console.
2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.
3. Click on Trails in the left navigation pane.
4. Click on the trail you want to examine.
5. Ensure at least one trail has YES in the Multi-region trail column.
Using AWS CLI:
aws cloudtrail describe-trails
Ensure IsMultiRegionTrail is set to true. If the output contains "IsMultiRegionTrail": true, the trail is enabled in all regions.
aws cloudtrail get-trail-status --name <trail name shown in describe-trails>
Ensure IsLogging is set to true.
aws cloudtrail get-event-selectors --trail-name <trail name shown in describe-trails>
Ensure there is at least one Event Selector for the trail with IncludeManagementEvents set to true and ReadWriteType set to All.
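The three CLI checks above can be evaluated programmatically once the JSON from describe-trails, get-trail-status and get-event-selectors has been collected. The script below is an added example, not part of this benchmark page or any AWS tooling; the responses it evaluates are constructed to mirror the CLI output shape, and the trail names, account id and bucket are placeholders. It goes slightly beyond the Test Plan by also recognising the AdvancedEventSelectors form that a trail may use instead of classic EventSelectors.

```python
# Added example (not part of the CIS page): evaluate the Test Plan's three CLI
# checks against the JSON returned by `aws cloudtrail describe-trails`,
# `get-trail-status` and `get-event-selectors` (the same shape boto3's
# describe_trails / get_trail_status / get_event_selectors return).
# Sample data below is constructed; names, account id and bucket are placeholders.
from typing import Dict


def management_events_all(selectors: dict) -> bool:
    """True if the trail records all (read and write) management events.

    The Test Plan's check is on classic EventSelectors. A trail may instead use
    AdvancedEventSelectors; there, a selector with eventCategory=Management and
    no readOnly field records both reads and writes.
    """
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents") is True and sel.get("ReadWriteType") == "All":
            return True
    for adv in selectors.get("AdvancedEventSelectors", []):
        fields = {f.get("Field"): f.get("Equals", []) for f in adv.get("FieldSelectors", [])}
        if fields.get("eventCategory") == ["Management"] and "readOnly" not in fields:
            return True
    return False


def evaluate_trail(trail: dict, status: dict, selectors: dict) -> Dict[str, bool]:
    """trail: one entry of describe-trails' trailList; status/selectors: that trail's outputs."""
    return {
        "IsMultiRegionTrail": trail.get("IsMultiRegionTrail") is True,
        "IsLogging": status.get("IsLogging") is True,
        "ManagementEventsAll": management_events_all(selectors),
    }


def audit(describe: dict, status_by_name: Dict[str, dict],
          selectors_by_name: Dict[str, dict]) -> Dict[str, Dict[str, bool]]:
    """Per-trail check results keyed by trail name."""
    results = {}
    for trail in describe.get("trailList", []):
        name = trail["Name"]
        results[name] = evaluate_trail(trail, status_by_name.get(name, {}),
                                       selectors_by_name.get(name, {}))
    return results


def account_compliant(results: Dict[str, Dict[str, bool]]) -> bool:
    """The control passes when at least one trail satisfies all three checks."""
    return any(all(checks.values()) for checks in results.values())


# Constructed sample output (placeholder names/ids), shaped like the real CLI JSON.
SAMPLE_DESCRIBE = {"trailList": [
    {"Name": "example-org-trail", "S3BucketName": "example-cloudtrail-bucket",
     "IncludeGlobalServiceEvents": True, "IsMultiRegionTrail": True,
     "HomeRegion": "us-east-1", "LogFileValidationEnabled": True,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-org-trail"},
    {"Name": "legacy-single-region", "S3BucketName": "example-cloudtrail-bucket",
     "IncludeGlobalServiceEvents": False, "IsMultiRegionTrail": False,
     "HomeRegion": "eu-west-1", "LogFileValidationEnabled": False,
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-single-region"},
]}
SAMPLE_STATUS = {
    "example-org-trail": {"IsLogging": True, "LatestDeliveryTime": "2024-01-01T00:00:00+00:00"},
    "legacy-single-region": {"IsLogging": False},
}
SAMPLE_SELECTORS = {
    "example-org-trail": {"EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]},
    "legacy-single-region": {"EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True, "DataResources": []}]},
}

if __name__ == "__main__":
    report = audit(SAMPLE_DESCRIBE, SAMPLE_STATUS, SAMPLE_SELECTORS)
    for name, checks in report.items():
        failed = [k for k, v in checks.items() if not v]
        print(f"{name}: {'PASS' if not failed else 'FAIL ' + ', '.join(failed)}")
    print("Account compliant:", account_compliant(report))
```

To run it against a real account, replace the sample dicts with the parsed output of the three CLI commands (or the boto3 calls named in the comment); the per-trail report shows which of the three conditions a non-compliant trail fails, which is what a remediation ticket needs.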
Implementation Steps:
CloudTrail multi-region logging should be enabled when the trail is created.
Once the log group has been created, there is no way to enable CloudTrail multi-region logging from the console.
However, multi-region logging can be enabled via the CLI.
OR
To create a new trail with global (multi-region) CloudTrail logging via the Management Console:
1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail, or search for CloudTrail in the search bar.
2. Click on Trails in the left navigation pane.
3. Click Create trail (by default the trail will be set to multi-region).
Step 1
1. Enter a trail name in the Trail name box.
2. Specify an S3 bucket; you can use an existing bucket or choose a new one.
3. Enable SSE-KMS encryption to encrypt log files; you can use an existing CMK or create a new one.
4. Additional settings: you can enable 'Log file validation' to determine whether a log file was modified, deleted, or unchanged after AWS CloudTrail delivered it, and an 'SNS topic' to receive notifications.
5. Configure CloudWatch Logs to monitor your trail logs and notify you when specific activity occurs. Provide the log group name and attach the IAM role; you can create a new role or use an existing one.
6. Click 'Next'.
Step 2
1. Events: choose the type of events that you want to log.
2. Management events: make sure both read and write activities are logged.
3. Click Next.
Step 3
Review and click Create trail.
AWS CLI Commands
To create a trail:
aws cloudtrail create-trail --name <trail name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail
To enable multi-region logging on an existing trail:
aws cloudtrail update-trail --name <value> --is-multi-region-trail
Note: Creating a trail via the CLI without any overriding options configures management events to record all read and write types by default.
Backout plan:
Changes can be reverted only via the CLI, not the Management Console.
CLI Commands
aws cloudtrail update-trail --name <value> --no-is-multi-region-trail
References:
CIS Controls:
6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.