Description:
This policy ensures that the log settings for all Security Users (SUs) are configured to capture all activity. This includes all API calls, console actions, and CloudTrail events. Reports generated from these logs can be used to audit the activity of SUs and to identify any unauthorized or suspicious activity.
Rationale:
SUs have elevated privileges in AWS, so it is important to track their activity carefully. By ensuring that all SU activity is logged, organizations can identify any unauthorized or suspicious activity and take corrective action.
Impact:
Enabling logging for all SU activity will have a small impact on the performance of the AWS account. However, the benefits of being able to audit SU activity outweigh the performance impact.
Default Value:
AWS does not enable logging for all SU activity by default.
Pre-requisites:
- The user must have the appropriate permissions to configure log settings for SUs.
- The user must have access to the AWS Management Console or the AWS CLI.
Remediation Steps:
To disable this policy, the user can follow these steps:
- In the AWS Management Console, navigate to the IAM & Admin page.
- Click on the Users tab.
- Select the SU that you want to disable logging for.
- Click on the Permissions tab.
- Click on the Edit button.
- In the Permissions section, uncheck the box next to Log all API calls and CloudTrail events.
- Click on the Save button.
Test Plan:
To test this policy, the user can follow these steps:
- Enable the policy.
- Make a change to an AWS resource using the console or CLI.
- Verify that the change is logged in the CloudTrail logs.
Implementation Plan:
To implement this policy, the user can follow these steps:
- Enable the policy.
- Configure the log settings for all SUs to capture all activity.
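The following is an added example, not part of the original policy text, that checks the two things the Test Plan and Implementation Plan above ask for: that a CloudTrail trail is configured to capture all activity, and that a given SU's actions actually appear in the log. It evaluates the response shapes returned by `aws cloudtrail describe-trails`, `get-trail-status`, `get-event-selectors` and `lookup-events` (to be fetched separately with the AWS CLI or boto3); all sample data below is constructed.

```python
"""Evaluate CloudTrail settings against the 'capture all SU activity' policy."""
from typing import Dict, List


def trail_findings(trail: Dict, status: Dict, selectors: List[Dict]) -> List[str]:
    """Return the reasons a trail does NOT capture all activity (empty list = compliant).

    `trail`     : one entry from describe-trails
    `status`    : the get-trail-status response for that trail
    `selectors` : the EventSelectors list from get-event-selectors
    """
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is single-region; activity in other regions is not captured")
    if not status.get("IsLogging"):
        findings.append("trail exists but logging is stopped")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is off; tampered log files would go unnoticed")
    # Management events (IAM changes, console sign-ins, most API calls) must be
    # recorded for both reads and writes, otherwise SU activity is only partly logged.
    mgmt = [s for s in selectors if s.get("IncludeManagementEvents")]
    if not mgmt:
        findings.append("no event selector includes management events")
    elif not any(s.get("ReadWriteType") == "All" for s in mgmt):
        findings.append("management events are limited to ReadOnly or WriteOnly, not All")
    return findings


def user_events(events: List[Dict], username: str) -> List[str]:
    """Names of the API calls recorded for `username` in a lookup-events result
    (Test Plan step 3: verify the change made by the SU was logged)."""
    return [e["EventName"] for e in events if e.get("Username") == username]


# --- constructed sample data; field names follow the CloudTrail API responses ---
COMPLIANT_TRAIL = {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True}
WEAK_TRAIL = {"Name": "dev-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False}
LOGGING_ON = {"IsLogging": True}
ALL_MGMT = [{"ReadWriteType": "All", "IncludeManagementEvents": True}]
WRITE_ONLY = [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]
SAMPLE_EVENTS = [  # hypothetical SU named su-alice
    {"EventName": "CreateUser", "Username": "su-alice"},
    {"EventName": "PutUserPermissionsBoundary", "Username": "su-alice"},
    {"EventName": "ListBuckets", "Username": "dev-bob"},
]

if __name__ == "__main__":
    print(trail_findings(COMPLIANT_TRAIL, LOGGING_ON, ALL_MGMT))   # []
    print(trail_findings(WEAK_TRAIL, LOGGING_ON, WRITE_ONLY))      # three findings
    print(user_events(SAMPLE_EVENTS, "su-alice"))
```

Run `trail_findings` over every trail in every account; an empty list for at least one multi-region trail is what the Test Plan's "verify that the change is logged" step relies on.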
AWS CLI Process:
To enable this policy using the AWS CLI, the user can run the following command:
aws iam put-user-permissions-boundary --user-name <username> --permissions-boundary <permissions-boundary-arn>
The permissions-boundary-arn is the ARN of the permissions boundary that you want to use to constrain the SU's permissions.
Using AWS GUI:
To enable this policy using the AWS GUI, the user can follow these steps:
- In the AWS Management Console, navigate to the IAM & Admin page.
- Click on the Users tab.
- Select the SU that you want to enable logging for.
- Click on the Permissions tab.
- Click on the Add Permissions Boundary button.
- Enter the ARN of the permissions boundary that you want to use.
- Click on the Add button.
Backout Plan:
To revoke this policy, the user can follow these steps:
- In the AWS Management Console, navigate to the IAM & Admin page.
- Click on the Users tab.
- Select the SU that you want to revoke logging for.
- Click on the Permissions tab.
- Click on the Edit button.
- In the Permissions section, uncheck the box next to Log all API calls and CloudTrail events.
- Click on the Save button.
Note:
- This policy is not required for all AWS environments.
- The user should test the policy to ensure that it is working as expected.
- The user should revoke this policy if it is no longer needed.
Reference:
- AWS IAM Policy Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
- AWS CLI Command Reference: https://docs.aws.amazon.com/cli/latest/reference/iam/
Section 2:
- Tags: SU, log, activity, report, audit
- Keywords: IAM, policy, audit, compliance