Profile Applicability:
Level 1
Description:
AWS CloudTrail logs all API activity within an AWS account. Monitoring changes to CloudTrail configuration helps ensure that log collection remains active and that any tampering with it is detected promptly.
This control sets up CloudWatch Alarms and SNS notifications to alert security teams when changes occur, such as:
Creation of a new CloudTrail (CreateTrail)
Modification of an existing CloudTrail (UpdateTrail)
Deletion of a CloudTrail (DeleteTrail)
Stopping CloudTrail logging (StopLogging)
Starting CloudTrail logging (StartLogging)
Rationale:
CloudTrail logs are crucial for forensic investigations and security monitoring.
By monitoring for changes, organizations can:
Detect unauthorized tampering with log settings.
Ensure audit logs remain intact for compliance (SOC 2, HIPAA, PCI DSS).
Prevent accidental or malicious disabling of CloudTrail logging.
Impact:
Proactively detects log tampering and security risks.
Requires additional CloudWatch and SNS configuration.
May generate noise if frequent trail updates occur (filtering recommended).
Default Value:
AWS does not alert by default on CloudTrail configuration changes.
CloudTrail logs these events, but organizations must configure CloudWatch Alarms and SNS notifications.
Pre-Requisites:
AWS CloudTrail enabled with multi-region logging.
CloudWatch Logs enabled and integrated with CloudTrail.
IAM Permissions Required:
cloudtrail:DescribeTrails
cloudtrail:GetEventSelectors
logs:DescribeMetricFilters
cloudwatch:DescribeAlarms
sns:ListSubscriptionsByTopic
logs:PutMetricFilter
cloudwatch:PutMetricAlarm
sns:CreateTopic
Remediation:
Test Plan:
Using AWS Console
Log in to the AWS Management Console.
Navigate to CloudTrail: AWS CloudTrail Console.
Verify there is at least one active multi-region CloudTrail trail.
Check that CloudTrail logs are sent to CloudWatch Logs.
Navigate to CloudWatch Logs: AWS CloudWatch Console.
Ensure that a metric filter is created for CloudTrail configuration changes.
Check CloudWatch Alarms for alerts on CloudTrail configuration changes.
Implementation Steps:
Using AWS CLI
Step 1: Create a Metric Filter for CloudTrail Configuration Changes
aws logs put-metric-filter --log-group-name <trail-log-group-name> \
  --filter-name cloudtrail-cfg-changes-metric \
  --metric-transformations metricName=cloudtrail-cfg-changes-metric,metricNamespace="CISBenchmark",metricValue=1 \
  --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }'
Step 2: Create an SNS Topic for Notifications
aws sns create-topic --name cloudtrail-cfg-changes-alerts
Step 3: Subscribe to SNS Topic
aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint <your-email@example.com>
Step 4: Create a CloudWatch Alarm for CloudTrail Configuration Changes
aws cloudwatch put-metric-alarm --alarm-name cloudtrail-cfg-changes-alarm \
  --metric-name cloudtrail-cfg-changes-metric --statistic Sum --period 300 \
  --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 --namespace "CISBenchmark" --alarm-actions <sns-topic-arn>
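The following is an added example, not part of this control text and not AWS code. It re-implements in plain Python what the metric filter from Step 1 and the alarm from Step 4 do, so the detection logic can be exercised offline against constructed CloudTrail records: each record whose eventName is one of the five watched names contributes metricValue=1, the values are summed per 300-second period, and a period whose Sum is >= 1 puts the alarm into ALARM state. The optional ignore_arns parameter is an assumption of this example (not an AWS option) that illustrates the noise-filtering caveat from the Impact section, for instance for a known trail-management pipeline role; the sample log lines and ARNs are constructed.

```python
"""Offline simulation of the CloudTrail configuration-change metric filter and alarm.

Added example: re-implements the semantics of the CLI metric filter pattern
  { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail)
    || ($.eventName = StartLogging) || ($.eventName = StopLogging) }
and of the alarm (Sum over a 300 s period >= 1, one evaluation period).
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Event names the metric filter matches (same set as the CLI filter pattern).
WATCHED_EVENTS = frozenset(
    {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}
)
PERIOD_SECONDS = 300   # --period 300
THRESHOLD = 1          # --threshold 1 with GreaterThanOrEqualToThreshold


def matches_filter(record: dict, ignore_arns=frozenset()) -> bool:
    """True when the record would match the metric filter.

    ignore_arns is an assumed extension for noise reduction: records made by
    a principal in that set are not counted. Leave it empty for the plain
    CIS-style filter.
    """
    if record.get("eventName") not in WATCHED_EVENTS:
        return False
    actor = record.get("userIdentity", {}).get("arn")
    return actor not in ignore_arns


def metric_sums(raw_lines, ignore_arns=frozenset()):
    """Sum metricValue=1 per 300-second bucket for every matching JSON log line.

    Malformed lines are skipped; the real filter would simply not match them.
    Returns {bucket_start_epoch_seconds: sum}.
    """
    sums = defaultdict(int)
    for line in raw_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not matches_filter(record, ignore_arns):
            continue
        ts = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        bucket = int(ts.timestamp()) // PERIOD_SECONDS * PERIOD_SECONDS
        sums[bucket] += 1
    return dict(sums)


def alarm_periods(raw_lines, ignore_arns=frozenset()):
    """Start times (epoch seconds) of the periods in which the alarm would fire."""
    return sorted(
        start for start, total in metric_sums(raw_lines, ignore_arns).items()
        if total >= THRESHOLD
    )


# Constructed sample CloudTrail records; the account id and ARNs are made up.
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2024-05-01T10:00:12Z", "eventName": "DescribeTrails",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/auditor"}}),
    json.dumps({"eventTime": "2024-05-01T10:01:40Z", "eventName": "StopLogging",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}}),
    json.dumps({"eventTime": "2024-05-01T10:03:05Z", "eventName": "UpdateTrail",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:role/trail-pipeline"}}),
    json.dumps({"eventTime": "2024-05-01T10:20:00Z", "eventName": "LookupEvents",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/auditor"}}),
    "not json at all",
]

if __name__ == "__main__":
    for start, total in sorted(metric_sums(SAMPLE_LOG_LINES).items()):
        state = "ALARM" if total >= THRESHOLD else "OK"
        when = datetime.fromtimestamp(start, timezone.utc).strftime("%H:%M:%S")
        print(f"period starting {when}: sum={total} -> {state}")
```

With the sample data, the StopLogging and UpdateTrail records both land in the 10:00:00 to 10:05:00 period, so that period has Sum=2 and fires the alarm; the DescribeTrails and LookupEvents records are read-only calls outside the filter and contribute nothing. Passing the pipeline role ARN in ignore_arns drops the UpdateTrail record but the StopLogging record from the ops user still fires the alarm, which is the behaviour a noise filter should preserve.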
Backout Plan:
Delete CloudWatch Alarm:
aws cloudwatch delete-alarms --alarm-names cloudtrail-cfg-changes-alarm
Remove the metric filter:
aws logs delete-metric-filter --log-group-name <trail-log-group-name> --filter-name cloudtrail-cfg-changes-metric
Delete SNS topic:
aws sns delete-topic --topic-arn <sns-topic-arn>