Profile Applicability:

Level 1

Description:

AWS CloudTrail logs all API activity within an AWS account. Monitoring changes to CloudTrail configuration ensures that log collection remains active and tamper-proof.
This control sets up CloudWatch Alarms and SNS notifications to alert security teams when changes occur, such as:

  • Creation of a new CloudTrail (CreateTrail)

  • Modification of an existing CloudTrail (UpdateTrail)

  • Deletion of a CloudTrail (DeleteTrail)

  • Stopping CloudTrail logging (StopLogging)

  • Starting CloudTrail logging (StartLogging)

Rationale:

CloudTrail logs are crucial for forensic investigations and security monitoring.
By monitoring for changes, organizations can:

  • Detect unauthorized tampering with log settings.

  • Ensure audit logs remain intact for compliance (SOC 2, HIPAA, PCI DSS).

  • Prevent accidental or malicious disabling of CloudTrail logging.

Impact:

  • Proactively detects log tampering and security risks.

  • Requires additional CloudWatch and SNS configuration.

  • May generate noise if frequent trail updates occur (filtering recommended).

Default Value:

  • AWS does not alert by default on CloudTrail configuration changes.

  • CloudTrail logs these events, but organizations must configure CloudWatch Alarms and SNS notifications.

Pre-Requisites:

  1. AWS CloudTrail enabled with multi-region logging.

  2. CloudWatch Logs enabled and integrated with CloudTrail.

  3. IAM Permissions Required:

    • cloudtrail:DescribeTrails

    • cloudtrail:GetEventSelectors

    • logs:DescribeMetricFilters

    • cloudwatch:DescribeAlarms

    • sns:ListSubscriptionsByTopic

    • logs:PutMetricFilter, cloudwatch:PutMetricAlarm, sns:CreateTopic

Remediation:

Test Plan:

Using AWS Console

  1. Log in to the AWS Management Console.

  2. Navigate to CloudTrail: AWS CloudTrail Console.

  3. Verify there is at least one active multi-region CloudTrail trail.

  4. Check that CloudTrail logs are sent to CloudWatch Logs.

  5. Navigate to CloudWatch Logs: AWS CloudWatch Console.

  6. Ensure that a metric filter is created for CloudTrail configuration changes.

  7. Check CloudWatch Alarms for alerts on CloudTrail configuration changes.

Implementation Steps:

Using AWS CLI

Step 1: Create a Metric Filter for CloudTrail Configuration Changes

aws logs put-metric-filter --log-group-name <trail-log-group-name> \
--filter-name cloudtrail-cfg-changes-metric \
--metric-transformations metricName=cloudtrail-cfg-changes-metric,metricNamespace="CISBenchmark",metricValue=1 \
--filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }'

Step 2: Create an SNS Topic for Notifications

aws sns create-topic --name cloudtrail-cfg-changes-alerts

Step 3: Subscribe to SNS Topic

aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint <your-email@example.com>

Step 4: Create a CloudWatch Alarm for CloudTrail Configuration Changes

aws cloudwatch put-metric-alarm --alarm-name cloudtrail-cfg-changes-alarm \
--metric-name cloudtrail-cfg-changes-metric --statistic Sum --period 300 \
--threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
--evaluation-periods 1 --namespace "CISBenchmark" --alarm-actions <sns-topic-arn>
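The Test Plan above can be run as a script. The following is an added example, not part of the CIS control text: it assumes a configured AWS CLI with the read-only permissions listed under Pre-Requisites, and the two helper functions (log group name from ARN, filter-pattern coverage check) run without any AWS access.

```shell
#!/bin/sh
# Added audit script for this control (not from the CIS document). Assumes the AWS CLI is
# configured with the read-only permissions under Pre-Requisites; no account values are embedded.
set -eu

# The five CloudTrail configuration events the metric filter must cover.
CFG_EVENTS="CreateTrail UpdateTrail DeleteTrail StartLogging StopLogging"

# Log group name from a CloudWatch Logs ARN (arn:aws:logs:REGION:ACCOUNT:log-group:NAME:*).
log_group_from_arn() {
  name="${1#*:log-group:}"          # drop everything through "log-group:"
  printf '%s\n' "${name%:\*}"       # drop the trailing ":*"
}

# Exit 0 if a filter pattern names every event in CFG_EVENTS, 1 otherwise.
# Whitespace is ignored, so "$.eventName=X" and "$.eventName = X" both count.
pattern_covers_events() {
  compact=$(printf '%s' "$1" | tr -d '[:space:]')
  for ev in $CFG_EVENTS; do
    case "$compact" in *"\$.eventName=$ev"*) ;; *) return 1 ;; esac
  done
  return 0
}

# Live check: PASS only if a multi-region trail feeds CloudWatch Logs, a metric filter on
# that log group covers all five events, and an alarm on that metric has an SNS action.
audit_cloudtrail_cfg_alarm() {
  arn=$(aws cloudtrail describe-trails --output text \
        --query 'trailList[?IsMultiRegionTrail && CloudWatchLogsLogGroupArn].CloudWatchLogsLogGroupArn | [0]')
  if [ -z "$arn" ] || [ "$arn" = "None" ]; then
    echo "FAIL: no multi-region trail delivers to CloudWatch Logs"; return 1
  fi
  group=$(log_group_from_arn "$arn")
  filters=$(aws logs describe-metric-filters --log-group-name "$group" --output text \
    --query 'metricFilters[].[filterPattern,metricTransformations[0].metricName,metricTransformations[0].metricNamespace]')
  tab=$(printf '\t')
  while IFS="$tab" read -r pattern metric ns; do
    pattern_covers_events "$pattern" || continue
    actions=$(aws cloudwatch describe-alarms-for-metric --metric-name "$metric" \
              --namespace "$ns" --query 'MetricAlarms[].AlarmActions[]' --output text)
    case "$actions" in *arn:aws:sns:*)
      echo "PASS: filter '$metric' on '$group' raises an alarm that notifies SNS"; return 0 ;;
    esac
  done <<EOF
$filters
EOF
  echo "FAIL: no metric filter on '$group' covers all five events with an SNS-backed alarm"
  return 1
}
```

The script does not verify that the SNS topic has a confirmed subscription (Step 3); check that separately with `aws sns list-subscriptions-by-topic`.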

Backout Plan:

  1. Delete the CloudWatch Alarm:

    aws cloudwatch delete-alarms --alarm-names cloudtrail-cfg-changes-alarm

  2. Remove the metric filter:

    aws logs delete-metric-filter --log-group-name <trail-log-group-name> --filter-name cloudtrail-cfg-changes-metric

  3. Delete the SNS topic:

    aws sns delete-topic --topic-arn <sns-topic-arn>

References:

CIS Controls Mapping:

CIS Control Version | Control ID | Control Description
------------------- | ---------- | ----------------------------------------------------
CIS v8              | 8.5        | Collect detailed audit logs for security monitoring.
CIS v8              | 8.11       | Conduct audit log reviews to detect anomalies.
CIS v7              | 6.3        | Enable detailed logging for security monitoring.
CIS v7              | 4.9        | Log and alert on CloudTrail configuration changes.