Profile Applicability:

  • Level 1

Description:

AWS CloudTrail Insights is a feature that automatically detects unusual API activity in your AWS environment and provides a detailed view of the activity in your CloudTrail logs. Insights help identify potential security risks, operational issues, or misconfigurations by highlighting anomalies in API call patterns.

Enabling CloudTrail Insights ensures that unusual API activity in your AWS environment, such as unexpected changes in API call rates or error rates, is logged as Insights events, making it easier to detect issues such as unauthorized access attempts or misconfigured resources that could lead to security vulnerabilities.

Rationale:

CloudTrail Insights helps improve the security posture of your AWS environment by:

  • Anomaly Detection: Automatically detects unusual activity or behavior within the AWS account, such as unexpected spikes in API calls, which could indicate potential threats like privilege escalation, unauthorized access, or denial of service attempts.

  • Real-time Insights: Gathers critical information and alerts security teams about abnormal activities in near real-time, allowing quick responses.

  • Improved Audit Trail: Enhances auditing and investigation capabilities by providing additional context for unusual API activity, which could be crucial for incident response and compliance audits.

Impact:

Pros:

  • Enhanced Security: Helps detect malicious activities or configuration mistakes by analyzing API call patterns.

  • Proactive Incident Detection: Allows security teams to be alerted to unusual activity, which can be investigated further.

  • Improved Compliance: Helps meet regulatory requirements for monitoring and responding to abnormal activities in the environment.

Cons:

  • Cost: Enabling CloudTrail Insights may incur additional charges for the extra data generated from logging and analysis of API activity.

  • False Positives: There is a possibility of receiving alerts for non-threatening anomalies, which might require additional tuning to minimize unnecessary alerts.

Default Value:

By default, CloudTrail Insights is disabled on new and existing trails. It must be manually enabled to start capturing and analyzing insights for unusual API activity.

Pre-requisite:

  • AWS IAM Permissions:

    • cloudtrail:CreateTrail

    • cloudtrail:DescribeTrails

    • cloudtrail:UpdateTrail

    • cloudtrail:StartLogging

    • cloudtrail:GetInsightSelectors

    • cloudtrail:PutInsightSelectors

  • AWS CLI installed and configured.

  • Basic knowledge of CloudTrail configuration and insight functionality.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to CloudTrail under Services.

  3. In the CloudTrail Dashboard, go to the Trails section.

  4. Select the trail to review or create a new trail.

  5. In the Trail Details, scroll to the CloudTrail Insights section:

    • If Insights is enabled, you will see "Insights enabled" as an option.

    • If Insights is disabled, you will see an option to enable it.

  6. Ensure that CloudTrail Insights is enabled to capture unusual activity.

Using AWS CLI:

To check the status of CloudTrail Insights, first list your trails together with the flag that indicates whether Insight selectors are configured on each:

aws cloudtrail describe-trails --query 'trailList[*].[Name,HasInsightSelectors]'

Then retrieve the selectors for a trail (describe-trails only exposes the HasInsightSelectors flag, not the selectors themselves):

aws cloudtrail get-insight-selectors --trail-name <trail-name>

The output lists the InsightSelectors configured on the trail. If the InsightSelectors attribute is null or empty, or the command reports that Insights are not enabled on the trail (InsightNotEnabledException), Insights are not enabled.

  • Example output (the TrailARN value is a placeholder):

    {
      "TrailARN": "arn:aws:cloudtrail:<region>:<account-id>:trail/<trail-name>",
      "InsightSelectors": [
        {
          "InsightType": "ApiCallRateInsight"
        }
      ]
    }

If CloudTrail Insights is not enabled, enable it using the CLI by running:

aws cloudtrail put-insight-selectors --trail-name <trail-name> --insight-selectors '[{"InsightType":"ApiCallRateInsight"}]'

Note that put-insight-selectors replaces the trail's whole selector list, so include any Insight type that is already enabled (for example ApiErrorRateInsight) in the list you pass.

Verify that Insights have been successfully enabled by checking the status again:

aws cloudtrail get-insight-selectors --trail-name <trail-name>

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to CloudTrail.

  2. Under Trails, select the trail you want to enable Insights for.

  3. In the Trail Settings, under CloudTrail Insights, toggle the Enable option.

  4. Save the configuration and ensure that the trail is active for Insights.

  5. Ensure that CloudTrail Insights is configured for your AWS environment to capture unexpected activity.

Using AWS CLI:

To enable CloudTrail Insights via the CLI, run the following command:

aws cloudtrail put-insight-selectors --trail-name <trail-name> --insight-selectors '[{"InsightType":"ApiCallRateInsight"}]'

Verify that CloudTrail Insights is enabled by checking the status:

aws cloudtrail get-insight-selectors --trail-name <trail-name>

The output should confirm that the InsightSelectors are set, and the trail is capturing unusual activity.
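As an added example, not part of this benchmark text, the following script automates the test plan and remediation above with boto3: it lists every trail, fetches the Insight selectors of each, reports trails that lack ApiCallRateInsight, and can enable it while keeping any selector already set. It assumes boto3 and configured credentials for a live run; the function names are this example's own.

```python
# Added example, not from the benchmark text: audit every trail for Insights
# coverage and enable ApiCallRateInsight where it is missing. A live run needs
# boto3 and credentials; the logic accepts any object exposing describe_trails,
# get_insight_selectors and put_insight_selectors, so it can be tested offline.
REQUIRED = {"ApiCallRateInsight"}  # the type the benchmark's remediation enables

def insight_types(client, trail_name):
    """Return the set of Insight types enabled on a trail (empty if none).

    GetInsightSelectors raises InsightNotEnabledException for a trail that has
    never had Insights enabled; treat that like an empty selector list."""
    try:
        resp = client.get_insight_selectors(TrailName=trail_name)
    except Exception as exc:  # boto3 raises a ClientError subclass here
        err = getattr(exc, "response", {}).get("Error", {})
        if err.get("Code", type(exc).__name__) == "InsightNotEnabledException":
            return set()
        raise
    return {s["InsightType"] for s in resp.get("InsightSelectors") or []}

def audit_trails(client):
    """Map each trail name to its enabled Insight types. DescribeTrails only
    exposes a HasInsightSelectors flag, so selectors are fetched per trail."""
    report = {}
    for trail in client.describe_trails()["trailList"]:
        name = trail["Name"]
        report[name] = insight_types(client, name) if trail.get("HasInsightSelectors") else set()
    return report

def noncompliant(report):
    """Names of trails missing at least one required Insight type, sorted."""
    return sorted(n for n, types in report.items() if not REQUIRED <= types)

def remediate(client, trail_name):
    """Enable ApiCallRateInsight on one trail. PutInsightSelectors replaces the
    whole selector list, so any type already enabled is merged in and kept."""
    types = insight_types(client, trail_name) | REQUIRED
    client.put_insight_selectors(
        TrailName=trail_name,
        InsightSelectors=[{"InsightType": t} for t in sorted(types)],
    )
    return insight_types(client, trail_name)

if __name__ == "__main__":
    import boto3  # only needed for a live run against the account
    for name in noncompliant(audit_trails(boto3.client("cloudtrail"))):
        print(f"{name}: CloudTrail Insights not enabled")
```

Run as-is the script only reports; call remediate(client, name) for each reported trail to apply the fix.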

Backout Plan:

If enabling CloudTrail Insights causes issues (e.g., unwanted alerts or high data costs):

Identify the trail for which Insights was enabled.

To disable CloudTrail Insights, run:

aws cloudtrail put-insight-selectors --trail-name <trail-name> --insight-selectors '[]'

Verify that CloudTrail Insights is no longer enabled:

aws cloudtrail get-insight-selectors --trail-name <trail-name>

Note:

  • Cost Considerations: Enabling CloudTrail Insights may incur additional charges depending on the volume of data analyzed. Review the AWS pricing documentation to understand the cost structure.

  • Alerting: Set up CloudWatch Alarms to notify you when certain CloudTrail Insight events are triggered, helping to take immediate action on detected anomalies.

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                                        | IG1 | IG2 | IG3
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                       |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                   |     |     |
v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                            |     |     |