Profile Applicability:
- Level 1
Description:
AWS CloudTrail is a service that records API calls made on your AWS account, enabling you to monitor and retain account activity related to actions taken within AWS resources. By default, CloudTrail logs management events only for the region where the trail is created. However, it is a best practice to enable CloudTrail to log management events in all regions to ensure that you have a comprehensive view of API activity across your entire AWS environment.
This SOP ensures that CloudTrail logs management events across all AWS regions, providing a complete audit trail for all activity, regardless of the region in which it occurs.
Rationale:
Logging management events in all regions is essential for:
Comprehensive Audit Trail: Ensures that all API activities, regardless of which AWS region they occur in, are logged, allowing for a complete view of all user actions in your AWS account.
Security and Monitoring: Provides the necessary logging and auditing for security monitoring, incident response, and compliance audits.
Compliance: Meets regulatory and security requirements that mandate full visibility into all actions performed in the environment, such as SOC 2, PCI-DSS, and HIPAA.
Impact:
Pros:
Complete Visibility: Ensures that all actions are captured, making it easier to detect unauthorized actions, misconfigurations, or malicious activities.
Improved Security Posture: Enhances your ability to respond to security incidents by providing a full record of API activity.
Regulatory Compliance: Helps meet the requirements for comprehensive logging and monitoring for compliance audits.
Cons:
Cost: Enabling logging for all regions may increase the volume of logs generated, potentially leading to higher costs for storage and management.
Management Overhead: Requires continuous management and monitoring to ensure that logging configurations remain up-to-date and relevant.
Default Value:
By default, CloudTrail logs management events only in the region where the trail is created. To log events in all regions, you must manually enable this setting.
Pre-requisite:
AWS IAM Permissions:
cloudtrail:DescribeTrails
cloudtrail:UpdateTrail
cloudtrail:StartLogging
cloudtrail:GetTrailStatus
AWS CLI installed and configured.
Knowledge of CloudTrail configuration and AWS regional services.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to CloudTrail under Services.
In the CloudTrail Dashboard, go to Trails and select the trail you wish to verify.
In the Trail Settings section, look for the Apply trail to all regions setting:
If it is enabled, CloudTrail is logging events in all regions.
If it is disabled, you will need to enable it to ensure events are logged across all regions.
Ensure that Management events are enabled in the trail configuration to capture all management API actions (e.g., Create, Delete, Describe actions).
Using AWS CLI:
To check whether any trail is configured as a multi-region trail, run:
aws cloudtrail describe-trails --query 'trailList[*].[Name,HomeRegion,IsMultiRegionTrail]' --output table
This command lists every trail with its home region and whether it applies to all regions. At least one trail must show true for IsMultiRegionTrail; if none does, enable it as described in the Implementation Steps.
To verify that management events are being logged by that trail, run:
aws cloudtrail get-event-selectors --trail-name <trail-name>
Confirm that the event selectors show IncludeManagementEvents set to true and ReadWriteType set to All. Also confirm the trail is actively logging with aws cloudtrail get-trail-status --name <trail-name>, which should return true for IsLogging. If any of these checks fail, update the trail as described in the Implementation Steps.
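The checks above combine three CLI outputs (describe-trails, get-trail-status, get-event-selectors). The following is an added example, not part of this SOP, that evaluates those outputs offline against the control; the trail names, account id and JSON documents are constructed to mirror the CLI output shape, and the advanced-event-selector handling is an extension beyond the basic selectors the text describes.

```python
import json

# Constructed sample output: one compliant multi-region trail, one single-region trail.
DESCRIBE_TRAILS = json.loads("""{"trailList": [
 {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": true,
  "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"},
 {"Name": "dev-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": false,
  "TrailARN": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/dev-trail"}]}""")
TRAIL_STATUS = {"org-trail": {"IsLogging": True}, "dev-trail": {"IsLogging": True}}
EVENT_SELECTORS = {
    "org-trail": {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    "dev-trail": {"EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
}


def logs_all_management_events(selectors):
    """True if basic or advanced selectors capture both read and write management events."""
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All":
            return True
    for sel in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        category = fields.get("eventCategory", {})
        # A Management selector with no readOnly filter logs both read and write events.
        if category.get("Equals") == ["Management"] and "readOnly" not in fields:
            return True
    return False


def evaluate_trail(trail, status, selectors):
    """Return the list of control failures for one trail (empty list means compliant)."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("IsMultiRegionTrail is false")
    if not status.get("IsLogging"):
        findings.append("trail is not logging")
    if not logs_all_management_events(selectors):
        findings.append("management events are not logged for read and write")
    return findings


def account_compliant(trails, statuses, selectors):
    """The control passes when at least one trail is multi-region, logging and captures all management events."""
    return any(not evaluate_trail(t, statuses[t["Name"]], selectors[t["Name"]])
               for t in trails["trailList"])


if __name__ == "__main__":
    for t in DESCRIBE_TRAILS["trailList"]:
        print(t["Name"], evaluate_trail(t, TRAIL_STATUS[t["Name"]], EVENT_SELECTORS[t["Name"]]) or "OK")
    print("account compliant:", account_compliant(DESCRIBE_TRAILS, TRAIL_STATUS, EVENT_SELECTORS))
```

To run it against a real account, replace the constructed dictionaries with the parsed output of the three CLI commands for each trail.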
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to CloudTrail.
Go to Trails and select the trail to update.
Under Trail Settings, enable Apply trail to all regions.
Under Management events, ensure that Read/Write events are enabled to capture API calls.
Save the changes and confirm that the trail is now logging in all regions.
Using AWS CLI:
To enable CloudTrail to log in all regions and capture management events, run the following from the trail's home region (update-trail is rejected when called from any other region):
aws cloudtrail update-trail --name <trail-name> --is-multi-region-trail
aws cloudtrail put-event-selectors --trail-name <trail-name> --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":true}]'
Verify that the setting has been applied by describing the trail:
aws cloudtrail describe-trails --query 'trailList[*].IsMultiRegionTrail'
The output should show true for IsMultiRegionTrail, indicating that the trail is logging in all regions.
Backout Plan:
If enabling CloudTrail logging in all regions causes issues (e.g., unexpected data volume or cost increases):
Identify the affected CloudTrail trail.
To revert the change and disable logging in all regions, run the following from the trail's home region:
aws cloudtrail update-trail --name <trail-name> --no-is-multi-region-trail
Verify that the trail is no longer applied to all regions by running:
aws cloudtrail describe-trails --query 'trailList[*].IsMultiRegionTrail'
The output should show false for IsMultiRegionTrail, indicating that the trail is no longer logging events across all regions.
Note:
Cost Monitoring: Enabling CloudTrail logs for all regions could generate a large volume of logs. It’s important to monitor the associated costs and configure log retention policies accordingly.
CloudWatch Alarms: You can configure CloudWatch Alarms to monitor and alert you when unusual or unauthorized activities are detected in CloudTrail logs.