Profile Applicability:

  • Level 2

Description:

IAM (Identity and Access Management) is a service in AWS that enables you to manage access to AWS resources securely. AWS CloudTrail is a service that records AWS API calls for your account, providing an audit trail of activity. IAM policies define the permissions for accessing AWS resources. Granting "cloudtrail:*" (full access to all CloudTrail actions) in an IAM policy can give users or roles unrestricted access to view, modify, and delete CloudTrail data, which is a critical part of your security and audit trail.

Rationale:

Allowing full "cloudtrail:*" privileges can lead to serious security risks, such as unauthorized access to audit logs or the ability to delete logs, making it difficult to trace malicious activity or investigate incidents. It is crucial to restrict access to CloudTrail logs and configurations to only those with a legitimate need. This ensures compliance with the principle of least privilege and prevents accidental or malicious tampering with CloudTrail data.

Impact:

Granting "cloudtrail:*" privileges can:

  • Lead to potential unauthorized access or tampering with CloudTrail logs, hindering investigations.

  • Expose sensitive audit trail data to unauthorized users, risking security breaches or compliance violations.

  • Compromise the integrity of logging and auditing processes critical for security monitoring.

  • Violate security best practices and regulatory compliance frameworks like SOC 2, ISO 27001, and NIST.

Default Value:

By default, IAM policies do not grant full "cloudtrail:*" access. However, it is possible for administrators or other users to accidentally create policies that provide excessive access to CloudTrail. Proper governance and review procedures should be implemented to prevent this.

Pre-requisites:

  • Access to AWS Management Console or AWS CLI with sufficient IAM permissions.

  • Familiarity with IAM policies and CloudTrail actions.

  • Understanding of the principle of least privilege and security best practices.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to the Amazon IAM console.

  3. Navigate to IAM > Policies in the AWS Management Console.

  4. Search for customer-managed policies that may contain "cloudtrail:*" actions.

  5. Open each policy and review its permissions in the visual editor or JSON format.

  6. Identify any policies that grant full "cloudtrail:*" permissions.

  7. If such policies are found, evaluate whether they are necessary and adjust the permissions to follow the least privilege principle.

Using AWS CLI:

  1. List all IAM policies using the following command:
    aws iam list-policies --scope Local

  2. Retrieve the details of each policy to check for "cloudtrail:*" permissions:
    aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>

  3. Review the policy statements for any "cloudtrail:*" permissions.

  4. If any policies with "cloudtrail:*" permissions are found, evaluate if they are required, and modify or delete them.


Implementation Plan:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to Policies in the Amazon IAM console.

  3. Review customer-managed policies for any that contain "cloudtrail:*" permissions.

  4. If a policy grants full "cloudtrail:*" access, the policy can be deleted.

  5. Detach any overly permissive policies from users, roles, or groups, and document the changes for auditing purposes.

Using AWS CLI:

  1. List all IAM policies with the following command:

    aws iam list-policies

  2. For each policy, retrieve the policy document:

    aws iam get-policy-version --policy-arn <POLICY_ARN> --version-id <VERSION_ID>

  3. Check for "cloudtrail:*" actions in the policy statements.

  4. If such policies are found, detach them using the following commands:

    aws iam detach-user-policy --user-name <USER_NAME> --policy-arn <POLICY_ARN>
    aws iam detach-role-policy --role-name <ROLE_NAME> --policy-arn <POLICY_ARN>
    aws iam detach-group-policy --group-name <GROUP_NAME> --policy-arn <POLICY_ARN>

  5. Modify the policy to restrict CloudTrail access as necessary, and reattach the revised policy if required.
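The CLI steps in the Test Plan and Implementation Plan above (list the customer-managed policies, fetch each default version, look for "cloudtrail:*", then replace the grant with a narrower one) can be automated. The script below is an added example written for this page; it is not part of the benchmark text or of any AWS tooling. The two policy documents are constructed samples, the read-only action set in LEAST_PRIVILEGE is one illustrative narrower grant rather than a page recommendation, and the audit_account driver is an assumption that needs boto3 and AWS credentials; the policy-checking function itself runs offline.

```python
"""Audit IAM policy documents for statements that grant every CloudTrail action.

Added example for this benchmark item (not from the page). The offline part,
find_cloudtrail_wildcards(), works on any IAM policy document. audit_account()
is an assumed boto3 driver that mirrors the Test Plan CLI steps and is only
reached when the file is run directly with credentials configured.
"""
import json

FULL_CLOUDTRAIL = "cloudtrail:*"


def _as_list(value):
    """IAM allows Action/NotAction/Resource to be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_cloudtrail_wildcards(policy_doc):
    """Return the Sid (or a positional label) of every Allow statement that grants
    all CloudTrail actions. Three shapes count as a full grant:
      - Action contains "cloudtrail:*" (IAM action names are case-insensitive)
      - Action contains the global "*"
      - NotAction is used and excludes nothing under cloudtrail: (implicit allow)
    Deny statements are ignored; they never widen access."""
    if isinstance(policy_doc, str):  # accept JSON text as well as a decoded dict
        policy_doc = json.loads(policy_doc)
    findings = []
    for idx, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        full = FULL_CLOUDTRAIL in actions or "*" in actions
        if "NotAction" in stmt:
            excluded = {a.lower() for a in _as_list(stmt.get("NotAction"))}
            if not any(a == "*" or a.startswith("cloudtrail:") for a in excluded):
                full = True
        if full:
            findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


# Constructed sample documents (not taken from any real account).
OVERLY_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LogsReadOnly", "Effect": "Allow",
         "Action": ["logs:DescribeLogGroups"], "Resource": "*"},
        # Mixed case on purpose: IAM treats "CloudTrail:*" as "cloudtrail:*".
        {"Sid": "TrailAdmin", "Effect": "Allow",
         "Action": "CloudTrail:*", "Resource": "*"},
    ],
}

# Illustrative narrower replacement: read-only trail inspection only.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TrailReadOnly", "Effect": "Allow",
         "Action": ["cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
                    "cloudtrail:GetEventSelectors", "cloudtrail:LookupEvents"],
         "Resource": "*"},
    ],
}


def audit_account():
    """Assumed boto3 driver: walk customer-managed policies (--scope Local, as in
    the Test Plan), fetch each default version and report the offending Sids
    keyed by policy ARN. boto3 is imported lazily so the offline checks above
    run without it installed."""
    import boto3
    iam = boto3.client("iam")
    report = {}
    for page in iam.get_paginator("list_policies").paginate(Scope="Local"):
        for pol in page["Policies"]:
            version = iam.get_policy_version(
                PolicyArn=pol["Arn"], VersionId=pol["DefaultVersionId"])
            hits = find_cloudtrail_wildcards(version["PolicyVersion"]["Document"])
            if hits:
                report[pol["Arn"]] = hits
    return report


if __name__ == "__main__":
    print("overly permissive:", find_cloudtrail_wildcards(OVERLY_PERMISSIVE))
    print("least privilege:", find_cloudtrail_wildcards(LEAST_PRIVILEGE))
    # print(audit_account())  # uncomment with AWS credentials configured
```

Running the file prints the offending Sid ("TrailAdmin") for the constructed sample and an empty list for the narrower replacement; pointing audit_account() at an account reproduces steps 1 to 3 of the CLI Test Plan, leaving the detach and rewrite decisions to the operator.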

Backout Plan:

Using AWS Console:

  1. If disabling or modifying the "cloudtrail:*" policy causes issues, sign in to the AWS Management Console.

  2. Re-attach the CloudTrailFullAccess policy if necessary, but ensure that the policy only provides the minimum required access.

Using AWS CLI:

  1. To re-attach an overly permissive CloudTrail policy, run:

    aws iam attach-user-policy --user-name <USER_NAME> --policy-arn arn:aws:iam::aws:policy/CloudTrailFullAccess

  2. Verify that the CloudTrailFullAccess policy has been reattached:

    aws iam list-attached-user-policies --user-name <USER_NAME>

Reference:

CIS Controls:

  Version   Control ID   Control Description
  7.1       3.1          Ensure IAM policies do not grant full cloudtrail:* privileges unless absolutely necessary, in order to protect sensitive logging data.
  7.1       8.1          Review and restrict CloudTrail permissions to only those necessary for users to perform their tasks, following the least privilege principle.