Profile Applicability
- Level 1
Description:
AWS CloudTrail is a service that captures and logs API calls made on your AWS account, providing a detailed audit trail of actions performed in the AWS environment. Enabling CloudTrail in all regions ensures that logs for API calls in every AWS region are captured and stored, allowing for consistent monitoring of activities across the entire AWS environment.
It is important to enable CloudTrail in all regions to ensure comprehensive logging for auditing, security monitoring, and compliance. This also helps identify any activities or configuration changes in regions where resources might have been deployed but not previously monitored.
Rationale:
Enabling CloudTrail in all regions ensures:
Complete visibility into the activity across all AWS regions, regardless of where the resources are deployed.
Centralized logging for easier auditing and compliance with security regulations (e.g., HIPAA, SOC 2, PCI DSS).
Early detection of unauthorized or suspicious activity occurring in regions not monitored by default.
If CloudTrail is not enabled in all regions, some activities and changes in AWS services might go unnoticed, which could result in missed security incidents or compliance violations.
Impact:
Failure to enable CloudTrail in all regions can result in:
Incomplete monitoring of AWS account activity, leaving some regions untracked.
Inability to detect unauthorized access or misconfigurations in unmonitored regions.
Non-compliance with security and regulatory standards that require comprehensive logging across all regions.
Enabling CloudTrail in all regions ensures full visibility and helps with compliance, making it easier to track and audit activity in your AWS environment.
Default Value:
By default, CloudTrail is not enabled in all regions. CloudTrail must be explicitly configured to log events in each region to ensure comprehensive monitoring.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions:
cloudtrail:DescribeTrails
cloudtrail:UpdateTrail
AWS CloudTrail service should be enabled and configured to deliver logs to an S3 bucket
Remediation:
Test Plan:
Using AWS Console:
Go to the CloudTrail Console.
Check if CloudTrail is enabled in all regions.
In the CloudTrail Console, navigate to the Trails section and confirm that a trail is configured to log events in all regions.
Verify that the logs are being stored in an S3 bucket and that the S3 bucket is accessible and configured correctly for log storage.
Using AWS CLI:
aws cloudtrail describe-trails --query 'trailList[?IsMultiRegionTrail==`true`].{TrailName:Name, Region:HomeRegion}' --output table
Note: the response key is trailList (lower-case t; JMESPath is case-sensitive), and the query must be single-quoted, because inside double quotes the shell treats the backticks around the JMESPath literal `true` as command substitution and the filter silently matches nothing.
To verify that CloudTrail is logging across all regions:
aws cloudtrail get-event-selectors --trail-name <trail-name> --output table
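The CLI commands above show the raw settings; the check itself is "does at least one trail cover all regions, is it actively logging, and does it record all management events to S3". The following script is an added example (not part of the benchmark text) that evaluates that check offline against constructed sample data. The sample dictionaries mirror the shapes returned by aws cloudtrail describe-trails, get-trail-status and get-event-selectors; on a real account you would substitute the output of those commands (or the matching boto3 calls). Account ids and bucket names in the sample are placeholders.

```python
"""Evaluate the 'CloudTrail enabled in all regions' check offline.

Added example, not part of the benchmark text. The three sample
structures below are constructed; on a real account they come from
`aws cloudtrail describe-trails`, `aws cloudtrail get-trail-status`
and `aws cloudtrail get-event-selectors` (or the matching boto3 calls),
the latter two run once per trail.
"""
import json

# Constructed sample shaped like `aws cloudtrail describe-trails --output json`.
# The account id and bucket names are placeholders.
SAMPLE_DESCRIBE_TRAILS = json.loads("""
{
  "trailList": [
    {"Name": "org-trail", "S3BucketName": "example-cloudtrail-logs",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": true,
     "IncludeGlobalServiceEvents": true,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"},
    {"Name": "eu-only-trail", "S3BucketName": "example-eu-logs",
     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": false,
     "IncludeGlobalServiceEvents": false,
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/eu-only-trail"}
  ]
}
""")

# Constructed sample: `get-trail-status` output, keyed by trail name.
SAMPLE_TRAIL_STATUS = {
    "org-trail": {"IsLogging": True},
    "eu-only-trail": {"IsLogging": False},
}

# Constructed sample: `get-event-selectors` output, keyed by trail name.
# Trails configured with advanced event selectors return an
# "AdvancedEventSelectors" list instead; this example only evaluates the
# basic "EventSelectors" form.
SAMPLE_EVENT_SELECTORS = {
    "org-trail": {"EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]},
    "eu-only-trail": {"EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True, "DataResources": []}]},
}


def trail_issues(trail, status, selectors):
    """List what keeps one trail from satisfying the check (empty list = compliant)."""
    issues = []
    if not trail.get("IsMultiRegionTrail", False):
        issues.append("not a multi-region trail")
    if not trail.get("IncludeGlobalServiceEvents", False):
        issues.append("global service events (IAM, STS, CloudFront) not included")
    if not trail.get("S3BucketName"):
        issues.append("no S3 bucket configured for log delivery")
    if not status.get("IsLogging", False):
        issues.append("logging is stopped")
    records_all_management = any(
        sel.get("IncludeManagementEvents", False) and sel.get("ReadWriteType") == "All"
        for sel in selectors.get("EventSelectors", [])
    )
    if not records_all_management:
        issues.append("management events not recorded for both read and write")
    return issues


def evaluate_account(describe_trails, trail_status, event_selectors):
    """The account passes when at least one trail has no issues, i.e. one
    multi-region trail is actively logging all management events to S3.
    Issues on other trails are reported but do not fail the account."""
    findings = {}
    for trail in describe_trails.get("trailList", []):
        name = trail["Name"]
        findings[name] = trail_issues(
            trail, trail_status.get(name, {}), event_selectors.get(name, {}))
    compliant = [name for name, issues in findings.items() if not issues]
    return {"passes": bool(compliant), "compliant_trails": compliant, "findings": findings}


if __name__ == "__main__":
    report = evaluate_account(SAMPLE_DESCRIBE_TRAILS, SAMPLE_TRAIL_STATUS, SAMPLE_EVENT_SELECTORS)
    print("PASS" if report["passes"] else "FAIL", "- compliant trails:", report["compliant_trails"])
    for name, issues in report["findings"].items():
        print(f"  {name}: {'ok' if not issues else '; '.join(issues)}")
```

With the sample data the account passes on org-trail, while eu-only-trail is reported with four issues (single-region, no global service events, logging stopped, write-only management events). Replacing the sample status with IsLogging false for org-trail flips the result to FAIL, which is the case describe-trails alone cannot reveal: a multi-region trail that exists but has been stopped still satisfies the --query filter in the test plan.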
Implementation Plan:
Using AWS Console:
Enable CloudTrail in all regions:
Go to the CloudTrail Console.
Select the trail you want to configure.
In the Trail Settings, ensure that the Multi-region trail option is selected to log events in all AWS regions.
Save the configuration and verify that the trail is logging events across all regions.
Verify log delivery to S3:
Go to the S3 Console.
Confirm that CloudTrail logs are being stored in the configured S3 bucket.
Using AWS CLI:
Enable CloudTrail in all regions:
aws cloudtrail update-trail --name <trail-name> --is-multi-region-trail
Verify CloudTrail logging in all regions:
aws cloudtrail describe-trails --query 'trailList[?IsMultiRegionTrail==`true`].{TrailName:Name, Region:HomeRegion}' --output table
Backout Plan:
Using AWS Console:
If enabling CloudTrail in all regions creates excessive logging or performance issues:
Go to the CloudTrail Console.
Disable multi-region logging by unchecking the Multi-region trail option in the Trail Settings.
Alternatively, exclude non-essential regions from logging if there is an overload of data.
Modify the S3 bucket settings to reduce storage space or configure lifecycle policies for log data.
Using AWS CLI:
Temporarily disable multi-region logging:
aws cloudtrail update-trail --name <trail-name> --no-is-multi-region-trail
Stop CloudTrail logging if necessary:
aws cloudtrail stop-logging --name <trail-name>
Re-enable CloudTrail logging once issues are resolved:
aws cloudtrail start-logging --name <trail-name>
aws cloudtrail update-trail --name <trail-name> --is-multi-region-trail