Profile Applicability
Level 1
Description:
AWS CloudTrail is a service that enables governance, compliance, and operational and risk auditing by recording API calls made on your AWS account. Monitoring CloudTrail configuration changes ensures that modifications to CloudTrail settings (such as enabling, disabling, or modifying trails) are tracked to prevent unauthorized alterations to the logging configuration.
Ensuring that CloudTrail configuration changes are monitored helps maintain the integrity of audit trails and prevents tampering with the logging mechanism that captures all AWS account activity.
Rationale:
Changes to CloudTrail configuration, such as disabling trails or modifying logging settings, can lead to a lack of visibility into the actions performed on your AWS resources. Without monitoring, these changes could:
Prevent critical API activities from being logged.
Allow for evasion of auditing and monitoring, creating a security vulnerability.
Lead to non-compliance with security standards or regulatory requirements.
Monitoring these configuration changes ensures that all modifications are legitimate and authorized, helping to preserve audit integrity.
Impact:
Failure to monitor CloudTrail configuration changes could result in:
Loss of visibility into important account activities.
Inability to detect unauthorized actions or suspicious activities.
Non-compliance with security and regulatory requirements.
Monitoring CloudTrail configuration changes ensures continuous logging of all API calls and proper audit trail integrity.
Default Value:
By default, CloudTrail is not configured to automatically monitor changes to its configuration settings. These changes must be tracked using CloudTrail itself or AWS Config.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions:
cloudtrail:DescribeTrails
cloudtrail:LookupEvents
config:DescribeConfigurationRecorder
CloudTrail and AWS Config enabled in all AWS regions for monitoring configuration changes
Remediation:
Test Plan:
Using AWS Console:
Go to the CloudTrail Console.
Verify that CloudTrail is enabled and configured to log all management events, including changes to CloudTrail configuration.
Go to the AWS Config Console and confirm that the Configuration Recorder is active for CloudTrail configurations.
Review CloudTrail logs to ensure that changes to CloudTrail configuration (e.g., enabling or disabling trails) are being captured.
Using AWS CLI:
aws cloudtrail describe-trails --query "trailList[?Name=='<trail-name>'].{Name:Name, S3BucketName:S3BucketName}" --output table
To verify AWS Config is tracking CloudTrail configuration changes:
aws configservice describe-configuration-recorders --query 'ConfigurationRecorders[?recordingGroup.allSupported==`true`].{Name:name, RecordingGroup:recordingGroup}' --output table
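The log review in the test plan above can be automated. The following is an added example (not part of the original benchmark text) that parses a CloudTrail log file in the JSON shape delivered to S3 and flags the API calls that alter the logging configuration itself; the watch-list of event names and the sample records are assumptions constructed for the example.

```python
import gzip
import json

# CloudTrail API calls that change the trail/logging configuration.
# Assumed watch-list for this example; extend it to match local policy.
CLOUDTRAIL_CONFIG_EVENTS = {
    "StopLogging", "StartLogging", "DeleteTrail", "UpdateTrail",
    "CreateTrail", "PutEventSelectors", "PutInsightSelectors",
}


def find_config_changes(records):
    """Return (eventName, caller ARN, region, trail) for every CloudTrail
    configuration change found in a list of CloudTrail record dicts."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if rec.get("eventName") not in CLOUDTRAIL_CONFIG_EVENTS:
            continue
        ident = rec.get("userIdentity") or {}
        caller = ident.get("arn") or ident.get("principalId", "unknown")
        params = rec.get("requestParameters") or {}
        # StopLogging/UpdateTrail use "name"; PutEventSelectors uses "trailName".
        trail = params.get("name") or params.get("trailName", "")
        hits.append((rec["eventName"], caller, rec.get("awsRegion", ""), trail))
    return hits


def scan_log_text(text):
    """Scan one delivered log file's JSON text ({"Records": [...]})."""
    return find_config_changes(json.loads(text)["Records"])


def scan_log_file(path):
    """Scan a delivered log file; CloudTrail writes them gzip-compressed."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return scan_log_text(fh.read())


# Constructed sample log (not real account data): one benign EC2 read,
# one read-only CloudTrail call, and one StopLogging that must be flagged.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/reader"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/reader"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "requestParameters": {"name": "org-trail"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"}},
]})

if __name__ == "__main__":
    for hit in scan_log_text(SAMPLE_LOG):
        print("CloudTrail config change: %s by %s in %s (trail %r)" % hit)
```

Point scan_log_file at a file pulled from the trail's S3 bucket; an empty result for a period in which a known change was made means the trail is not capturing its own configuration events.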
Implementation Plan:
Using AWS Console:
Ensure CloudTrail is logging configuration changes:
Go to the CloudTrail Console.
Ensure Management Events are enabled, specifically for configuration changes such as enabling or disabling trails.
Ensure that logs are stored in an S3 bucket for long-term access and retention.
Enable AWS Config to monitor CloudTrail configuration changes:
In the AWS Config Console, enable the Configuration Recorder.
Ensure that CloudTrail configuration changes are included in the configuration recording.
Using AWS CLI:
Verify CloudTrail is logging configuration changes:
aws cloudtrail describe-trails --query "trailList[?Name=='<trail-name>'].{Name:Name, S3BucketName:S3BucketName}" --output table
Enable AWS Config to track CloudTrail configuration (the recorder's IAM role ARN is required; a recorder that already records all supported resource types already covers AWS::CloudTrail::Trail):
aws configservice put-configuration-recorder --configuration-recorder name=<recorder-name>,roleARN=<config-role-arn> --recording-group '{"allSupported": false, "includeGlobalResourceTypes": false, "resourceTypes": ["AWS::CloudTrail::Trail"]}'
Backout Plan:
Using AWS Console:
If monitoring CloudTrail configuration changes creates excessive logging or performance issues:
Go to the CloudTrail Console.
Modify Management Events settings to log fewer events or exclude certain types of changes.
Alternatively, turn off specific logging for non-critical configuration changes.
Modify AWS Config settings to exclude CloudTrail configurations from being tracked if they create performance issues or excessive resource usage.
In the AWS Config Console, disable the recording of CloudTrail configuration changes.
Using AWS CLI:
Temporarily stop the trail from logging management events (the event class that records CloudTrail configuration changes):
aws cloudtrail put-event-selectors --trail-name <trail-name> --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":false}]'
Stop AWS Config recording CloudTrail configurations:
aws configservice stop-configuration-recorder --configuration-recorder-name <recorder-name>
Re-enable monitoring once issues are resolved:
aws cloudtrail put-event-selectors --trail-name <trail-name> --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":true}]'
aws configservice start-configuration-recorder --configuration-recorder-name <recorder-name>