Profile Applicability:

  • Level 1


Description:

This control ensures that AWS CloudTrail log data is monitored for any configuration changes made to CloudTrail itself. A CloudWatch metric filter and alarm must be created to detect and alert on such events. Monitoring CloudTrail configuration changes helps maintain the integrity of audit logging and ensures continuous visibility into account activity.


Rationale:

CloudTrail provides critical audit logs for all account activities. Unauthorized modification or deletion of CloudTrail trails can result in loss of audit data, hindering the ability to detect and investigate security incidents. By monitoring for configuration changes, organizations can promptly detect attempts to disable or alter CloudTrail, ensuring continuous compliance and accountability.


Impact:

  • Positive Impact: Ensures the integrity and continuity of audit logging. Provides immediate visibility into unauthorized attempts to modify CloudTrail settings. Enhances compliance readiness by maintaining complete audit records.
  • Negative Impact: Minimal increase in CloudWatch costs for log processing and metric storage.


Default Value:

By default, AWS does not provide a metric filter or alarm for CloudTrail configuration changes. Manual configuration is required.


Pre-Requisite:

  • CloudTrail must be enabled in all regions.
  • CloudTrail logs must be delivered to a CloudWatch Logs group.
  • IAM permissions required: logs:PutMetricFilter, cloudwatch:PutMetricAlarm, and cloudwatch:DescribeAlarms.


Remediation

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.
  2. Navigate to CloudWatch → Logs → Log groups.
  3. Locate the CloudTrail log group (typically named /aws/cloudtrail/...).
  4. Select Create metric filter.
  5. Enter the following filter pattern to detect CloudTrail configuration changes:
  6. Assign a metric name such as CloudTrailConfigChanges.
  7. Go to CloudWatch → Alarms → Create alarm.
  8. Create an alarm for the CloudTrailConfigChanges metric.
  9. Set a threshold (e.g., >= 1 occurrence within 5 minutes) and configure SNS notifications to alert the security team.
  10. Save the configuration.

Implementation Plan

Using AWS Console:

  1. Go to CloudWatch → Logs → Log groups.
  2. Open the CloudTrail log group.
  3. Choose Create metric filter .
  4. Set Metric Name: CloudTrailConfigChanges.
  5. Create an Alarm:
    • Metric: CloudTrailConfigChanges
    • Namespace: CISBenchmark
    • Condition: ≥ 1 in 5 minutes
    • Actions: Send notification to security team via SNS topic (e.g., aws-security-alerts)
  6. Save all changes.

Backout Plan

Using AWS Console:

  1. Go to CloudWatch → Alarms.

  2. Select the CloudTrailConfigChangesAlarm.

  3. Choose Actions → Delete.

  4. Go to Logs → Metric Filters.

  5. Delete the CloudTrailConfigChanges filter.


References: