ACCT.07 – Deliver CloudTrail logs to a protected S3 bucket - AWS Prescriptive Guidance

Actions taken by users, roles, and services in your AWS account are recorded as events in AWS CloudTrail. CloudTrail is enabled by default, and in the CloudTrail console, you can access 90 days of event history information. To view, search, download, archive, analyze, and respond to account activity across your AWS infrastructure, see Viewing events with CloudTrail Event history (CloudTrail documentation).

To retain CloudTrail history beyond 90 days and capture additional event data, create a new trail that delivers log files for all event types to an Amazon Simple Storage Service (Amazon S3) bucket. A trail that you create in the CloudTrail console is a multi-Region trail.

To create a trail that delivers logs for all AWS Regions to an S3 bucket
  1. Create a trail (CloudTrail documentation). On the Choose log events page, do the following:

    1. For API activity, choose both Read and Write.

    2. For preproduction environments, choose Exclude AWS KMS events. This excludes all AWS Key Management Service (AWS KMS) events from your trail. AWS KMS read actions such as Encrypt, Decrypt, and GenerateDataKey can generate a large volume of events.

      For production environments, choose to log Write management events, and clear the check box for Exclude AWS KMS events. This excludes high-volume AWS KMS read events but still logs relevant write events, such as Disable, Delete, and ScheduleKey. These are the minimum recommended AWS KMS logging settings for a production environment.

  2. The new trail appears on the Trails page. In about 15 minutes, CloudTrail publishes log files that show the AWS application programming interface (API) calls made in your account. You can see the log files in the S3 bucket that you specified.

To help secure the S3 buckets where you store CloudTrail log files
  1. Review the Amazon S3 bucket policy (CloudTrail documentation) for any and all buckets where you store log files and adjust it as needed to remove any unnecessary access.

  2. As a security best practice, be sure to manually add an aws:SourceArn condition key to the bucket policy. For more information, see Create or update an Amazon S3 bucket to use to store the log files for an organization trail (CloudTrail documentation).

  3. Enable MFA Delete (Amazon S3 documentation).
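As an added example (not AWS's own code or policy text), the following Python builds the bucket policy that the delivery steps above rely on, with both CloudTrail statements pinned to a single trail through aws:SourceArn, and then runs a small check of the kind step 1 calls for: it flags Allow statements open to any principal and CloudTrail grants that lack the aws:SourceArn condition. The account ID, bucket, Region and trail name are constructed placeholders for a single-account trail.

```python
import json

# Constructed placeholder values; substitute your own account, bucket, Region and trail name.
ACCOUNT_ID = "111122223333"
BUCKET = "example-cloudtrail-logs"
REGION = "us-east-1"
TRAIL_NAME = "management-events-trail"


def cloudtrail_bucket_policy(bucket, account_id, region, trail_name):
    """Bucket policy granting CloudTrail only what delivery needs, pinned to one trail via aws:SourceArn."""
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    service = {"Service": "cloudtrail.amazonaws.com"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # CloudTrail checks the bucket ACL before it starts delivering
                "Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": service,
                "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {   # Writes are limited to this account's prefix and must hand ownership to the bucket owner
                "Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": service,
                "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn,
                                               "s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def policy_findings(policy):
    """Flag Allow statements open to any principal, and CloudTrail grants without an aws:SourceArn condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: Allow granted to any principal")
        elif isinstance(principal, dict) and principal.get("Service") == "cloudtrail.amazonaws.com":
            conditions = stmt.get("Condition", {})  # shape: {operator: {condition_key: value}}
            if not any("aws:SourceArn" in keys for keys in conditions.values()):
                findings.append(f"{sid}: CloudTrail grant is not pinned with aws:SourceArn")
    return findings


if __name__ == "__main__":
    policy = cloudtrail_bucket_policy(BUCKET, ACCOUNT_ID, REGION, TRAIL_NAME)
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy))  # expect an empty list
```

Run `policy_findings` over the JSON returned by `aws s3api get-bucket-policy` for each log bucket to spot grants that the review in step 1 should remove.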