Automatically re-enable AWS CloudTrail by using a custom remediation rule in AWS Config - AWS Prescriptive Guidance

Automatically re-enable AWS CloudTrail by using a custom remediation rule in AWS Config

Created by Manigandan Shri (AWS)

Environment: Production

Technologies: Infrastructure; Operations; Security, identity, compliance

AWS services: Amazon S3; AWS Config; AWS KMS; AWS Identity and Access Management; AWS Systems Manager; AWS CloudTrail

Summary

Visibility over activity in your Amazon Web Services (AWS) account is an important security and operational best practice. AWS CloudTrail helps you with the governance, compliance, and operational and risk auditing of your account.

To ensure that CloudTrail remains enabled in your account, AWS Config provides the cloudtrail-enabled managed rule. If CloudTrail is turned off, the cloudtrail-enabled rule automatically re-enables it by using automatic remediation.

However, you must make sure that you follow security best practices for CloudTrail if you use automatic remediation. These best practices include enabling CloudTrail in all AWS Regions, logging read and write workloads, enabling insights, and encrypting log files with server-side encryption using AWS Key Management Service (AWS KMS) managed keys (SSE-KMS).

This pattern helps you follow these security best practices by providing a custom remediation action to automatically re-enable CloudTrail in your account.

Important: We recommend using service control policies (SCPs) to prevent any tampering with CloudTrail. For more information about this, see the Prevent tampering with AWS CloudTrail section of How to use AWS Organizations to simplify security at enormous scale on the AWS Security Blog.

Prerequisites and limitations

Prerequisites

  • An active AWS account

  • Permissions to create an AWS Systems Manager Automation runbook

  • An existing trail for your account

Limitations

This pattern doesn't support the following actions:

  • Setting an Amazon Simple Storage Service (Amazon S3) prefix key for the storage location

  • Publishing to an Amazon Simple Notification Service (Amazon SNS) topic

  • Configuring Amazon CloudWatch Logs to monitor your CloudTrail logs

Architecture

Technology stack

  • AWS Config

  • CloudTrail

  • Systems Manager

  • Systems Manager Automation

Tools

Code

The cloudtrail-remediation-action.yml file (attached) helps you create a Systems Manager Automation runbook to set up and re-enable CloudTrail using security best practices.

Epics

Task: Create an S3 bucket.

Sign in to the AWS Management Console, open the Amazon S3 console, and then create an S3 bucket to store the CloudTrail logs. For more information, see Create an S3 bucket in the Amazon S3 documentation.

Skills required: Systems administrator

Task: Add a bucket policy to allow CloudTrail to deliver log files to the S3 bucket.

CloudTrail must have the required permissions to deliver log files to your S3 bucket. On the Amazon S3 console, choose the S3 bucket that you created earlier and then choose Permissions. Create an S3 bucket policy by using the Amazon S3 bucket policy for CloudTrail from the CloudTrail documentation.

For steps on how to add a policy to an S3 bucket, see Adding a bucket policy using the Amazon S3 console in the Amazon S3 documentation.

Important: If you specified a prefix when you created your trail in CloudTrail, make sure that you include it in the S3 bucket policy. The prefix is an optional addition to the S3 object key that creates a folder-like organization in your S3 bucket. For more information about this, see Creating a trail in the CloudTrail documentation.
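The bucket policy above is built by hand in the console; the following added example (not part of this pattern or its attached runbook) builds the same documented CloudTrail bucket policy programmatically and checks the prefix caveat from the note above. The bucket name, account ID, trail name and prefix are constructed sample values; the function names are assumptions for illustration.

```python
import json
from typing import Optional


def cloudtrail_bucket_policy(bucket: str, account_id: str, region: str,
                             trail_name: str, prefix: Optional[str] = None,
                             org_id: Optional[str] = None) -> dict:
    """Build the S3 bucket policy that lets CloudTrail deliver log files.

    Mirrors the documented CloudTrail bucket policy: one statement for the
    ACL check and one for PutObject, both scoped to this trail's ARN via
    aws:SourceArn so a trail in another account cannot write into the bucket.
    """
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    # Log objects land under [prefix/]AWSLogs/<account>/; the prefix must be
    # part of the resource path or delivery for a prefixed trail is denied.
    path = f"{prefix.strip('/')}/" if prefix else ""
    put_resources = [f"arn:aws:s3:::{bucket}/{path}AWSLogs/{account_id}/*"]
    if org_id:  # organization trails also deliver under the organization ID path
        put_resources.append(f"arn:aws:s3:::{bucket}/{path}AWSLogs/{org_id}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck20150319",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite20150319",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": put_resources,
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceArn": trail_arn,
                    }
                },
            },
        ],
    }


def policy_covers_prefix(policy: dict, bucket: str, account_id: str,
                         prefix: Optional[str]) -> bool:
    """True if a PutObject statement's resource matches the trail's delivery path."""
    path = f"{prefix.strip('/')}/" if prefix else ""
    wanted = f"arn:aws:s3:::{bucket}/{path}AWSLogs/{account_id}/*"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "s3:PutObject" not in actions:
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if wanted in resources:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values, not taken from any real account.
    policy = cloudtrail_bucket_policy("example-trail-logs", "111122223333", "us-east-1",
                                      "management-events", prefix="prod")
    print(json.dumps(policy, indent=2))
    print("prefix covered:", policy_covers_prefix(policy, "example-trail-logs",
                                                   "111122223333", "prod"))
```

Run `policy_covers_prefix` against the policy actually attached to the bucket before enabling remediation: a policy written without the prefix passes the console's syntax check but the re-enabled trail will fail to deliver logs, which is exactly the failure the note above warns about.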

Skills required: Systems administrator

Task: Create a KMS key.

Create an AWS KMS key for CloudTrail to encrypt objects before adding them to the S3 bucket. For help with this task, see Encrypting CloudTrail log files with AWS KMS managed keys (SSE-KMS) in the CloudTrail documentation.

Skills required: Systems administrator

Task: Add a key policy to the KMS key.

Attach a KMS key policy to allow CloudTrail to use the KMS key. For help with this task, see Encrypting CloudTrail log files with AWS KMS managed keys (SSE-KMS) in the CloudTrail documentation.

Important: CloudTrail doesn’t require Decrypt permissions.
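As an added example (not part of this pattern or the CloudTrail documentation), the following builds a key policy of the documented shape and checks the least-privilege point made in the note: the CloudTrail service principal receives only kms:GenerateDataKey* and kms:DescribeKey, while kms:Decrypt goes to the principals that read the logs. Account ID, trail name and reader role ARN are constructed values; the function names are assumptions.

```python
from typing import Iterable, List, Set


def cloudtrail_key_policy(account_id: str, region: str, trail_name: str,
                          log_reader_arns: Iterable[str]) -> dict:
    """Build a KMS key policy that lets CloudTrail encrypt log files with this key.

    CloudTrail only wraps a data key per log file, so it needs GenerateDataKey*
    (plus DescribeKey); Decrypt belongs to whoever reads the delivered logs.
    """
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    ctx_pattern = f"arn:aws:cloudtrail:*:{account_id}:trail/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Key administration stays with the account root; without a
                # statement like this the key cannot be managed afterwards.
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow CloudTrail to encrypt logs",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "kms:GenerateDataKey*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"aws:SourceArn": trail_arn},
                    "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": ctx_pattern},
                },
            },
            {
                "Sid": "Allow CloudTrail to describe key",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "kms:DescribeKey",
                "Resource": "*",
            },
            {
                "Sid": "Allow log readers to decrypt log files",
                "Effect": "Allow",
                "Principal": {"AWS": list(log_reader_arns)},
                "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"kms:CallerAccount": account_id},
                    "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": ctx_pattern},
                },
            },
        ],
    }


def actions_for_service(policy: dict, service: str) -> Set[str]:
    """Collect every action that Allow statements grant to a service principal."""
    granted: Set[str] = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if service in services:
            actions = stmt["Action"]
            granted.update([actions] if isinstance(actions, str) else actions)
    return granted


def cloudtrail_overgranted(policy: dict) -> List[str]:
    """Return actions granted to CloudTrail beyond what log delivery needs."""
    needed = {"kms:GenerateDataKey*", "kms:DescribeKey"}
    return sorted(actions_for_service(policy, "cloudtrail.amazonaws.com") - needed)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real account.
    policy = cloudtrail_key_policy("111122223333", "us-east-1", "management-events",
                                   ["arn:aws:iam::111122223333:role/SecurityAudit"])
    print("extra CloudTrail permissions:", cloudtrail_overgranted(policy))
```

`cloudtrail_overgranted` is the check to run on an existing key policy before pointing the remediation at that key: an empty list means the service principal has exactly the two actions it needs.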

Skills required: Systems administrator

Task: Create an AssumeRole for the Systems Manager runbook.

Create an AssumeRole for Systems Manager Automation to run the runbook. For instructions and more information about this, see Setting up automation in the Systems Manager documentation.

Skills required: Systems administrator

Task: Create the Systems Manager Automation runbook.

Use the cloudtrail-remediation-action.yml file (attached) to create the Systems Manager Automation runbook. For more information about this, see Creating Systems Manager documents in the Systems Manager documentation.

Skills required: Systems administrator

Task: Test the runbook.

On the Systems Manager console, test the Systems Manager Automation runbook that you created earlier. For more information about this, see Running a simple automation in the Systems Manager documentation.

Skills required: Systems administrator

Task: Add the cloudtrail-enabled rule.

On the AWS Config console, choose Rules and then choose Add rule. On the Add rule page, choose Add custom rule. On the Configure rule page, enter a name and description, and add the cloudtrail-enabled rule. For more information, see Managing your AWS Config rules in the AWS Config documentation.

Skills required: Systems administrator

Task: Add the automatic remediation action.

From the Actions dropdown list, choose Manage remediation. Choose Auto remediation and then choose the Systems Manager runbook that you created earlier.

The following are the input parameters for the runbook (the first three are required):

  • CloudTrailName

  • CloudTrailS3BucketName

  • CloudTrailKmsKeyId

  • AssumeRole (optional)

The following input parameters are set to true by default:

  • IsMultiRegionTrail

  • IsOrganizationTrail

  • IncludeGlobalServiceEvents

  • EnableLogFileValidation

Retain the default values for the Rate Limits parameter and Resource ID parameter. Choose Save.

For more information, see Remediating noncompliant AWS resources with AWS Config rules in the AWS Config documentation.

Skills required: Systems administrator
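To show what the remediation has to do with the parameters listed above, here is an added example that is not the attached cloudtrail-remediation-action.yml runbook and not AWS code: a pure function that compares a trail's current state (as returned by the CloudTrail DescribeTrails, GetTrailStatus, GetEventSelectors and GetInsightSelectors APIs) with the best practices from the Summary and returns the ordered API calls needed, plus a small executor that invokes them on a boto3-style client. The sample trail, bucket and key values are constructed; `plan_remediation`, `apply_plan` and the parameter names are assumptions, while the CloudTrail API and field names are the real ones.

```python
import re
from typing import Any, Dict, List


def _snake(api_name: str) -> str:
    """UpdateTrail -> update_trail, the boto3 method naming convention."""
    return re.sub(r"(?<!^)(?=[A-Z])", "_", api_name).lower()


def plan_remediation(trail: Dict[str, Any], status: Dict[str, Any],
                     event_selectors: List[Dict[str, Any]],
                     insight_selectors: List[Dict[str, Any]],
                     s3_bucket: str, kms_key_id: str,
                     is_multi_region_trail: bool = True,
                     is_organization_trail: bool = True,
                     include_global_service_events: bool = True,
                     enable_log_file_validation: bool = True) -> List[Dict[str, Any]]:
    """Return the ordered CloudTrail API calls that bring one trail to the desired state.

    trail is one entry of DescribeTrails.trailList, status is GetTrailStatus,
    event_selectors and insight_selectors come from GetEventSelectors and
    GetInsightSelectors. Only settings that actually differ produce a call, so
    the plan is empty (idempotent) for an already compliant trail.
    """
    name = trail["Name"]
    calls: List[Dict[str, Any]] = []

    desired = {
        "S3BucketName": s3_bucket,
        "KmsKeyId": kms_key_id,  # pass the key ARN the trail reports, or UpdateTrail repeats every run
        "IsMultiRegionTrail": is_multi_region_trail,
        "IsOrganizationTrail": is_organization_trail,
        "IncludeGlobalServiceEvents": include_global_service_events,
        "EnableLogFileValidation": enable_log_file_validation,
    }
    # DescribeTrails reports validation as LogFileValidationEnabled, but
    # UpdateTrail takes EnableLogFileValidation; normalise before comparing.
    current = dict(trail)
    current["EnableLogFileValidation"] = trail.get("LogFileValidationEnabled", False)
    changes = {k: v for k, v in desired.items() if current.get(k) != v}
    if changes:
        calls.append({"api": "UpdateTrail", "params": {"Name": name, **changes}})

    # Log both read and write management events.
    logs_all = any(sel.get("ReadWriteType") == "All" and sel.get("IncludeManagementEvents")
                   for sel in event_selectors)
    if not logs_all:
        calls.append({"api": "PutEventSelectors", "params": {
            "TrailName": name,
            "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]}})

    # Enable CloudTrail Insights (API call rate anomalies).
    if not any(sel.get("InsightType") == "ApiCallRateInsight" for sel in insight_selectors):
        calls.append({"api": "PutInsightSelectors", "params": {
            "TrailName": name, "InsightSelectors": [{"InsightType": "ApiCallRateInsight"}]}})

    # Start logging last, so the trail resumes already in its hardened configuration.
    if not status.get("IsLogging"):
        calls.append({"api": "StartLogging", "params": {"Name": name}})
    return calls


def apply_plan(client: Any, plan: List[Dict[str, Any]]) -> List[str]:
    """Invoke each planned call on a boto3-style client; returns the API names invoked."""
    done: List[str] = []
    for call in plan:
        getattr(client, _snake(call["api"]))(**call["params"])
        done.append(call["api"])
    return done


# Constructed sample: a trail that was stopped and is only partly configured.
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_TRAIL = {"Name": "management-events", "S3BucketName": "example-trail-logs",
                "IsMultiRegionTrail": False, "IsOrganizationTrail": True,
                "IncludeGlobalServiceEvents": True, "LogFileValidationEnabled": True}
SAMPLE_STATUS = {"IsLogging": False}
SAMPLE_EVENT_SELECTORS = [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]
SAMPLE_INSIGHTS: List[Dict[str, Any]] = []

if __name__ == "__main__":
    plan = plan_remediation(SAMPLE_TRAIL, SAMPLE_STATUS, SAMPLE_EVENT_SELECTORS, SAMPLE_INSIGHTS,
                            s3_bucket="example-trail-logs", kms_key_id=SAMPLE_KEY_ARN)
    for call in plan:
        print(call["api"], call["params"])
```

In a live run the client is `boto3.client("cloudtrail")` under the AssumeRole created earlier; the planner is deliberately separate from the executor so the intended changes can be logged or reviewed before the remediation touches the trail.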

Task: Test the automatic remediation rule.

To test the automatic remediation rule, open the CloudTrail console, choose Trails, and then choose the trail. Choose Stop logging to turn off logging for the trail. When you are prompted to confirm, choose Stop logging. CloudTrail stops logging activity for that trail.

Follow the instructions from Evaluating your resources in the AWS Config documentation to make sure that CloudTrail was automatically re-enabled.

Skills required: Systems administrator

Related resources

Configure CloudTrail

Create and test the Systems Manager Automation runbook

Set up the automatic remediation rule in AWS Config

Additional resources

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip