Automatically re-enable AWS CloudTrail by using a custom remediation rule in AWS Config - AWS Prescriptive Guidance

Automatically re-enable AWS CloudTrail by using a custom remediation rule in AWS Config

Created by Manigandan Shri (AWS)

Environment: Production

Technologies: Infrastructure; Operations; Security, identity, compliance

AWS services: Amazon S3; AWS Config; AWS KMS; AWS Identity and Access Management; AWS Systems Manager; AWS CloudTrail

Summary

Visibility over activity in your Amazon Web Services (AWS) account is an important security and operational best practice. AWS CloudTrail helps you with the governance, compliance, and operational and risk auditing of your account.

To ensure that CloudTrail remains enabled in your account, AWS Config provides the cloudtrail-enabled managed ruleIf CloudTrail is turned off, the cloudtrail-enabled rule automatically re-enables it by using automatic remediation.

However, you must make sure that you follow security best practices for CloudTrail if you use automatic remediation. These best practices include enabling CloudTrail in all AWS Regions, logging read and write workloads, enabling insights, and encrypting log files with server-side encryption using AWS Key Management Service (AWS KMS) managed keys (SSE-KMS).

This pattern helps you follow these security best practices by providing a custom remediation action to automatically re-enable CloudTrail in your account.

Important: We recommend using service control policies (SCPs) to prevent any tampering with CloudTrail. For more information about this, see the Prevent tampering with AWS CloudTrail section of How to use AWS Organizations to simplify security at enormous scale on the AWS Security Blog.

Prerequisites and limitations

Prerequisites

  • An active AWS account

  • AWS Identity and Access Management (IAM) user and role permissions to create an AWS Systems Manager Automation runbook

  • An existing trail for your account

Limitations 

This pattern doesn't support the following actions:

  • Setting an Amazon Simple Storage Service (Amazon S3) prefix key for the storage location

  • Publishing to an Amazon Simple Notification Service (Amazon SNS) topic

  • Configuring Amazon CloudWatch Logs to monitor your CloudTrail logs

Architecture

Technology stack  

  • AWS Config 

  • CloudTrail

  • Systems Manager

  • Systems Manager Automation

Tools

 

AWS Config – AWS Config provides a detailed view of the configuration of AWS resources in your account. 

AWS CloudTrail – CloudTrail helps you enable governance, compliance, and operational and risk auditing of your account.

AWS KMS – AWS Key Management Service (AWS KMS) is an encryption and key management service.

AWS Systems Manager – Systems Manager helps you view and control your infrastructure on AWS.

AWS Systems Manager Automation – Systems Manager Automation simplifies common maintenance and deployment tasks of Amazon Elastic Compute Cloud (Amazon EC2) instances and other AWS resources.

Amazon S3 – Amazon Simple Storage Service (Amazon S3) is storage for the internet.

Code

The cloudtrail-remediation-action.yml file (attached) helps you create a Systems Manager Automation runbook to set up and re-enable CloudTrail using security best practices.

Epics

TaskDescriptionSkills required
Create an S3 bucket.

Sign in to the AWS Management Console, open the Amazon S3 console, and then create an S3 bucket to store the CloudTrail logs. For more information, see Create an S3 bucket in the Amazon S3 documentation.

Systems administrator
Add a bucket policy to allow CloudTrail to deliver log files to the S3 bucket.

CloudTrail must have the required permissions to deliver log files to your S3 bucket. On the Amazon S3 console, choose the S3 bucket that you created earlier and then choose Permissions. Create an S3 bucket policy by using the Amazon S3 bucket policy for CloudTrail from the CloudTrail documentation.

For steps on how to add a policy to an S3 bucket, see Adding a bucket policy using the Amazon S3 console in the Amazon S3 documentation.

Important: If you specified a prefix when you created your trail in CloudTrail, make sure that you include it in the S3 bucket policy. The prefix is an optional addition to the S3 object key that creates a folder-like organization in your S3 bucket. For more information about this, see Creating a trail in the CloudTrail documentation.

Systems administrator
Create a KMS key.

Create an AWS KMS key for CloudTrail to encrypt objects before adding them to the S3 bucket. For help with this story, see Encrypting CloudTrail log files with AWS KMS managed keys (SSE-KMS) in the CloudTrail documentation.

Systems administrator
Add a key policy to the KMS key.

Attach a KMS key policy to allow CloudTrail to use the KMS key. For help with this story, see Encrypting CloudTrail log files with AWS KMS–managed keys (SSE-KMS) in the CloudTrail documentation.

Important: CloudTrail doesn’t require Decrypt permissions.

Systems administrator
Create AssumeRole for Systems Manager runbook

Create an AssumeRole for Systems Manager Automation to run the runbook. For instructions and more information about this, see Setting up automation in the Systems Manager documentation.

Systems administrator
TaskDescriptionSkills required
Create the Systems Manager Automation runbook.

Use the cloudtrail-remediation-action.yml file (attached) to create the Systems Manager Automation runbook. For more information about this, see Creating Systems Manager documents in the Systems Manager documentation.

Systems administrator
Test the runbook.

On the System Manager console, test the Systems Manager Automation runbook that you created earlier. For more information about this, see Running a simple automation in the Systems Manager documentation.

Systems administrator
TaskDescriptionSkills required
Add the cloudtrail-enabled rule.

On the AWS Config console, choose Rules and then choose Add rule. On the Add rule page, choose Add custom rule. On the Configure rule page, enter a name and description, and add the cloudtrail-enabled rule. For more information, see Managing your AWS Config rules in the AWS Config documentation.

Systems administrator
Add the automatic remediation action.

From the Actions dropdown list, choose Manage remediation. Choose Auto remediation and then choose the Systems Manager runbook that you created earlier. 

The following are the required input parameters for CloudTrail:

  • CloudTrailName

  • CloudTrailS3BucketName

  • CloudTrailKmsKeyId

  • AssumeRole (optional)

The following input parameters are set to true by default: 

  • IsMultiRegionTrail

  • IsOrganizationTrail

  • IncludeGlobalServiceEvents

  • EnableLogFileValidation

Retain the default values for the Rate Limits parameter and Resource ID parameter. Choose Save.

For more information about this, see Remediating noncompliant AWS resources with AWS Config rules in the AWS Config documentation

Systems administrator
Test the automatic remediation rule.

To test the automatic remediation rule, open the CloudTrail console,  choose Trails, and then choose the trail. Choose Stop logging to turn off logging for the trail. When you are prompted to confirm, choose Stop logging. CloudTrail stops logging activity for that trail.

Follow the instructions from Evaluating your resources in the AWS Config documentation to make sure that CloudTrail was automatically re-enabled.

Systems administrator

Configure CloudTrail

Create and test the Systems Manager Automation runbook

Set up the automatic remediation rule in AWS Config 

Additional resources

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip