AWS CloudTrail controls
These controls are related to CloudTrail resources.
These controls may not be available in all AWS Regions. For more information, see Availability of controls by Region.
[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events
Related requirements: CIS AWS Foundations Benchmark v1.2.0/2.1, CIS AWS Foundations Benchmark v1.4.0/3.1, NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-14(1), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), NIST.800-53.r5 SA-8(22)
Category: Identify > Logging
Severity: High
Resource type: AWS::::Account
AWS Config rule:
multi-region-cloudtrail-enabled
Schedule type: Periodic
Parameters:
-
readWriteType:ALL(not customizable)includeManagementEvents:true(not customizable)
This control checks whether there is at least one multi-Region AWS CloudTrail trail that captures read and write management events. The control fails if CloudTrail is disabled or if there isn't at least one CloudTrail trail that captures read and write management events.
AWS CloudTrail records AWS API calls for your account and delivers log files to you. The recorded information includes the following information:
-
Identity of the API caller
-
Time of the API call
-
Source IP address of the API caller
-
Request parameters
-
Response elements returned by the AWS service
CloudTrail provides a history of AWS API calls for an account, including API calls made from the AWS Management Console, AWS SDKs, command line tools. The history also includes API calls from higher-level AWS services such as AWS CloudFormation.
The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Multi-Region trails also provide the following benefits.
-
A multi-Region trail helps to detect unexpected activity occurring in otherwise unused Regions.
-
A multi-Region trail ensures that global service event logging is enabled for a trail by default. Global service event logging records events generated by AWS global services.
-
For a multi-Region trail, management events for all read and write operations ensure that CloudTrail records management operations on all resources in an AWS account.
By default, CloudTrail trails that are created using the AWS Management Console are multi-Region trails.
Remediation
To create a new multi-Region trail in CloudTrail, see Creating a trail in the AWS CloudTrail User Guide. Use the following values:
| Field | Value |
|---|---|
|
Additional settings, Log file validation |
Enabled |
|
Choose log events, Management events, API activity |
Read and Write. Clear check boxes for exclusions. |
To update an existing trail, see Updating a trail in the AWS CloudTrail User Guide. In Management events, for API activity, choose Read and Write.
[CloudTrail.2] CloudTrail should have encryption at-rest enabled
Related requirements: PCI DSS v3.2.1/3.4, CIS AWS Foundations Benchmark v1.2.0/2.7, CIS AWS Foundations Benchmark v1.4.0/3.7, NIST.800-53.r5 AU-9, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)
Category: Protect > Data protection > Encryption of data at rest
Severity: Medium
Resource type:
AWS::CloudTrail::Trail
AWS Config rule:
cloud-trail-encryption-enabled
Schedule type: Periodic
Parameters: None
This control checks whether CloudTrail is configured to use the server-side encryption (SSE)
AWS KMS key encryption. The control fails if the KmsKeyId isn't defined.
For an added layer of security for your sensitive CloudTrail log files, you should use server-side encryption with AWS KMS keys (SSE-KMS) for your CloudTrail log files for encryption at rest. Note that by default, the log files delivered by CloudTrail to your buckets are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3).
Remediation
To enable SSE-KMS encryption for CloudTrail log files, see Update a trail to use a KMS key in the AWS CloudTrail User Guide.
[CloudTrail.3] CloudTrail should be enabled
Related requirements: PCI DSS v3.2.1/10.1, PCI DSS v3.2.1/10.2.1, PCI DSS v3.2.1/10.2.2, PCI DSS v3.2.1/10.2.3, PCI DSS v3.2.1/10.2.4, PCI DSS v3.2.1/10.2.5, PCI DSS v3.2.1/10.2.6, PCI DSS v3.2.1/10.2.7, PCI DSS v3.2.1/10.3.1, PCI DSS v3.2.1/10.3.2, PCI DSS v3.2.1/10.3.3, PCI DSS v3.2.1/10.3.4, PCI DSS v3.2.1/10.3.5, PCI DSS v3.2.1/10.3.6
Category: Identify > Logging
Severity: High
Resource type: AWS::::Account
AWS Config rule:
cloudtrail-enabled
Schedule type: Periodic
Parameters: None
This control checks whether CloudTrail is enabled in your AWS account. The control fails if your account doesn't have at least one CloudTrail trail.
However, some AWS services do not enable logging of all APIs and events. You should implement any additional audit trails other than CloudTrail and review the documentation for each service in CloudTrail Supported Services and Integrations.
Remediation
To get started with CloudTrail and create a trail, see the Getting started with AWS CloudTrail tutorial in the AWS CloudTrail User Guide.
[CloudTrail.4] CloudTrail log file validation should be enabled
Related requirements: PCI DSS v3.2.1/10.5.2, PCI DSS v3.2.1/10.5.5, CIS AWS Foundations Benchmark v1.2.0/2.2, CIS AWS Foundations Benchmark v1.4.0/3.2, NIST.800-53.r5 AU-9, NIST.800-53.r5 SI-4, NIST.800-53.r5 SI-7(1), NIST.800-53.r5 SI-7(3), NIST.800-53.r5 SI-7(7)
Category: Data protection > Data integrity
Severity: Low
Resource type:
AWS::CloudTrail::Trail
AWS Config rule:
cloud-trail-log-file-validation-enabled
Schedule type: Periodic
Parameters: None
This control checks whether log file integrity validation is enabled on a CloudTrail trail.
CloudTrail log file validation creates a digitally signed digest file that contains a hash of each log that CloudTrail writes to Amazon S3. You can use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log.
Security Hub recommends that you enable file validation on all trails. Log file validation provides additional integrity checks of CloudTrail logs.
Remediation
To enable CloudTrail log file validation, see Enabling log file integrity validation for CloudTrail in the AWS CloudTrail User Guide.
[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs
Related requirements: PCI DSS v3.2.1/10.5.3, CIS AWS Foundations Benchmark v1.2.0/2.4, CIS AWS Foundations Benchmark v1.4.0/3.4, NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(1), NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-6(5), NIST.800-53.r5 AU-7(1), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-20, NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-4(5), NIST.800-53.r5 SI-7(8)
Category: Identify > Logging
Severity: Low
Resource type:
AWS::CloudTrail::Trail
AWS Config rule:
cloud-trail-cloud-watch-logs-enabled
Schedule type: Periodic
Parameters: None
This control checks whether CloudTrail trails are configured to send logs to CloudWatch Logs. The control
fails if the CloudWatchLogsLogGroupArn property of the trail is empty.
CloudTrail records AWS API calls that are made in a given account. The recorded information includes the following:
-
The identity of the API caller
-
The time of the API call
-
The source IP address of the API caller
-
The request parameters
-
The response elements returned by the AWS service
CloudTrail uses Amazon S3 for log file storage and delivery. You can capture CloudTrail logs in a specified S3 bucket for long-term analysis. To perform real-time analysis, you can configure CloudTrail to send logs to CloudWatch Logs.
For a trail that is enabled in all Regions in an account, CloudTrail sends log files from all of those Regions to a CloudWatch Logs log group.
Security Hub recommends that you send CloudTrail logs to CloudWatch Logs. Note that this recommendation is intended to ensure that account activity is captured, monitored, and appropriately alarmed on. You can use CloudWatch Logs to set this up with your AWS services. This recommendation does not preclude the use of a different solution.
Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address. You can use this approach to establish alarms and notifications for anomalous or sensitivity account activity.
Remediation
To integrate CloudTrail with CloudWatch Logs, see Sending events to CloudWatch Logs in the AWS CloudTrail User Guide.
[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
Related requirements: CIS AWS Foundations Benchmark v1.2.0/2.3, CIS AWS Foundations Benchmark v1.4.0/3.3
Category: Identify > Logging
Severity: Critical
Resource type:
AWS::S3::Bucket
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic and change triggered
Parameters: None
CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. CIS recommends that the S3 bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account's use or configuration.
To run this check, Security Hub first uses custom logic to look for the S3 bucket where your CloudTrail logs are stored. It then uses the AWS Config managed rules to check that bucket is publicly accessible.
If you aggregate your logs into a single centralized S3 bucket, then Security Hub only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is No data.
If the bucket is publicly accessible, the check generates a failed finding.
Remediation
To block public access to your CloudTrail S3 bucket, see Configuring block public access settings for your S3 buckets in the Amazon Simple Storage Service User Guide. Select all four Amazon S3 Block Public Access Settings.
[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Related requirements: CIS AWS Foundations Benchmark v1.2.0/2.6, CIS AWS Foundations Benchmark v1.4.0/3.6
Category: Identify > Logging
Severity: Low
Resource type:
AWS::CloudTrail::Trail
AWS Config rule: None (custom Security Hub rule)
Schedule type: Periodic
Parameters: None
S3 bucket access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed.
CIS recommends that you enable bucket access logging on the CloudTrail S3 bucket.
By enabling S3 bucket logging on target S3 buckets, you can capture all events that might affect objects in a target bucket. Configuring logs to be placed in a separate bucket enables access to log information, which can be useful in security and incident response workflows.
To run this check, Security Hub first uses custom logic to look for the bucket where your CloudTrail logs are stored and then uses the AWS Config managed rule to check if logging is enabled.
If CloudTrail delivers log files from multiple AWS accounts into a single destination Amazon S3 bucket, Security Hub evaluates this control only against the destination bucket in the Region where it's located. This streamlines your findings. However, you should turn on CloudTrail in all accounts that deliver logs to the destination bucket. For all accounts except the one that holds the destination bucket, the control status is No data.
If the bucket is publicly accessible, the check generates a failed finding.
Remediation
To enable server access logging for your CloudTrail S3 bucket, see Enabling Amazon S3 server access logging in the Amazon Simple Storage Service User Guide.
