Enable Audit Logs for Multiple Cloud Services

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that audit logs are enabled for multiple Alibaba Cloud services using the Log Audit Service in order to help you meet regulatory compliance requirements. The Log Audit Service helps you collect logs from various Alibaba Cloud services and store them in a centralized location. You can then query, analyze, and visualize these logs for auditing purposes.

Security

Sending the audit logs to Log Audit Service enables seamless real-time and historical tracking of user, API, resource, and IP address activities. This process offers several advantages, including the ability to gather logs from multiple accounts, centralize log storage, set up alarms and notifications for unusual or sensitive account actions, and extend the default log retention period.


Audit

To determine if the audit logs are enabled for multiple cloud services, perform the following operations:

Checking for Log Audit Service configuration and status via Alibaba Cloud CLI (aliyun) is not currently supported.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Simple Log Service (SLS) console available at https://sls.console.aliyun.com/.

03 In the Log Application section, select the Audit & Security tab, and choose Log Audit Service.

04 In the left navigation panel, under Access to Cloud Products, choose Global Configurations.

05 Select the cloud region of the SLS central project from the Region of the Central Project dropdown list. If the region is already configured, check the name of the SLS central project listed next to Central Project. If the name is plain text (not a clickable link), no SLS central project exists in the selected region to manage log resources, therefore audit logs are not enabled. If the name is a link, the SLS central project exists, and you can continue the Audit process with the next step.

06 Ensure that audit logs are enabled for the following cloud services: Operation Logs for ActionTrail, Access Logs for OSS, SQL Audit Logs for RDS, Layer-7 Access Logs for SLB, Access Logs for API Gateway, and Access Logs for NAS. If any of the listed logs is not enabled, audit logging is not enabled for all of these cloud services within the Log Audit Service settings, and the configuration is not compliant. If all the listed logs are enabled, continue the Audit process with the next step.

07 In the left navigation panel, under Multi-Account Configurations, choose Global Configurations and check whether all the resource owner accounts are added to the multi-account management configuration. If any owner account is not being tracked, the multi-account management configuration is not compliant. If all owner accounts are integrated, continue the Audit process with the next step.

08 In the left navigation panel, under Access to Cloud Products, choose Status Dashboard and check the log collection status. If Status is not Normal (green), log collection is not working as configured and the Log Audit Service setup is not compliant.
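Because the checks above are manual, the following added example (not Conformity's or Alibaba Cloud's code) encodes steps 05 to 08 as a policy check that can be run against a snapshot of the Log Audit Service configuration. The snapshot structure, the account IDs, the project name and the 90-day minimum retention threshold are all constructed assumptions for the example; the six required log types are the ones listed in step 06.

```python
"""Policy check for Alibaba Cloud Log Audit Service global configuration.

Added example. The snapshot layout below is an assumption: it mirrors what the
Log Audit Service console shows (central project, per-service switches and
retention, tracked accounts, collection status) but is not an Alibaba Cloud API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Log types required by the audit step (key -> label shown in the console).
REQUIRED_LOGS = {
    "actiontrail": "Operation Logs for ActionTrail",
    "oss_access": "Access Logs for OSS",
    "rds_audit": "SQL Audit Logs for RDS",
    "slb_access": "Layer-7 Access Logs for SLB",
    "apigateway_access": "Access Logs for API Gateway",
    "nas_access": "Access Logs for NAS",
}


@dataclass
class LogAuditSnapshot:
    central_project: Optional[str]                 # None: no central project (name is not a link)
    logs: Dict[str, Dict] = field(default_factory=dict)  # key -> {"enabled": bool, "ttl_days": int}
    resource_directory_accounts: Set[str] = field(default_factory=set)  # owner accounts that exist
    tracked_accounts: Set[str] = field(default_factory=set)             # accounts added to multi-account config
    collection_status: str = "Unknown"             # Status Dashboard value, e.g. "Normal"


def evaluate(snapshot: LogAuditSnapshot, min_retention_days: int = 90) -> List[str]:
    """Return a list of findings; an empty list means the configuration is compliant.

    min_retention_days is an assumed organisational threshold, not a value from
    the rule; the rule only requires that a retention period be set.
    """
    findings: List[str] = []

    # Step 05: without a central project nothing is collected, so stop here.
    if not snapshot.central_project:
        findings.append("no SLS central project exists; audit logs are not enabled")
        return findings

    # Step 06: every required log type must be switched on, with adequate retention.
    for key, label in REQUIRED_LOGS.items():
        cfg = snapshot.logs.get(key, {})
        if not cfg.get("enabled", False):
            findings.append(f"{label} not enabled")
        elif cfg.get("ttl_days", 0) < min_retention_days:
            findings.append(
                f"{label} retention {cfg['ttl_days']}d is below {min_retention_days}d"
            )

    # Step 07: every owner account must be tracked by the multi-account configuration.
    untracked = snapshot.resource_directory_accounts - snapshot.tracked_accounts
    if untracked:
        findings.append("accounts not tracked: " + ", ".join(sorted(untracked)))

    # Step 08: the Status Dashboard must report Normal.
    if snapshot.collection_status != "Normal":
        findings.append(f"collection status is {snapshot.collection_status}, not Normal")

    return findings


def is_compliant(snapshot: LogAuditSnapshot, min_retention_days: int = 90) -> bool:
    return not evaluate(snapshot, min_retention_days)


# Constructed sample snapshots (account IDs and project name are placeholders).
COMPLIANT = LogAuditSnapshot(
    central_project="slsaudit-center-1234567890123456-cn-hangzhou",
    logs={key: {"enabled": True, "ttl_days": 180} for key in REQUIRED_LOGS},
    resource_directory_accounts={"1234567890123457", "1234567890123458"},
    tracked_accounts={"1234567890123457", "1234567890123458"},
    collection_status="Normal",
)

NONCOMPLIANT = LogAuditSnapshot(
    central_project="slsaudit-center-1234567890123456-cn-hangzhou",
    logs={
        **{key: {"enabled": True, "ttl_days": 180} for key in REQUIRED_LOGS},
        "rds_audit": {"enabled": False},             # SQL Audit Logs for RDS switched off
        "nas_access": {"enabled": True, "ttl_days": 30},  # retention too short
    },
    resource_directory_accounts={"1234567890123457", "1234567890123458"},
    tracked_accounts={"1234567890123457"},        # one owner account not tracked
    collection_status="Abnormal",
)

if __name__ == "__main__":
    for name, snap in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, "->", evaluate(snap) or "OK")
```

The check fails closed: a missing central project short-circuits the evaluation, and a service absent from the snapshot is treated as not enabled rather than skipped, so an incomplete export never reads as compliant.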

Remediation / Resolution

To ensure that audit logging is enabled for multiple cloud services using the Log Audit Service, perform the following operations:

Configuring the Log Audit Service integration via Alibaba Cloud CLI (aliyun) is not currently supported.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Simple Log Service (SLS) console available at https://sls.console.aliyun.com/.

03 In the Log Application section, select the Audit & Security tab, and choose Log Audit Service.

04 In the left navigation panel, under Access to Cloud Products, choose Global Configurations.

05 Select the cloud region required for your SLS central project from the Region of the Central Project dropdown list. If the Region of the Central Project is already configured and the Central Project is available, choose Modify from the top-right menu.

06 Enable audit logs for the following cloud services: Operation Logs for ActionTrail, Access Logs for OSS, SQL Audit Logs for RDS, Layer-7 Access Logs for SLB, Access Logs for API Gateway, and Access Logs for NAS. For RDS, enable SQL Audit Logs, select Go to Collection Policy, ensure that the Default Collection Policy is set to Retain, and choose OK to confirm the collection policy. Set the log data retention period for each selected cloud service in the Storage Method column.

07 Choose Save to apply the configuration changes. This will create the SLS central project and SLS Logstore required for managing and storing log resources.

08 In the left navigation panel, under Multi-Account Configurations, choose Global Configurations, select the Resource Directory Mode tab, and perform the following actions:

  1. If your account has not completed the integration with Resource Directory, follow the steps outlined in the Multi-account Management section to enable integrated access with Resource Directory for multi-account management.
  2. Choose Modify, select the owner accounts that you want to invite, and choose Confirm to save the changes. This will complete the multi-account management configuration. Once the configuration is completed, wait for approximately 2 minutes, then continue the Remediation process with the next step.

09 In the left navigation panel, under Access to Cloud Products, choose Status Dashboard and check the Log Audit Service status. If Status is set to Normal (green), the log collection status is compliant.

Publication date Apr 26, 2024