Avoid Duplicate Entries in Amazon CloudTrail Logs

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CT-006

Ensure that only one trail within your Amazon CloudTrail multi-region logging configuration has the capability to record global service events in order to avoid duplicate log events for AWS global services such as Amazon IAM, Security Token Service (STS), or Amazon CloudFront.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When you have multiple single-region trails created in your AWS cloud account, the events recorded for certain global services are duplicated in the log files as each region trail writes the same events to the CloudTrail aggregated log. In order to prevent log data duplication, the global service event tracking must be enabled for one trail only and disabled for all other trails, from other regions, that write to the same CloudTrail log.

Note: This conformity rule assumes that you have multiple single-region trails already available in your AWS cloud account.


Audit

To determine if more than one single-region trail records global service events, perform the following operations:

Note: Checking Amazon CloudTrail trail support for AWS global services using the AWS Management Console is not currently supported. The trails created using the AWS Management Console are recording global service events by default.

Using AWS CLI

01 Run list-trails command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon CloudTrail trails created for your AWS cloud account:

aws cloudtrail list-trails \
  --region us-east-1 \
  --query 'Trails[*].Name'

02 The command output should return an array with the requested CloudTrail trail names:

[
    "cc-project5-api-trail",
    "cc-data-events-trail"
]

03 Run describe-trails command (OSX/Linux/UNIX) using the name of the single-region CloudTrail trail that you want to examine as the identifier parameter and custom query filters to determine if the selected trail records AWS global service events in the selected AWS region:

aws cloudtrail describe-trails \
  --region us-east-1 \
  --trail-name-list cc-project5-api-trail \
  --query 'trailList[*].IncludeGlobalServiceEvents'

04 The command output should return the requested feature status (true for enabled, false for disabled):

[
    true
]

If the describe-trails command output returns true, as shown in the example above, the selected Amazon CloudTrail trail is configured to record API calls for AWS global services within the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the Audit process for other AWS regions with active trails enabled. If more than one single-region CloudTrail trail is logging AWS global service events within your AWS cloud account, the events recorded for the AWS global services are duplicated inside the Amazon CloudTrail aggregated log.
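The Audit steps above, automated as an added example that is not part of the Conformity rule page or the AWS CLI: the analysis takes describe-trails output (TrailARN, Name, HomeRegion, IncludeGlobalServiceEvents as the CLI and boto3 return them) from every region, counts the trails recording global service events once per ARN, and names those beyond the first. The collect_trails helper and the region list are assumptions for live use.

```python
"""CT-006 audit helper: find every CloudTrail trail that records global service
events and flag the ones beyond the first. Added example, not Conformity's or
AWS's code; assumes describe-trails output as the CLI/boto3 return it."""


def global_event_trails(trails):
    """Trails with IncludeGlobalServiceEvents true, one per distinct TrailARN.
    describe-trails returns shadow copies of multi-region trails in every
    region, so deduplicating by ARN stops one trail being counted twice."""
    seen = {}
    for trail in trails:
        seen.setdefault(trail["TrailARN"], trail)
    return [t for t in seen.values() if t.get("IncludeGlobalServiceEvents")]


def ct006_findings(trails):
    """Names of the trails to reconfigure with update-trail
    --no-include-global-service-events: every recording trail after the
    first one found. Empty list means only one trail records global events."""
    recording = global_event_trails(trails)
    return [t["Name"] for t in recording[1:]]


def collect_trails(regions):
    """Steps 1-5 of the Audit section automated: describe-trails per region.
    Needs boto3 and AWS credentials, so the import stays lazy (runs offline otherwise)."""
    import boto3
    trails = []
    for region in regions:
        client = boto3.client("cloudtrail", region_name=region)
        trails.extend(client.describe_trails(includeShadowTrails=True)["trailList"])
    return trails


# Constructed sample resembling describe-trails output gathered from two regions.
SAMPLE_TRAILS = [
    {"Name": "cc-project5-api-trail", "HomeRegion": "us-east-1",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-project5-api-trail",
     "IncludeGlobalServiceEvents": True},
    {"Name": "cc-data-events-trail", "HomeRegion": "us-east-1",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-data-events-trail",
     "IncludeGlobalServiceEvents": False},
    {"Name": "cc-eu-trail", "HomeRegion": "eu-west-1",
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/cc-eu-trail",
     "IncludeGlobalServiceEvents": True},
]

if __name__ == "__main__":
    print(ct006_findings(SAMPLE_TRAILS))  # ['cc-eu-trail']
```

With live credentials, pass `collect_trails(["us-east-1", "eu-west-1", ...])` to `ct006_findings` instead of the constructed sample.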

Remediation / Resolution

To disable API logging for AWS global services in your subsequent single-region CloudTrail trails, perform the following operations:

Note: Disabling CloudTrail trail support for AWS global services using the AWS Management Console is not currently supported. The trails created using the AWS Management Console are recording AWS global service events by default.

Using AWS CLI

01 Run update-trail command (OSX/Linux/UNIX) using the name of the single-region CloudTrail trail that you want to reconfigure as the identifier parameter, to disable API logging for AWS global services such as Amazon IAM and Amazon CloudFront in order to avoid log duplication:

aws cloudtrail update-trail \
  --region us-east-1 \
  --name cc-project5-api-trail \
  --no-include-global-service-events

02 The command output should return the metadata available for the reconfigured trail:

{
  "IncludeGlobalServiceEvents": false,
  "IsOrganizationTrail": false,
  "Name": "cc-project5-api-trail",
  "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-project5-api-trail",
  "LogFileValidationEnabled": false,
  "S3BucketName": "cc-project5-cloudtrail-logs"
}

03 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 and 2 for other AWS regions with active trails enabled. Ensure that only one single-region trail records AWS global service events in order to avoid duplicate entries within your Amazon CloudTrail aggregated log.

Publication date Apr 13, 2016