Ensure that only one trail within your Amazon CloudTrail multi-region logging configuration has the capability to record global service events in order to avoid duplicate log events for AWS global services such as Amazon IAM, Security Token Service (STS), or Amazon CloudFront.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When you have multiple single-region trails in your AWS account, the events recorded for AWS global services are duplicated in the log files, because every regional trail writes the same global service events to the aggregated CloudTrail log. To prevent this duplication, global service event tracking must be enabled on one trail only and disabled on every other trail, in every other region, that writes to the same CloudTrail log.
Note: This conformity rule assumes that you have multiple single-region trails already available in your AWS cloud account.
Audit
To determine whether more than one single-region trail records global service events, perform the following operations:
Note: Checking Amazon CloudTrail trail support for AWS global services using the AWS Management Console is not currently supported. Trails created using the AWS Management Console record global service events by default.
Remediation / Resolution
To disable API logging for AWS global services in your subsequent single-region CloudTrail trails, perform the following operations:
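The audit and remediation above can be scripted against the output of `aws cloudtrail describe-trails`. The following is an added example, not Conformity's own code: it reads a constructed sample of that JSON (real field names `Name`, `HomeRegion`, `IsMultiRegionTrail`, `IncludeGlobalServiceEvents`), flags every trail beyond the one that should keep recording global service events, and builds the `update-trail` commands that switch the others off.

```python
import json

# Constructed sample of `aws cloudtrail describe-trails` output; not real account data.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {"Name": "trail-us-east-1", "HomeRegion": "us-east-1",
         "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True},
        {"Name": "trail-eu-west-1", "HomeRegion": "eu-west-1",
         "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True},
        {"Name": "trail-ap-south-1", "HomeRegion": "ap-south-1",
         "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": False},
    ]
})


def global_event_trails(describe_trails_json):
    """Names of the trails that currently record global service events."""
    trails = json.loads(describe_trails_json).get("trailList", [])
    return [t["Name"] for t in trails if t.get("IncludeGlobalServiceEvents")]


def audit(describe_trails_json, keep=None):
    """Return (status, trails_to_fix).

    The rule is violated when more than one trail records global service
    events. `keep` names the trail that should continue recording them;
    by default the first such trail returned by describe-trails is kept.
    """
    recording = global_event_trails(describe_trails_json)
    if len(recording) <= 1:
        return "COMPLIANT", []
    keep = keep or recording[0]
    if keep not in recording:
        raise ValueError(f"{keep} does not record global service events")
    return "NON_COMPLIANT", [n for n in recording if n != keep]


def remediation_commands(describe_trails_json, keep=None):
    """Build one `aws cloudtrail update-trail` command per extra trail.

    UpdateTrail must be called in the trail's home region, so each command
    carries --region set to that trail's HomeRegion.
    """
    trails = {t["Name"]: t for t in json.loads(describe_trails_json)["trailList"]}
    _, to_fix = audit(describe_trails_json, keep)
    return [f"aws cloudtrail update-trail --region {trails[n]['HomeRegion']} "
            f"--name {n} --no-include-global-service-events" for n in to_fix]


if __name__ == "__main__":
    print(audit(SAMPLE_DESCRIBE_TRAILS))
    print("\n".join(remediation_commands(SAMPLE_DESCRIBE_TRAILS)))
```

Feed it the real output of `aws cloudtrail describe-trails` (the default region's view lists trails from all regions when no filter is given) and review the generated commands before running them.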
Note: Disabling Amazon CloudTrail trail support for AWS global services using the AWS Management Console is not currently supported. Trails created using the AWS Management Console record AWS global service events by default.
References
- AWS Official Documentation
- AWS CloudTrail FAQs
- Global service events
- Creating a trail for your AWS account
- Creating, updating, and managing trails with the AWS Command Line Interface
- Using update-trail
- AWS Command Line Interface (CLI) Documentation
- cloudtrail
- list-trails
- describe-trails
- update-trail