CloudTrail Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: CT-001

Ensure that your Amazon CloudTrail trails are enabled for all the supported AWS cloud regions in order to increase the visibility of the API activity in your AWS account for security and management purposes.

This rule can help you with the following compliance standards:

  • CISAWSF
  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on the compliance standards supported by Conformity, see the Conformity compliance standards documentation.

This rule can help you work with the AWS Well-Architected Framework (pillars: Security, Sustainability).

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Enabling global monitoring for your existing CloudTrail trails will help you manage your AWS account better and keep your cloud infrastructure secure. Applying a CloudTrail trail to all AWS regions has several advantages: log files from all regions are delivered to a single S3 bucket and a single CloudWatch Logs log group, the trail configuration for all AWS regions is managed from one location, and API calls in regions that are rarely used are still recorded, so unusual activity in those regions can be detected.

Audit

To determine if your Amazon CloudTrail trails are logging events in all AWS regions, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel, under CloudTrail, choose Trails.

04 Click on the name (link) of the Amazon CloudTrail trail that you want to examine.

05 In the General details section, check the Multi-region trail attribute value. If the Multi-region trail value is set to No, the selected Amazon CloudTrail trail is not configured to receive log files from all the AWS cloud regions.

06 Repeat steps no. 4 and 5 for each Amazon CloudTrail trail created for your AWS cloud account.

Using AWS CLI

01 Run list-trails command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon CloudTrail trails created for your AWS cloud account:

aws cloudtrail list-trails \
  --region us-east-1 \
  --query 'Trails[*].Name'

02 The command output should return an array with the requested CloudTrail trail names:

[
	"cc-project5-api-trail",
	"cc-data-events-trail"
]

03 Run describe-trails command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to examine as the identifier parameter and custom query filters to determine whether the selected trail exists only in one region or exists in all AWS regions:

aws cloudtrail describe-trails \
  --region us-east-1 \
  --trail-name-list cc-project5-api-trail \
  --query 'trailList[*].IsMultiRegionTrail'

04 The command output should return the requested flag status (true for enabled, false for disabled):

[
	false
]

If the describe-trails command output returns false, as shown in the example above, the selected Amazon CloudTrail trail is not configured to receive log files from all the AWS cloud regions.

05 Repeat steps no. 3 and 4 for each Amazon CloudTrail trail available within your AWS cloud account.

Remediation / Resolution

To enable multi-region API logging for your Amazon CloudTrail trails, perform the following operations:

Note: Enabling multi-region API logging for Amazon CloudTrail trails using the AWS Management Console is not currently supported.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Parameters": {
		"CloudTrailName": {
			"Type": "String"
		},
		"CloudTrailBucketName": {
			"Type": "String"
		},
		"CloudTrailBucketPrefix": {
			"Type": "String"
		}
	},
	"Resources": {
		"CloudTrail": {
			"Type": "AWS::CloudTrail::Trail",
			"Properties": {
				"TrailName": {
					"Ref": "CloudTrailName"
				},
				"S3BucketName": {
					"Ref": "CloudTrailBucketName"
				},
				"S3KeyPrefix": {
					"Ref": "CloudTrailBucketPrefix"
				},
				"EventSelectors": [
					{
						"DataResources": [
							{
								"Type": "AWS::S3::Object",
								"Values": [
									"arn:aws:s3"
								]
							}
						],
						"ReadWriteType": "All",
						"IncludeManagementEvents": true
					}
				],
				"IsLogging": true,
				"IsMultiRegionTrail": true,
				"IncludeGlobalServiceEvents": true
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  CloudTrailName:
    Type: String
  CloudTrailBucketName:
    Type: String
  CloudTrailBucketPrefix:
    Type: String
Resources:
  CloudTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: !Ref 'CloudTrailName'
      S3BucketName: !Ref 'CloudTrailBucketName'
      S3KeyPrefix: !Ref 'CloudTrailBucketPrefix'
      EventSelectors:
        - DataResources:
            - Type: AWS::S3::Object
              Values:
                - arn:aws:s3
          ReadWriteType: All
          IncludeManagementEvents: true
      IsLogging: true
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_cloudtrail" "aws-cloudtrail-trail" {
	name           = "cc-project5-api-trail"
	s3_bucket_name = "cc-project5-trail-bucket"
	s3_key_prefix  = "trail-logs"
	event_selector {
		data_resource {
			type   = "AWS::S3::Object"
			values = ["arn:aws:s3"]
		}
		read_write_type           = "All"
		include_management_events = true
	}
	enable_logging                = true
	is_multi_region_trail         = true
	include_global_service_events = true
}

Using AWS CLI

01 Run update-trail command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to reconfigure as the identifier parameter, to enable multi-region API logging for the selected trail. Once enabled, shadow trails (replications of the selected trail) will be created in the other AWS regions:

aws cloudtrail update-trail \
  --region us-east-1 \
  --name cc-project5-api-trail \
  --is-multi-region-trail \
  --include-global-service-events

02 The command output should return the metadata available for the reconfigured trail:

{
	"IncludeGlobalServiceEvents": true,
	"IsOrganizationTrail": false,
	"Name": "cc-project5-api-trail",
	"TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-project5-api-trail",
	"LogFileValidationEnabled": false,
	"IsMultiRegionTrail": true,
	"S3BucketName": "cc-project5-cloudtrail-logs"
}

03 Repeat steps no. 1 and 2 for each Amazon CloudTrail trail that you want to reconfigure, available in your AWS cloud account.
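The following script is an added example (not Conformity's own code) that automates the AWS CLI audit steps above and the update-trail remediation step in one place: it describes every trail, keys the results by trail ARN so that shadow trails do not produce duplicate findings, reports trails whose IsMultiRegionTrail flag is false, and offers a remediation function equivalent to the update-trail command. The sample describe-trails output embedded below is constructed; the live functions assume boto3 is installed and AWS credentials with cloudtrail:ListTrails, cloudtrail:DescribeTrails and cloudtrail:UpdateTrail permissions are available in the environment.

```python
"""Audit and remediate CloudTrail multi-region logging (rule CT-001).

Added example, not Conformity's own code. Mirrors the CLI audit and
remediation steps on this page. The sample output is constructed; the
live functions assume boto3 and AWS credentials in the environment.
"""
import json
from typing import Dict, List

# Constructed sample in the shape of `aws cloudtrail describe-trails` output.
# A multi-region trail appears once per region as a "shadow trail" unless
# shadow trails are excluded, so cc-data-events-trail is listed twice here.
SAMPLE_DESCRIBE_TRAILS_OUTPUT = json.dumps({
    "trailList": [
        {
            "Name": "cc-project5-api-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-project5-api-trail",
            "HomeRegion": "us-east-1",
            "IsMultiRegionTrail": False,
            "IncludeGlobalServiceEvents": False,
        },
        {
            "Name": "cc-data-events-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-data-events-trail",
            "HomeRegion": "us-east-1",
            "IsMultiRegionTrail": True,
            "IncludeGlobalServiceEvents": True,
        },
        {
            # shadow copy of the multi-region trail as seen from another region
            "Name": "cc-data-events-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-data-events-trail",
            "HomeRegion": "us-east-1",
            "IsMultiRegionTrail": True,
            "IncludeGlobalServiceEvents": True,
        },
    ]
})


def evaluate_trails(trail_list: List[Dict]) -> Dict[str, Dict[str, bool]]:
    """Map each distinct trail (by ARN) to the flags CT-001 cares about.

    Keying by TrailARN collapses shadow trails onto the home-region trail,
    so one misconfigured trail yields one finding, not one per region.
    """
    findings: Dict[str, Dict[str, bool]] = {}
    for trail in trail_list:
        findings[trail["TrailARN"]] = {
            "multi_region": bool(trail.get("IsMultiRegionTrail", False)),
            "global_events": bool(trail.get("IncludeGlobalServiceEvents", False)),
        }
    return findings


def non_compliant_trails(describe_output_json: str) -> List[str]:
    """ARNs of trails that fail CT-001 (IsMultiRegionTrail is false)."""
    trail_list = json.loads(describe_output_json)["trailList"]
    return sorted(arn for arn, flags in evaluate_trails(trail_list).items()
                  if not flags["multi_region"])


def distinct_trail_count(describe_output_json: str) -> int:
    """Number of real (non-shadow) trails in a describe-trails result."""
    return len(evaluate_trails(json.loads(describe_output_json)["trailList"]))


def audit_account(region: str = "us-east-1") -> List[str]:
    """Live audit: list every trail ARN, describe them, return failing ARNs."""
    import boto3  # lazy import so the offline sample runs without boto3
    client = boto3.client("cloudtrail", region_name=region)
    arns: List[str] = []
    kwargs: Dict[str, str] = {}
    while True:  # list_trails is paginated with NextToken
        page = client.list_trails(**kwargs)
        arns.extend(t["TrailARN"] for t in page["Trails"])
        if "NextToken" not in page:
            break
        kwargs["NextToken"] = page["NextToken"]
    # Passing ARNs rather than names lets one call describe trails homed in any region.
    described = client.describe_trails(trailNameList=arns)["trailList"]
    return sorted(arn for arn, flags in evaluate_trails(described).items()
                  if not flags["multi_region"])


def remediate_trail(trail_arn: str, region: str) -> Dict:
    """Equivalent of the update-trail command in the remediation steps."""
    import boto3
    client = boto3.client("cloudtrail", region_name=region)
    return client.update_trail(Name=trail_arn, IsMultiRegionTrail=True,
                               IncludeGlobalServiceEvents=True)


if __name__ == "__main__":
    print("non-compliant (sample):", non_compliant_trails(SAMPLE_DESCRIBE_TRAILS_OUTPUT))
```

Run the file as-is to see the evaluation over the constructed sample; call `audit_account()` against a real account to get the failing trail ARNs, and `remediate_trail(arn, region)` to reconfigure one of them. The remediation call must be issued in the trail's home region (the HomeRegion field in the describe-trails output), which is why the function takes the region explicitly rather than defaulting it.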

Publication date Apr 12, 2016