Use the Conformity Knowledge Base AI to help improve your Cloud Posture

AWS CloudTrail Configuration Changes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable risk)
Rule ID: CT-013

Monitor AWS CloudTrail Configuration Changes.Amazon CloudTrail is a service that enables governance, compliance, operational auditing and risk auditing of your AWS account. With CloudTrail you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. Amazon CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, Command Line Interface (CLI), AWS SDKs and APIs. This event history feature simplifies security auditing, resource change tracking and troubleshooting. You can identify who or what took which action, what resources were acted upon, when an event occurred and other details that can help you analyze and respond to any activity within your Amazon Web Services account. As a security best practice, you need to be aware of all configuration changes performed at the CloudTrail level. The activity detected by Cloud Conformity RTMA could be, for example, a user action initiated through AWS Management Console or an AWS API request initiated programmatically using AWS CLI or SDK, that is triggering any of the CloudTrail operational events listed below:

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Real-Time Threat Monitoring.

Security



"CreateTrail" – Creates a Cloudtrail trail that specifies the settings for delivery of log data to an Amazon S3 bucket.

"UpdateTrail" – Updates the settings that specify delivery of Cloudtrail log files. Changes to a trail do not require stopping the CloudTrail service. The action triggered by this event is used to designate an existing bucket for log delivery. If the existing S3 bucket has previously been a target for aws CloudTrail log files, an IAM policy already exists for the bucket.

"DeleteTrail" – Deletes a Cloudtrail trail. This event is triggered within the AWS region in which the trail was created. DeleteTrail event action is not called on the shadow trails (replicated trails in other regions) of a trail that is enabled in all regions.

"PutEventSelectors" – Configures an event selector for a Cloudtrail trail. Event selectors are used to further specify the management and data event settings for a trail. By default, trails created without specific event selectors will be configured to log all read and write management events and no data events.

"AddTags" – Adds one or more tags to a Cloudtrail trail, up to a limit of 50. Tags must be unique per trail.

"RemoveTags" – Removes the specified tags from an AWS Cloudtrail trail.

"StartLogging" – Starts the recording of AWS API calls and log file delivery for a trail. StartLogging event action is not called on the shadow trails (replicated trails in other AWS regions) of a trail that is enabled in all regions.

"StopLogging" – Suspends the recording of AWS API calls and log file delivery for the specified trail.

To adhere to AWS security best practices and implement the principle of least privilege (i.e. the practice of providing every user/process/system the minimal amount of access required to perform its tasks), Cloud Conformity strongly recommends that you avoid as much as possible to provide your IAM users (except the system administrator) the permission to change the CloudTrail service configuration within your AWS account.The communication channels for sending RTMA notifications can be easily configured within Cloud Conformity account. The list of supported communication channels that you can use to receive AWS CloudTrail configuration change alerts are Slack, SMS, Email, PagerDuty, ServiceNow and Zendesk.

Rationale

The visibility into your Amazon Web Services account activity is a key aspect of security and operational best practices. You use AWS CloudTrail to view, search, download, archive, analyze and respond to account activity across your AWS infrastructure. Therefore, monitoring any configuration change made at the CloudTrail service level is important for keeping your AWS infrastructure secure and compliant.

References

Publication date Sep 7, 2018