Use the Conformity Knowledge Base AI to help improve your Cloud Posture

CloudTrail Data Events

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: CT-012

Ensure that your Amazon CloudTrail trails are configured to log data events in order to record S3 object-level API operations such as "GetObject", "DeleteObject" and "PutObject", for individual S3 buckets or for all existing and future buckets provisioned within your AWS cloud account.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Enabling CloudTrail data event logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS cloud account, or take immediate actions on any object-level API activity using Amazon CloudWatch Events.


Audit

To identify any CloudTrail trails that are missing the capability to log data events, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel, under CloudTrail, choose Trails.

04 Click on the name (link) of the Amazon CloudTrail trail that you want to examine.

05 In the Data events section, check the values available in the Read and Write columns for the selected data event source. If there are no configuration values available in the Read and Write columns and the following message is displayed: Data event collection is not configured for this trail, the selected Amazon CloudTrail trail is not configured to capture resource operations performed on or within an AWS cloud resource.

06 Repeat steps no. 4 and 5 for each Amazon CloudTrail trail created for your AWS cloud account.

Using AWS CLI

01 Run list-trails command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon CloudTrail trails created for your AWS cloud account:

aws cloudtrail list-trails
  --region us-east-1
  --query 'Trails[*].Name'

02 The command output should return an array with the requested CloudTrail trail names:

[
    "cc-main-cloud-trail",
    "cc-project5-api-trail"
]

03 Run get-event-selectors command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to examine as the identifier parameter and custom query filters to determine if the selected CloudTrail trail is configured to record data events:

aws cloudtrail get-event-selectors
  --region us-east-1
  --trail-name cc-main-cloud-trail
  --query 'EventSelectors[*].DataResources[]'

04 The command output should return an array with the configuration information available for the specified feature:

[]

If the get-event-selectors command output returns an empty array (i.e. []), as shown in the example above, the selected Amazon CloudTrail trail is not configured to capture resource operations performed on or within an AWS cloud resource.

05 Repeat steps no. 3 and 4 for each Amazon CloudTrail trail available within your AWS cloud account.

Remediation / Resolution

To enable data events for your existing Amazon CloudTrail trails, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Enable Data Event Logging for all Amazon S3 Buckets",
    "Parameters": {
        "TrailName": {
            "Type": "String"
        },
        "BucketName": {
            "Type": "String"
        },
        "S3BucketKeyPrefix": {
            "Type": "String"
        }
    },
    "Resources": {
        "Trail": {
            "Type": "AWS::CloudTrail::Trail",
            "Properties": {
                "TrailName": {
                    "Ref": "TrailName"
                },
                "S3BucketName": {
                    "Ref": "BucketName"
                },
                "S3KeyPrefix": {
                    "Ref": "S3BucketKeyPrefix"
                },
                "IsLogging": true,
                "EventSelectors": [
                    {
                        "DataResources": [
                            {
                                "Type": "AWS::S3::Object",
                                "Values": ["arn:aws:s3"],
                            }
                        ],
                        "ReadWriteType": "All",
                    }
                ]
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Data Event Logging for all Amazon S3 Buckets
Parameters:
  TrailName:
    Type: String
  BucketName:
    Type: String
  S3BucketKeyPrefix:
    Type: String
Resources:
  Trail:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: !Ref 'TrailName'
      S3BucketName: !Ref 'BucketName'
      S3KeyPrefix: !Ref 'S3BucketKeyPrefix'
      IsLogging: true
      EventSelectors:
        - DataResources:
            - Type: AWS::S3::Object
              Values:
                - arn:aws:s3
          ReadWriteType: All

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

data "aws_caller_identity" "current-account" {}

resource "aws_s3_bucket" "trail-s3-bucket" {

  bucket        = "cc-main-cloudtrail-bucket"
  force_destroy = true
  policy = <<POLICY
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "AWSCloudTrailAclCheck",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:GetBucketAcl",
              "Resource": "arn:aws:s3:::cc-main-cloudtrail-bucket"
          },
          {
              "Sid": "AWSCloudTrailWrite",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:PutObject",
              "Resource": "arn:aws:s3:::cc-main-cloudtrail-bucket/cc-trail-logs/AWSLogs/${data.aws_caller_identity.current-account.account_id}/*",
              "Condition": {
                  "StringEquals": {
                      "s3:x-amz-acl": "bucket-owner-full-control"
                  }
              }
          }
      ]
  }
  POLICY

}

resource "aws_cloudtrail" "cloudtrail-trail" {

  name                          = "cc-main-cloud-trail"
  s3_bucket_name                = aws_s3_bucket.trail-s3-bucket.id
  s3_key_prefix                 = "cc-trail-logs"
  enable_logging                = true

  # Enable Data Event Logging for all Amazon S3 Buckets
  event_selector {
     read_write_type           = "All"
     data_resource {
       type   = "AWS::S3::Object"
       values = ["arn:aws:s3"]
     }
  }

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel, under CloudTrail, choose Trails.

04 Click on the name (link) of the Amazon CloudTrail trail that you want to reconfigure.

05 Choose Edit from the Data events section to change the trail configuration settings.

06 On the Edit trail configuration page, perform the following operations:

  1. In the Events section, select Data events under Event type to enable recording resource operations performed on or within an AWS resource.
  2. In the Data events section, select the source of data events to log from the Data event source dropdown list, and depending on the event source selected, choose the type of the data events to log (i.e. Read and/or Write) and the individual cloud resource that you want to monitor. Choose Add data event type to add as many data event types as needed.
  3. Choose Save changes to apply the changes.

07 Repeat steps no. 4 – 6 for each Amazon CloudTrail trail that you want to reconfigure, created for your AWS cloud account.

Using AWS CLI

01 Run put-event-selectors command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to reconfigure as the identifier parameter, to enable data events that record both read and write API operations (i.e. All option) for the selected trail. The following command request example enables data event logging for all the Amazon S3 buckets available within your AWS account:

aws cloudtrail put-event-selectors
  --region us-east-1
  --trail-name cc-main-cloud-trail
  --event-selectors '[{ "ReadWriteType": "All", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3"] }] }]'

02 The output should return the put-event-selectors command request metadata:

{
    "EventSelectors": [
        {
            "ExcludeManagementEventSources": [],
            "IncludeManagementEvents": true,
            "DataResources": [
                {
                    "Values": [
                        "arn:aws:s3"
                    ],
                    "Type": "AWS::S3::Object"
                }
            ],
            "ReadWriteType": "All"
        }
    ],
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-main-cloud-trail"
}

03 To enable data event logging for individual Amazon S3 buckets, run put-event-selectors command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the S3 bucket that you want to monitor as the event selector parameter, as highlighted in the example below:

aws cloudtrail put-event-selectors
  --region us-east-1
  --trail-name cc-main-cloud-trail
  --event-selectors '[{ "ReadWriteType": "All", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::cc-data-event-logging-bucket/"] }] }]'

04 The command output should return the command request metadata:

{
    "EventSelectors": [
        {
            "ExcludeManagementEventSources": [],
            "IncludeManagementEvents": true,
            "DataResources": [
                {
                    "Values": [
                        "arn:aws:s3:::cc-data-event-logging-bucket/"
                    ],
                    "Type": "AWS::S3::Object"
                }
            ],
            "ReadWriteType": "All"
        }
    ],
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-main-cloud-trail"
}

05 Repeat steps no. 1 – 4 for each Amazon CloudTrail trail that you want to reconfigure, available within your AWS cloud account.

References

Publication date Nov 15, 2017