Ensure that your Amazon CloudTrail trails are configured to log management events, so that control-plane operations such as the EC2 "RunInstances", "DescribeInstances" and "TerminateInstances" API calls, console sign-in events and, in general, every recorded event that is not a data event are written to the trail.
This rule can help you with the following compliance standards:
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Management events (also called control-plane operations) record the actions performed on the resources in your AWS account, such as creating, modifying or deleting them, so logging them is a baseline security practice. For example, if an IAM user within your organization terminates an Amazon EC2 instance that has a crucial role in your application stack and the trail does not log management events, the instance is lost, the "TerminateInstances" event is never written to the trail, and the account administrator has no way to determine who terminated the instance by analyzing the trail logs. Only the 90-day CloudTrail Event history in the console remains, which is not delivered to S3 or CloudWatch Logs and is no substitute for a durable trail.
Audit
To identify any CloudTrail trails that are not configured to log management events, perform the following operations:
Remediation / Resolution
To enable management events for your existing Amazon CloudTrail trails, perform the following operations:
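As an added example that is not part of this page or of Conformity's tooling, the Python script below performs both the audit and the remediation described above: it reads each trail's event selectors, reports whether (and for which read/write scope) management events are logged, and with `--fix` enables them while keeping the trail's existing data-event selectors. It assumes boto3 with default credentials; the account ID, trail names and selector contents in the sample responses are constructed, and the pure decision functions run offline against them.

```python
"""Audit and fix CloudTrail management-event logging.

Added example for this page; not Conformity's code. Response shapes follow
the CloudTrail GetEventSelectors / PutEventSelectors API. The functions
below run offline on the constructed responses at the bottom; only main()
talks to AWS (boto3 with default credentials, assumed).
"""
import copy
import json
import sys

MGMT_ADVANCED_SELECTOR = {
    "Name": "Log all management events",
    "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}],
}


def management_coverage(resp):
    """Return the subset of {"read", "write"} management API calls a trail
    records, from a GetEventSelectors response. Empty set = the finding
    this rule is about: no management events logged at all."""
    covered = set()
    # Basic selectors: IncludeManagementEvents, scoped by ReadWriteType.
    for sel in resp.get("EventSelectors", []):
        if not sel.get("IncludeManagementEvents", False):
            continue
        rw = sel.get("ReadWriteType", "All")
        if rw in ("All", "ReadOnly"):
            covered.add("read")
        if rw in ("All", "WriteOnly"):
            covered.add("write")
    # Advanced selectors: eventCategory == Management, optionally narrowed
    # by a readOnly field ("true" = read calls only, "false" = write only).
    for adv in resp.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in adv.get("FieldSelectors", [])}
        if "Management" not in fields.get("eventCategory", {}).get("Equals", []):
            continue
        ro = fields.get("readOnly", {}).get("Equals", [])
        if not ro or "true" in ro:
            covered.add("read")
        if not ro or "false" in ro:
            covered.add("write")
    return covered


def is_compliant(resp):
    """True when the trail records management events in any scope."""
    return bool(management_coverage(resp))


def remediation_kwargs(resp):
    """Build PutEventSelectors arguments that switch management events on
    without losing what the trail already logs. PutEventSelectors replaces
    the whole selector set, and EventSelectors / AdvancedEventSelectors are
    mutually exclusive, so the existing kind is kept and extended."""
    if is_compliant(resp):
        return None
    advanced = resp.get("AdvancedEventSelectors")
    if advanced:
        return {"AdvancedEventSelectors": copy.deepcopy(advanced) + [MGMT_ADVANCED_SELECTOR]}
    basic = copy.deepcopy(resp.get("EventSelectors", []))
    if basic:
        basic[0]["IncludeManagementEvents"] = True  # data selectors stay intact
    else:
        basic.append({"ReadWriteType": "All", "IncludeManagementEvents": True,
                      "DataResources": []})
    return {"EventSelectors": basic}


def main(remediate=False):
    import boto3  # live use only; default credentials and region assumed
    ct = boto3.client("cloudtrail")
    token = None
    while True:
        page = ct.list_trails(**({"NextToken": token} if token else {}))
        for trail in page["Trails"]:
            # Selectors must be read and written in the trail's home region.
            regional = boto3.client("cloudtrail", region_name=trail["HomeRegion"])
            resp = regional.get_event_selectors(TrailName=trail["TrailARN"])
            cov = management_coverage(resp)
            print(f"{trail['Name']}: management events {sorted(cov) or 'NOT LOGGED'}")
            fix = remediation_kwargs(resp)
            if fix and remediate:
                regional.put_event_selectors(TrailName=trail["TrailARN"], **fix)
                print("  remediated with " + json.dumps(fix))
        token = page.get("NextToken")
        if not token:
            break


# Constructed sample responses (account ID and trail names are made up).
SAMPLE_NO_MGMT = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/data-only",
    "EventSelectors": [{
        "ReadWriteType": "All", "IncludeManagementEvents": False,
        "DataResources": [{"Type": "AWS::S3::Object",
                           "Values": ["arn:aws:s3:::example-bucket/"]}],
        "ExcludeManagementEventSources": [],
    }],
}
SAMPLE_WRITE_ONLY_ADV = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/writes",
    "AdvancedEventSelectors": [{
        "Name": "Write management events",
        "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]},
                           {"Field": "readOnly", "Equals": ["false"]}],
    }],
}
SAMPLE_EMPTY = {"TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/empty",
                "EventSelectors": []}

if __name__ == "__main__":
    main(remediate="--fix" in sys.argv)
```

Two caveats the script encodes: a bare `aws cloudtrail put-event-selectors --trail-name <name> --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":true}]'` would silently drop any data-event selectors the trail already has, which is why the existing selectors are passed back, and a trail that only logs "WriteOnly" management events still records "TerminateInstances" but never "DescribeInstances", so the read/write scope is reported rather than a plain pass/fail. Organization trails can only be modified from the organization's management (or delegated administrator) account.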
References
- AWS Documentation
  - AWS CloudTrail FAQs
  - What Is AWS CloudTrail?
  - Updating a Trail
- AWS Command Line Interface (CLI) Documentation
  - cloudtrail
    - list-trails
    - get-event-selectors
    - put-event-selectors
- CloudFormation Documentation
  - AWS CloudTrail resource type reference
- Terraform Documentation
  - AWS Provider