AWS-CloudTrail-is-not-enabled-with-multi-trail-and-not-capturing-all-management-events

Severity: low

Description: This identifies the AWS accounts which do not have a CloudTrail trail with multi-trail (multi-region) logging enabled and capturing all management events. AWS CloudTrail is a service that enables governance, compliance, operational and risk auditing of the AWS account. It is a compliance and security best practice to turn on CloudTrail across different regions to get a complete audit trail of activities across various services.

NOTE: If you have an Organization Trail enabled in your account, this policy can be disabled, or alerts generated by this policy for such an account can be ignored, because an Organization Trail by default enables trail logging for all accounts under that organization.

Remediation Steps:

Perform the following to enable capturing all management events:

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. To create an AWS Organizations organization trail, sign in to the console with an IAM user or role that has sufficient permissions.

  3. On the CloudTrail Dashboard page, choose Create a trail.

  4. For Storage location, choose Create new S3 bucket to create a bucket. When you create a bucket, CloudTrail creates and applies the required bucket policies. To make it easier to find your logs, create a new folder (also known as a prefix) in an existing bucket to store your CloudTrail logs. Enter the prefix in Prefix.

  5. For Log file SSE-KMS encryption, choose Enabled if you want to encrypt your log files with SSE-KMS instead of SSE-S3.

    If you enable SSE-KMS encryption, choose a New or Existing AWS KMS key. In AWS KMS Alias, specify an alias, in the format alias/MyAliasName.

  6. In Additional settings, configure the following.

    1. For Log file validation, choose Enabled to have log digests delivered to your S3 bucket. You can use the digest files to verify that your log files did not change after CloudTrail delivered them.

    2. For SNS notification delivery, choose Enabled to be notified each time a log is delivered to your bucket. Choose Existing to use an existing topic or choose New to create a topic. If you create a topic, you must subscribe to the topic to be notified of log file delivery.

  7. For Tags, add one or more custom tags (key-value pairs) to your trail to help identify both CloudTrail trails and the Amazon S3 buckets that contain CloudTrail log files.

  8. On the Choose log events page, choose the event types that you want to log. For Management events, do the following.

    1. For API activity, choose if you want your trail to log Read events, Write events, or both.

    2. Choose Exclude AWS KMS events to filter AWS Key Management Service (AWS KMS) events out of your trail. The default setting is to include all AWS KMS events.

    3. Choose Exclude Amazon RDS Data API events to filter Amazon Relational Database Service Data API events out of your trail. The default setting is to include all Amazon RDS Data API events.

  9. For Data events, specify logging data events for Amazon S3 buckets, AWS Lambda functions, Amazon DynamoDB tables, or a combination of these resource types.

  10. To add another data type on which to log data events, choose Add data event type.

  11. For Lambda functions:

    1. For Data event source, choose Lambda.

    2. In Lambda function, choose All regions to log all Lambda functions, or Input function as ARN to log data events on a specific function. To log data events for all Lambda functions in your AWS account, select Log all current and future functions. This setting takes precedence over individual settings you configure for individual functions. All functions are logged, even if not all functions are displayed.

    3. If you choose Input function as ARN, enter the ARN of a Lambda function.

  12. For DynamoDB tables:

    1. For Data event source, choose DynamoDB.

    2. In DynamoDB table selection, choose Browse to select a table, or paste in the ARN of a DynamoDB table to which you have access. A DynamoDB table ARN uses the following format:

      arn:partition:dynamodb:region:account_ID:table/table_name

      To add another table, choose Add row, and browse for a table or paste in the ARN of a table to which you have access.

  13. Choose Insights events if you want your trail to log CloudTrail Insights events.

  14. In Event type, select Insights events. You must be logging Write management events to log Insights events. CloudTrail Insights analyzes management Write events for unusual activity, and logs events when anomalies are detected. By default, trails don't log Insights events.

    Insights events are delivered to a different folder named /CloudTrail-Insight of the same S3 bucket that is specified in the Storage location area of the trail details page. CloudTrail creates the new prefix for you.

  15. When you are finished choosing event types to log, choose Next.

  16. On the Review and create page, review your choices. Choose Edit in a section to change the trail settings shown in that section. When you are ready to create the trail, choose Create trail.

  17. The new trail appears on the Trails page. The Trails page shows the trails in your account from all Regions. In about 15 minutes, CloudTrail publishes log files that show the AWS API calls made in your account. You can see the log files in the S3 bucket that you specified. It can take up to 36 hours for CloudTrail to deliver the first Insights event, if you have enabled Insights event logging, and unusual activity is detected.
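The following is an added example, not Blue Hexagon's own detection logic, that evaluates an account's trails against the condition this policy describes (a multi-region trail that is logging and captures both Read and Write management events). The sample inputs are constructed; the trail names and the `collect_live` helper are assumptions for illustration.

```python
# Evaluate an account's trails against the policy above: at least one trail must be
# multi-region, actively logging, and capture Read and Write management events. The
# sample inputs are constructed in the shape of DescribeTrails/GetTrailStatus/GetEventSelectors.

SAMPLE_TRAILS = [
    {"Name": "regional-only", "IsMultiRegionTrail": False},
    {"Name": "write-only-multi", "IsMultiRegionTrail": True},
    {"Name": "full-multi", "IsMultiRegionTrail": True},
]
SAMPLE_STATUS = {n: {"IsLogging": True} for n in ("regional-only", "write-only-multi", "full-multi")}
SAMPLE_SELECTORS = {
    "regional-only": {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    "write-only-multi": {"EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
    # Trails configured with advanced selectors report those instead; a readOnly
    # field selector would narrow the trail to Read-only or Write-only events.
    "full-multi": {"AdvancedEventSelectors": [{"Name": "mgmt", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Management"]}]}]},
}


def captures_all_management_events(selectors):
    """True if basic or advanced selectors log both Read and Write management events."""
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All":
            return True
    for sel in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if "Management" in fields.get("eventCategory", {}).get("Equals", []) and "readOnly" not in fields:
            return True
    return False


def compliant_trails(trails, status_by_name, selectors_by_name):
    """Names of trails meeting every condition; an empty list means the account fails."""
    return [
        t["Name"] for t in trails
        if t.get("IsMultiRegionTrail")
        and status_by_name.get(t["Name"], {}).get("IsLogging")
        and captures_all_management_events(selectors_by_name.get(t["Name"], {}))
    ]


def collect_live(session):
    """Gather the same three inputs from a boto3 session (needs credentials; not run offline)."""
    ct = session.client("cloudtrail")
    # Shadow trails are the per-region replicas of multi-region trails; skip the duplicates.
    trails = ct.describe_trails(includeShadowTrails=False)["trailList"]
    status = {t["Name"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    selectors = {t["Name"]: ct.get_event_selectors(TrailName=t["TrailARN"]) for t in trails}
    return trails, status, selectors
```

With the sample data only `full-multi` passes: `regional-only` is single-region and `write-only-multi` omits Read events, which is exactly the gap this policy flags.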

Reference:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html

Blue Hexagon Proprietary