AWS CloudTrail Best Practices [Checklist] [Cheat Sheet]
Are you following CloudTrail best practices? Here's a simple checklist.
Under the hood, the AWS Security Hub service is looking for these best practices:

[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events
Severity: High
Why:
– Helps detect unexpected activity, even in unused Regions
– Ensures that AWS global services events are logged
Remediation:
– Create a new trail or update an existing trail
– In Management Events, for API activity, make sure both Read and Write are selected

[CloudTrail.2] CloudTrail should have encryption at rest enabled
Severity: Medium
Why:
– Checks whether the trail encrypts its log files with an AWS KMS key (SSE-KMS) rather than relying on the default S3 encryption
– An added layer of security for sensitive log files
Remediation:
– Enable server-side encryption with AWS KMS keys (SSE-KMS) for encryption at rest

[CloudTrail.3] CloudTrail should be enabled
Severity: High
Why:
– Without visibility, you don't have security
– CloudTrail is one of the most critical AWS services for observability
Remediation:
– Create a CloudTrail trail
– Understand what's enabled by default at account creation
– Understand the difference between Management Events, Data Events, and Insights Events

[CloudTrail.4] CloudTrail log file validation should be enabled
Severity: Low
Why:
– Log file validation creates a digitally signed digest file with a hash of each log file that CloudTrail writes to Amazon S3
– If someone deletes or changes log files, log file validation lets you detect it
Remediation:
– Enable log file validation on all trails
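To make the detection concrete, the following added example (not code from the page or from AWS) shows the hash-comparison half of log file validation: a digest file lists each delivered log object with its SHA-256 hash, and an object that was modified or deleted after the digest was written no longer matches. The log object, the S3 key and the digest fragment are constructed for the example; a real digest file also carries a digital signature and a link to the previous digest, which `aws cloudtrail validate-logs` verifies in addition to the hashes.

```python
import gzip
import hashlib
import json
from typing import Dict, Optional

# Constructed sample log object: CloudTrail delivers each log file to S3 as
# gzipped JSON with a "Records" array. mtime=0 keeps the bytes deterministic.
SAMPLE_LOG = gzip.compress(json.dumps({
    "Records": [{
        "eventVersion": "1.08",
        "eventTime": "2024-01-01T00:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "awsRegion": "us-east-1",
    }]
}).encode(), mtime=0)

# Constructed S3 key; the path layout mirrors CloudTrail's but the account id is a placeholder.
SAMPLE_KEY = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/example.json.gz"


def sha256_hex(data: bytes) -> str:
    """CloudTrail hashes the log object exactly as stored in S3 (the .gz bytes)."""
    return hashlib.sha256(data).hexdigest()


# Constructed digest fragment: only the logFiles list, which pins each log
# object to a hash. Signature and previous-digest fields are omitted here.
SAMPLE_DIGEST = {
    "digestS3Bucket": "example-cloudtrail-bucket",
    "logFiles": [{
        "s3Bucket": "example-cloudtrail-bucket",
        "s3Object": SAMPLE_KEY,
        "hashAlgorithm": "SHA-256",
        "hashValue": sha256_hex(SAMPLE_LOG),
    }],
}


def verify_log_files(digest: dict, objects: Dict[str, Optional[bytes]]) -> Dict[str, str]:
    """Compare each log file listed in the digest with the bytes fetched from S3.

    `objects` maps an S3 key to the object's bytes; a key that is absent (or
    mapped to None) stands for a GET that failed because the object is gone.
    Returns one status per key: valid, modified or missing.
    """
    results: Dict[str, str] = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if entry.get("hashAlgorithm") != "SHA-256":
            results[key] = "unsupported-hash-algorithm"
            continue
        data = objects.get(key)
        if data is None:
            results[key] = "missing"      # deleted after the digest was written
        elif sha256_hex(data) == entry["hashValue"]:
            results[key] = "valid"
        else:
            results[key] = "modified"     # contents no longer match the digest
    return results


if __name__ == "__main__":
    print(verify_log_files(SAMPLE_DIGEST, {SAMPLE_KEY: SAMPLE_LOG}))          # valid
    print(verify_log_files(SAMPLE_DIGEST, {SAMPLE_KEY: SAMPLE_LOG + b"x"}))   # modified
    print(verify_log_files(SAMPLE_DIGEST, {}))                                # missing
```

In practice you would fetch the digest and the listed objects from the log bucket and feed them to `verify_log_files`; a "missing" or "modified" result on a production trail is an incident-response finding in its own right, because only deletion or rewriting of the stored object produces it.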

[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs
Severity: Low
Why:
– CloudTrail stores log files in S3, but those files aren't actionable on their own. You need to download them and sift through them, or feed them into another tool
– Sending them to CloudWatch Logs helps with monitoring and alerting, and with both near-real-time and historical analysis through simple searches and Logs Insights
Remediation:
– Create a log group and send CloudTrail logs to CloudWatch Logs

[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
Severity: Critical
Why:
– Since CloudTrail sends log files to S3 with all sorts of API and non-API activity, that bucket will contain sensitive information
Remediation:
– Ensure the S3 bucket blocks public access to the logs

[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Severity: Low
Why:
– S3 bucket access logging creates a log with access records for every request made to that S3 bucket
– Those access logs contain details about the request type, the resources accessed, and the date and time of the request
– This can be useful for incident response and for keeping an eye on your CloudTrail logs
Remediation:
– Enable S3 bucket access logging
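The checklist above maps directly onto a handful of trail and bucket attributes, so it can be evaluated in code. The added example below (not code from the page, from AWS or from Security Hub) audits one trail against CloudTrail.1, .2, .4, .5, .6 and .7 and an account's trail list against CloudTrail.3. The input dictionaries follow the shapes boto3 returns for `describe_trails`, `get_event_selectors`, `get_public_access_block` and `get_bucket_logging`, trimmed to the keys used here; the two sample trails and their bucket settings are constructed. Two simplifications to note: CloudTrail.1 is checked against basic event selectors only (trails that use advanced event selectors would need the equivalent check on `AdvancedEventSelectors`), and CloudTrail.6 is approximated by requiring all four S3 Block Public Access settings, whereas the Security Hub control evaluates the bucket's actual policy and ACL.

```python
from typing import Dict, List, Optional

BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample 1: a single-Region trail with none of the checklist items.
WEAK_TRAIL = {
    "Name": "legacy-trail",
    "S3BucketName": "example-logs-weak",
    "IsMultiRegionTrail": False,
    "IncludeGlobalServiceEvents": False,
    "LogFileValidationEnabled": False,
    # no KmsKeyId (SSE-S3 only) and no CloudWatchLogsLogGroupArn (S3 delivery only)
}
WEAK_SELECTORS = [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]
WEAK_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
WEAK_LOGGING: dict = {}  # get_bucket_logging returns no LoggingEnabled key when off

# Constructed sample 2: the configuration the checklist asks for.
GOOD_TRAIL = {
    "Name": "org-trail",
    "S3BucketName": "example-logs-good",
    "IsMultiRegionTrail": True,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",       # placeholder
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:cloudtrail:*",
}
GOOD_SELECTORS = [{"ReadWriteType": "All", "IncludeManagementEvents": True}]
GOOD_BPA = {k: True for k in BPA_KEYS}
GOOD_LOGGING = {"LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "cloudtrail/"}}


def audit_trail(trail: dict, selectors: List[dict],
                public_access_block: Optional[dict], bucket_logging: dict) -> Dict[str, str]:
    """Return PASS/FAIL per control for one trail and the bucket it writes to.

    `public_access_block` is None when the bucket has no block configuration
    at all (boto3 raises NoSuchPublicAccessBlockConfiguration in that case),
    which counts as a failure, not as an unknown.
    """
    findings: Dict[str, str] = {}

    # CloudTrail.1: multi-Region trail whose management events cover Read and Write.
    mgmt_read_write = any(
        s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
        for s in selectors
    )
    findings["CloudTrail.1"] = "PASS" if trail.get("IsMultiRegionTrail") and mgmt_read_write else "FAIL"

    # CloudTrail.2: a KMS key on the trail means SSE-KMS for the delivered log files.
    findings["CloudTrail.2"] = "PASS" if trail.get("KmsKeyId") else "FAIL"

    # CloudTrail.4: digest files are only produced when validation is on.
    findings["CloudTrail.4"] = "PASS" if trail.get("LogFileValidationEnabled") else "FAIL"

    # CloudTrail.5: delivery to CloudWatch Logs is configured via a log group ARN.
    findings["CloudTrail.5"] = "PASS" if trail.get("CloudWatchLogsLogGroupArn") else "FAIL"

    # CloudTrail.6 (approximation): every Block Public Access setting must be on.
    bpa = public_access_block or {}
    findings["CloudTrail.6"] = "PASS" if all(bpa.get(k) is True for k in BPA_KEYS) else "FAIL"

    # CloudTrail.7: server access logging is on when LoggingEnabled is present.
    findings["CloudTrail.7"] = "PASS" if "LoggingEnabled" in bucket_logging else "FAIL"
    return findings


def audit_account(trails: List[dict]) -> str:
    """CloudTrail.3: the account needs at least one trail to be enabled at all."""
    return "PASS" if trails else "FAIL"


if __name__ == "__main__":
    print("CloudTrail.3:", audit_account([WEAK_TRAIL, GOOD_TRAIL]))
    print(WEAK_TRAIL["Name"], audit_trail(WEAK_TRAIL, WEAK_SELECTORS, WEAK_BPA, WEAK_LOGGING))
    print(GOOD_TRAIL["Name"], audit_trail(GOOD_TRAIL, GOOD_SELECTORS, GOOD_BPA, GOOD_LOGGING))
```

Wiring this to a live account means replacing the constructed dictionaries with the boto3 calls named in the lead-in and catching `NoSuchPublicAccessBlockConfiguration` to pass `None`; the scoring logic itself does not change. Security Hub already runs these checks for you when it is enabled, so the value of a local version is mostly in CI or pre-deployment review of Terraform or CloudFormation output before a trail is created.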
For more information: https://docs.aws.amazon.com/securityhub/latest/userguide/cloudtrail-controls.html
Learn how to use CloudTrail with our free course: https://cybr.com/courses/beginners-guide-to-aws-cloudtrail-for-security/