AWS CloudTrail Best Practices [Checklist] [Cheat Sheet]


Are you following CloudTrail best practices? Here’s a simple checklist ✅

Under the hood, AWS Security Hub service is looking for these best practices:

✅ [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events

🟠 Severity: High

📌 Why:
– Helps detect unexpected activity, even in unused Regions
– Ensures that AWS global services events are logged

🔍 Remediation:
– Create a new trail / update an existing trail
– In Management Events, for API activity, make sure Read & Write are selected

✅ [CloudTrail.2] CloudTrail should have encryption at-rest enabled

🟡 Severity: Medium

📌 Why:
– Checks whether CloudTrail log files are encrypted with SSE-KMS (server-side encryption with an AWS KMS key)
– An added layer of security for sensitive log files

🔍 Remediation:
– Enable server-side encryption with AWS KMS keys (SSE-KMS) for encryption at rest

✅ [CloudTrail.3] CloudTrail should be enabled

🟠 Severity: High

📌 Why:
– Without visibility, you don’t have security
– CloudTrail is one of the most critical AWS services for observability

🔍 Remediation:
– Create a CloudTrail trail
– Understand what’s enabled by default at account creation
– Understand the difference between Management Events, Data Events, and Insights Events

✅ [CloudTrail.4] CloudTrail log file validation should be enabled

⚪️ Severity: Low

📌 Why:
– Log file validation creates a digitally signed digest file with a hash of each log file that CloudTrail writes to Amazon S3
– If someone deletes or changes log files, log file validation will tell you

🔍 Remediation:
– Enable log file validation on all trails

✅ [CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs

⚪️ Severity: Low

📌 Why:
– CloudTrail stores log files in S3, but those files aren’t actionable on their own. You need to download them and sift through them, or feed them into another tool
– Sending them to CloudWatch Logs helps with monitoring/alerting, and with both near real-time & historical analysis through simple searches and Logs Insights

🔍 Remediation:
– Create a log group and send CloudTrail logs to CloudWatch Logs

✅ [CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

🔴 Severity: Critical

📌 Why:
– Since CloudTrail sends log files to S3 with all sorts of API and non-API activity, that bucket will contain sensitive information

🔍 Remediation:
– Ensure the S3 bucket blocks public access to the logs

✅ [CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

⚪️ Severity: Low

📌 Why:
– S3 bucket access logging creates a log with access records for every request made to that S3 bucket
– Those access logs contain details about the request type, the resources accessed, and the date/time of the request
– This can be useful for incident response and for keeping an eye on who is reading your CloudTrail logs

🔍 Remediation:
– Enable S3 server access logging on the CloudTrail bucket
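To turn the seven checks above into something you can run against exported configuration, here is an added example (not part of the cheat sheet): a small evaluator that takes trail records shaped like the CloudTrail DescribeTrails / GetTrailStatus / GetEventSelectors responses plus per-bucket S3 settings, and reports pass/fail per control. The sample trail and bucket data are constructed; it assumes basic (not advanced) event selectors and the four S3 Block Public Access flags as the CloudTrail.6 criterion.

```python
from typing import Dict, List

# CloudTrail.6 criterion assumed here: all four S3 Block Public Access flags enabled
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")


def has_mgmt_read_write(trail: Dict) -> bool:
    """CloudTrail.1 detail: a basic event selector that logs management events, Read & Write."""
    return any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
               for s in trail.get("EventSelectors", []))


def evaluate_account(trails: List[Dict], buckets: Dict[str, Dict]) -> Dict[str, bool]:
    """Return {control_id: passed}. CloudTrail.1 and .3 are account-level (at least one
    trail qualifies); the remaining controls must hold for every trail / every log bucket."""
    logging_trails = [t for t in trails if t.get("IsLogging")]
    log_buckets = [buckets.get(t["S3BucketName"], {}) for t in trails if t.get("S3BucketName")]
    return {
        "CloudTrail.1": any(t.get("IsMultiRegionTrail") and has_mgmt_read_write(t)
                            for t in logging_trails),
        "CloudTrail.2": bool(trails) and all(t.get("KmsKeyId") for t in trails),
        "CloudTrail.3": bool(logging_trails),
        "CloudTrail.4": bool(trails) and all(t.get("LogFileValidationEnabled") for t in trails),
        "CloudTrail.5": bool(trails) and all(t.get("CloudWatchLogsLogGroupArn") for t in trails),
        "CloudTrail.6": bool(log_buckets) and all(
            all(b.get("PublicAccessBlock", {}).get(f) for f in PUBLIC_ACCESS_FLAGS)
            for b in log_buckets),
        "CloudTrail.7": bool(log_buckets) and all(b.get("LoggingEnabled") for b in log_buckets),
    }


# Constructed sample: one multi-Region trail that misses three of the seven controls
SAMPLE_TRAILS = [{
    "Name": "org-trail",
    "IsMultiRegionTrail": True,
    "IsLogging": True,
    "S3BucketName": "example-cloudtrail-logs",
    "KmsKeyId": None,                       # CloudTrail.2 fails: no SSE-KMS key
    "LogFileValidationEnabled": True,
    "CloudWatchLogsLogGroupArn": None,      # CloudTrail.5 fails: no CloudWatch Logs delivery
    "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
}]
SAMPLE_BUCKETS = {"example-cloudtrail-logs": {
    "PublicAccessBlock": {f: True for f in PUBLIC_ACCESS_FLAGS},
    "LoggingEnabled": False,                # CloudTrail.7 fails: no bucket access logging
}}

if __name__ == "__main__":
    for control, ok in evaluate_account(SAMPLE_TRAILS, SAMPLE_BUCKETS).items():
        print(f"{control}: {'PASS' if ok else 'FAIL'}")
```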
