Ensure CloudTrail is enabled in all regions

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).

Risk Level: Low
Cloud Entity: Region
CloudGuard Rule ID: D9.AWS.LOG.07
Category: Global

GSL LOGIC

Region should have hasCloudTrail=true

REMEDIATION

From Portal

  1. Sign in to the AWS Management Console.
  2. Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.
  3. In the left navigation panel, select Trails.
  4. Under the Name column, select the trail that you need to update.
  5. Under the trail name, find the Apply trail to all regions status and click the pencil icon next to its current value.
  6. Select Yes to enable the feature and click Save.

From TF

resource "aws_cloudtrail" "example" {
  name                          = "management-events"
  s3_bucket_name                = "aws-cloudtrail-logs-853284604061-88d690f8"
  # Global service events (IAM, STS, CloudFront) are recorded only when this is true;
  # the provider default is true.
  include_global_service_events = false
  is_multi_region_trail         = true
}

From Command Line

aws cloudtrail create-trail --name TRAIL_NAME --s3-bucket-name S3_BUCKET_FOR_CLOUDTRAIL --is-multi-region-trail
aws cloudtrail start-logging --name TRAIL_NAME   # a new trail records nothing until logging is started
aws cloudtrail update-trail --name TRAIL_NAME --is-multi-region-trail   # or convert an existing single-region trail
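The GSL logic above is a per-region predicate, and the remediation sections fix it per trail. The following script is an added example (not CloudGuard's rule engine or AWS code) that evaluates "Region should have hasCloudTrail=true" against a DescribeTrails result and, for regions that fail, emits the matching CLI remediation as strings without running it. The trail list, logging statuses and region list are constructed sample data in the shape the AWS API returns; the `load_from_aws` helper is an assumed wiring to boto3 and is not executed here.

```python
"""Check which regions are covered by a logging CloudTrail trail.

Added example, not CloudGuard's or AWS's own code. A region counts as
covered when at least one trail that is actually logging either is a
multi-region trail (covers every region regardless of its home region) or
is a single-region trail homed in that region.
"""

# Constructed sample: regions enabled for the account (a live check would
# take these from ec2 DescribeRegions).
ENABLED_REGIONS = ["us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1"]

# Constructed sample in the shape of DescribeTrails().trailList: one
# single-region trail in us-east-1 and one multi-region trail that exists
# but has been stopped.
SAMPLE_TRAILS = [
    {"Name": "legacy-us-east", "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": False, "S3BucketName": "example-bucket-1"},
    {"Name": "org-wide", "HomeRegion": "eu-west-1",
     "IsMultiRegionTrail": True, "S3BucketName": "example-bucket-2"},
]

# Constructed sample of GetTrailStatus().IsLogging keyed by trail name.
SAMPLE_LOGGING_STATUS = {"legacy-us-east": True, "org-wide": False}


def regions_with_cloudtrail(trails, logging_status, regions):
    """Return {region: hasCloudTrail} for every region in `regions`."""
    covered = set()
    for trail in trails:
        if not logging_status.get(trail["Name"], False):
            continue  # a trail that exists but is stopped records nothing
        if trail.get("IsMultiRegionTrail"):
            covered.update(regions)
        else:
            covered.add(trail["HomeRegion"])
    return {region: region in covered for region in regions}


def failing_regions(trails, logging_status, regions):
    """Regions where the GSL predicate hasCloudTrail=true is false."""
    result = regions_with_cloudtrail(trails, logging_status, regions)
    return sorted(region for region, ok in result.items() if not ok)


def remediation_commands(trails, logging_status, regions):
    """Suggest the page's CLI remediation as strings (nothing is executed).

    Preference order: start a stopped multi-region trail, else convert an
    existing single-region trail, else create a new multi-region trail.
    """
    if not failing_regions(trails, logging_status, regions):
        return []
    multi = [t for t in trails if t.get("IsMultiRegionTrail")]
    if multi:
        return [f"aws cloudtrail start-logging --name {t['Name']}"
                for t in multi if not logging_status.get(t["Name"], False)]
    if trails:
        return [f"aws cloudtrail update-trail --name {trails[0]['Name']} "
                "--is-multi-region-trail"]
    # Placeholders mirror the page's command line; substitute real values.
    return ["aws cloudtrail create-trail --name TRAIL_NAME "
            "--s3-bucket-name S3_BUCKET_FOR_CLOUDTRAIL --is-multi-region-trail"]


def load_from_aws():
    """Assumed live wiring via boto3 (not run in this example).

    Returns (trails, logging_status, regions) in the shapes used above.
    """
    import boto3  # assumption: boto3 and credentials are available

    ec2 = boto3.client("ec2")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    ct = boto3.client("cloudtrail")
    trails = ct.describe_trails(includeShadowTrails=True)["trailList"]
    logging_status = {
        t["Name"]: ct.get_trail_status(Name=t.get("TrailARN", t["Name"]))["IsLogging"]
        for t in trails
    }
    return trails, logging_status, regions


if __name__ == "__main__":
    bad = failing_regions(SAMPLE_TRAILS, SAMPLE_LOGGING_STATUS, ENABLED_REGIONS)
    print("regions without CloudTrail:", bad)
    for cmd in remediation_commands(SAMPLE_TRAILS, SAMPLE_LOGGING_STATUS, ENABLED_REGIONS):
        print("remediation:", cmd)
```

With the constructed sample the stopped multi-region trail is the reason three regions fail, so the script recommends starting that trail rather than creating a second one; swapping the sample for `load_from_aws()` output gives the same report for a real account.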

References

  1. CIS Amazon Web Services Foundations Benchmark v1.3.0: https://workbench.cisecurity.org/benchmarks/679
  2. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#is_multi_region_trail

Region

Each Amazon EC2 Region is designed to be completely isolated from the other Amazon EC2 Regions. This achieves the greatest possible fault tolerance and stability.

Compliance Frameworks

  • AWS CIS Foundations v. 1.1.0
  • AWS CIS Foundations v. 1.2.0
  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CSA CCM v.3.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS GDPR Readiness
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0