CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events
Severity: High
Resource Types: AWS::CloudTrail::Trail
Description
This control checks that there is at least one multi-Region CloudTrail trail.
AWS CloudTrail records AWS API calls for your account and delivers log files to you. The recorded information includes the following information.
- Identity of the API caller
- Time of the API call
- Source IP address of the API caller
- Request parameters
- Response elements returned by the AWS service
CloudTrail provides a history of AWS API calls for an account, including API calls made from the AWS Management Console, AWS SDKs, command line tools. The history also includes API calls from higher-level AWS services such as AWS CloudFormation.
- The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Multi-Region trails also provide the following benefits.
- A multi-Region trail helps to detect unexpected activity occurring in otherwise unused Regions.
- A multi-Region trail ensures that global service event logging is enabled for a trail by default. Global service event logging records events generated by AWS global services.
- For a multi-Region trail, management events for all read and write operations ensure that CloudTrail records management operations on all of an AWS account’s resources.
By default, CloudTrail trails that are created using the AWS Management Console are multi-Region trails.
Remediation
To remediate this issue, create a new multi-Region trail in CloudTrail.
To create a new trail in CloudTrail
- Open the CloudTrail console.
- If you haven't used CloudTrail before, choose
Get Started Now
. - Choose
Trails
and then chooseCreate trail
. - Enter a name for the trail.
- Under
Storage location
, do one of the following:- To create a new S3 bucket for CloudTrail logs, for
Create a new S3 bucket
, choose Yes, then enter a name for the new S3 bucket. - To use an existing S3 bucket, for
Create a new S3 bucket
, chooseNo
, then select the S3 bucket to use.
- To create a new S3 bucket for CloudTrail logs, for
- Under
Additional settings
, chooseAdvanced
. ForEnable log file validation
, selectEnabled
. - Choose Create.
To update an existing trail in CloudTrail
- Open the CloudTrail console.
- Choose
Trails
. - In the
Name
column, choose the name of the trail. - For
Management events
, chooseEdit
. - For
Read/Write events
, selectManagement events
. - Under
API Activity
, selectRead and Write
.