Overview
- Activity in AWS account recorded in CloudTrail
- Enabled on AWS account when created
- Default: logs management events, 90 day retention, not logged to S3
- View events in event history console
- Download CSV/JSON export
- Create CloudTrail to archive/analyze changes to AWS
- Delivered to S3 bucket, CloudWatch, EventBridge
- Global (default) or regional
- Organization trails
- Log all events for Organization
- Create in management account
- Member accounts have no access by default
- Control Tower sets up organization level trail by default
- Log files encrypted using S3 server-side-encryption (SSE)
- Can also encrypt with KMS
- Organize with S3 lifecycle rules e.g. archive, delete automatically
- Event logs delivered on average within 15 mins of API call (not guaranteed)
- Subscribe to trail—SNS topic
Events
- Record of activity in account
- Triggered by user, role or service
- API and non-API activity
Management Events
- Control plane operations
- Info about management operations
- Examples:
- Configuration of security
- Registration of devices
- Configuration of rules for routing data
- Configuration of logging
- Also non-API events e.g. user log-in to account
Data Events
- Data plane operations
- Info about resource operations
- Examples:
- S3 object-level API operations
- Lambda execution
- DynamoDB object-level API activity
- Not logged by default—explicitly add resources to trail when creating
- High volume
- Charges apply
Insights Events
- Unusual API call/error rates
- Logged to a different prefix in S3 bucket
- Only logged when unusual activity detected
- Examples:
- Increase in S3
deleteBucket
API calls (e.g. 20 per min to 100 per min)
- Increase in IAM API
AccessDeniedException
response codes (e.g. <1 per day to 12 per minute)
- Disabled by defaults
Monitoring
- Send CloudTrail events to CloudWatch logs
- Trigger alarm according to metric filter
Security Best Practices
Detective
- Create a trail
- Required to archive >90 days of events in S3
- Configure for all management events in all regions (organization level if applicable)
- Log events in all regions
- Enable CloudTrail log file integrity
- Generates digest files—contain hashes of every log file
- Use to ensure logs haven’t been modified
- Integrate with CloudWatch logs
- Enables monitoring and alerting of events
- Enable detective control
cloud-trail-cloud-watch-logs-enabled
in AWS Config to ensure all trails send events
Preventative
- Log to dedicated central S3 bucket
- Enforce security controls, access, and segregation of duties
- Log archive account
- Use SSE with AWS KMS managed keys
- Rather than S3-managed encryption keys (SSE-S3)
- Directly manageable
- More secure—uses need bucket permission and policy to use key to decrypt
- Add a condition key to default SNS topic policy
- Add
aws:SourceArn
condition key to SNS policy statement—prevent unauthorised access to topic
- Implement least privilege access to log archive S3 bucket
- Enable MFA delete on log archive S3 bucket
- Confiogure S3 object lifecycle management on log archive
- Limit access to the AWSCloudTrail_FullAccess policy