AWS CloudTrail Event log disabled
Risk level: High
Rule ID: CT-002
To improve the security and governance posture of your AWS accounts, enable AWS CloudTrail event logging for all AWS regions: without it, API activity in the account cannot be audited, investigated or alerted on.
This rule checks for and lists AWS Accounts that don't have AWS CloudTrail Event log enabled.
CloudTrail Event history is enabled by default when an AWS account is created: every management API call in the account is recorded, and the last 90 days of these events can be viewed in the CloudTrail console under Event history without any configuration.
However, to retain events beyond 90 days and to analyse or monitor them, you need a trail: a configuration that delivers events as log files to an S3 bucket of your choice (and optionally to CloudWatch Logs).
A trail is either single-region or multi-region. A single-region trail records only events from the region in which it was created, whereas a multi-region trail, which is the recommended choice, records events from all regions, including regions enabled later, together with global service events such as IAM and STS calls.
Audit
Carry out the following steps to verify whether CloudTrail event logging is enabled in your account.
Using AWS Console
1. Access the CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.
2. In the left navigation panel, select Trails.
3. If the table is empty and shows only a Create trail button, the account has no trail configured for this AWS region (a multi-region trail created in any region is listed here too).
4. Switch to another AWS region and verify whether any trails exist there.
5. A trail that is listed but whose logging has been stopped records nothing either; open each trail and confirm that logging is on.
Using AWS CLI
1. Run the describe-trails command to list the trails visible in the selected AWS region. The output also includes multi-region trails whose home region is elsewhere (shadow trails), so a multi-region trail shows up in every region.
aws cloudtrail describe-trails \
--region us-east-1
2. The output lists the properties of every configured trail. If the output is an empty list, no trail records events in this region.
Output
{
"trailList": []
}
3. Change the --region parameter to check for trails in the other AWS regions. Note that a trail whose logging has been stopped is still returned by describe-trails, so an empty list is not the only failing case.
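The two-step check above (does a trail exist, and is it actually logging) is easy to get wrong by hand across many regions. The script below is an added example written for this page, not nOps code: evaluate_coverage() is a pure function over the shapes returned by DescribeTrails and GetTrailStatus, so it runs offline on the constructed sample included in the block, and fetch_inputs() gathers the same data from a live account with boto3 (assumed: boto3 installed, credentials and a default region configured). Region names, account ID 111122223333, trail names and the KMS key ARN in the sample are constructed for illustration.

```python
"""CloudTrail coverage audit for one AWS account (added example, not nOps code)."""
from __future__ import annotations

try:
    import boto3  # needed only by fetch_inputs(); the evaluation has no AWS dependency
except ImportError:
    boto3 = None


def evaluate_coverage(regions, trails, statuses):
    """Return findings for the account.

    regions:  enabled region names, e.g. ["us-east-1", "eu-west-1"]
    trails:   DescribeTrails trail dicts, one per distinct TrailARN (shadow copies
              of a multi-region trail collapsed into its home-region entry)
    statuses: {TrailARN: GetTrailStatus dict}

    A region counts as covered only by a trail that is currently logging and is
    either multi-region or homed in that region. describe-trails alone cannot
    show this: a trail whose logging was stopped is still listed.
    """
    logging_arns = {
        t["TrailARN"] for t in trails
        if statuses.get(t["TrailARN"], {}).get("IsLogging")
    }
    covered = set()
    for t in trails:
        if t["TrailARN"] not in logging_arns:
            continue
        if t.get("IsMultiRegionTrail"):
            covered.update(regions)
        else:
            covered.add(t["HomeRegion"])
    uncovered = sorted(set(regions) - covered)
    return {
        "regions_without_logging": uncovered,
        "trails_not_logging": sorted(
            t["Name"] for t in trails if t["TrailARN"] not in logging_arns),
        "trails_without_validation": sorted(
            t["Name"] for t in trails if not t.get("LogFileValidationEnabled")),
        "trails_without_kms": sorted(
            t["Name"] for t in trails if not t.get("KmsKeyId")),
        "trails_with_delivery_errors": sorted(
            t["Name"] for t in trails
            if statuses.get(t["TrailARN"], {}).get("LatestDeliveryError")),
        "compliant": not uncovered,
    }


def fetch_inputs(session=None):
    """Collect (regions, trails, statuses) from a live account through boto3."""
    session = session or boto3.Session()
    regions = [r["RegionName"] for r in session.client("ec2").describe_regions()["Regions"]]
    trails, statuses = {}, {}
    for region in regions:
        ct = session.client("cloudtrail", region_name=region)
        # Shadow trails excluded, so each multi-region trail is seen once, in its home
        # region. Organization trails owned by a management account are hidden from
        # member accounts this way; audit those from the management account.
        for t in ct.describe_trails(includeShadowTrails=False)["trailList"]:
            trails[t["TrailARN"]] = t
            statuses[t["TrailARN"]] = ct.get_trail_status(Name=t["TrailARN"])
    return regions, list(trails.values()), statuses


# Constructed sample: one regional trail that is logging, one that was stopped.
SAMPLE_REGIONS = ["eu-west-1", "us-east-1", "us-west-2"]
SAMPLE_TRAILS = [
    {"Name": "default-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/default-trail",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"Name": "eu-trail",
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/eu-trail",
     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False},
]
SAMPLE_STATUSES = {
    SAMPLE_TRAILS[0]["TrailARN"]: {"IsLogging": True, "LatestDeliveryError": ""},
    SAMPLE_TRAILS[1]["TrailARN"]: {"IsLogging": False, "LatestDeliveryError": "AccessDenied"},
}

if __name__ == "__main__":
    import json
    import sys
    inputs = (fetch_inputs() if "--live" in sys.argv
              else (SAMPLE_REGIONS, SAMPLE_TRAILS, SAMPLE_STATUSES))
    print(json.dumps(evaluate_coverage(*inputs), indent=2))
```

Run it without arguments to see the findings for the constructed sample (two uncovered regions, one stopped trail with a delivery error), or with --live against a real account. A single multi-region trail that is logging is enough for the account to be compliant; the other findings (no log file validation, no KMS key, delivery errors) are the items the Remediation section below addresses.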
Remediation
Using AWS Console
Follow the steps below to create a trail that delivers events to an S3 bucket of your choice.
1. Access the CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.
2. In the left navigation panel, select Trails.
3. Click the Create trail button.
a. In the General details section:
I. Enter a trail name, e.g., default-trail.
II. For Storage location, choose Use an existing bucket or Create a new S3 bucket, depending on whether you already have a bucket for the logs.
III. Enable Log file SSE-KMS encryption (highly recommended) and choose an existing KMS key or create a new one. If you create a new key, provide an AWS KMS alias.
IV. Enable Log file validation, so that CloudTrail also delivers digest files you can later use to prove the log files were not modified or deleted.
V. Scroll down and click Next.
b. In the Choose log events section, choose which events this trail records. This example records Management events only.
I. For Event type, choose Management events.
II. For API activity, select both Read and Write.
III. Click Next.
c. Review the configuration in the Review and create section, then scroll down and click Create trail. The console creates the trail and starts logging immediately, so events begin to be delivered to the S3 bucket.
Using AWS CLI
1. Run the describe-trails command to list the trails in the specified AWS region.
aws cloudtrail describe-trails \
--region us-east-1
2. The output lists the properties of every configured trail in the region. As in the audit step, an empty list means no trail is configured in this region.
Output
{
"trailList": []
}
3. Run the create-trail command with the options listed below to create the trail.
--name: the name of the trail, e.g., default-trail.
--s3-bucket-name: the name of the bucket that receives the log files.
--is-multi-region-trail: record events from all regions, including regions enabled later.
--enable-log-file-validation: enable CloudTrail log file integrity validation (hourly digest files).
--kms-key-id: the KMS key used to encrypt the log files (a key ARN as below, or a key ID or alias).
aws cloudtrail create-trail \
--name default-trail \
--s3-bucket-name aws-cloudtrail-logs-695292474035-548ae90e \
--is-multi-region-trail \
--enable-log-file-validation \
--kms-key-id arn:aws:kms:us-east-1:XXXXXXXXX:key/3316612e-e112-4f50-967e-20df8fb14cad
Output
{
"Name": "default-trail",
"S3BucketName": "aws-cloudtrail-logs-695292474035-548ae90e",
"IncludeGlobalServiceEvents": true,
"IsMultiRegionTrail": true,
"TrailARN": "arn:aws:cloudtrail:us-east-1:695292474035:trail/default-trail",
"LogFileValidationEnabled": true,
"IsOrganizationTrail": false
}
Ensure that the following prerequisites are met:
- An S3 bucket exists for the --s3-bucket-name parameter, and its bucket policy allows the CloudTrail service principal to write to it (s3:GetBucketAcl on the bucket and s3:PutObject on the log object path).
- A KMS key exists for the --kms-key-id parameter.
- The KMS key policy allows CloudTrail to encrypt with the key (kms:GenerateDataKey*) and allows the principals who read the logs to decrypt them (kms:Decrypt); without the decrypt permission, log consumers cannot read the delivered objects.
Note that create-trail only creates the trail; unlike the console, it does not start logging. Run the start-logging command for the new trail afterwards and confirm with get-trail-status that IsLogging is true, otherwise the trail exists but no events are recorded.
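The same remediation through the API, as an added example for this page rather than nOps code. It assumes the S3 bucket and KMS key already exist with the policies listed above, and it takes the CloudTrail client as a parameter: pass boto3.client("cloudtrail", region_name="us-east-1") for a real account (boto3 assumed installed and configured), or the FakeCloudTrail stand-in defined in the block, a constructed stub that only records which API calls were made, to see the sequence offline. The bucket name, account ID 111122223333 and KMS key ARN in the usage are constructed placeholders.

```python
"""Create a multi-region CloudTrail trail via the API and make sure it is logging.

Added example, not nOps code. The client is injected so the same function works with
a real boto3 CloudTrail client or with the offline FakeCloudTrail stand-in below.
"""


def ensure_trail_logging(client, name, bucket, kms_key_arn):
    """Create the trail if it does not exist, then start logging and verify.

    The CreateTrail API returns a trail in the stopped state; unlike the console's
    Create trail button it does not begin delivery, so StartLogging is always part
    of CLI or SDK remediation. The function is idempotent and can be re-run safely.
    """
    found = client.describe_trails(trailNameList=[name])["trailList"]
    if found:
        trail = found[0]
    else:
        trail = client.create_trail(
            Name=name,
            S3BucketName=bucket,
            IsMultiRegionTrail=True,          # all regions, including ones enabled later
            IncludeGlobalServiceEvents=True,  # IAM, STS and other global-service events
            EnableLogFileValidation=True,     # hourly digest files for integrity checks
            KmsKeyId=kms_key_arn,
        )
    arn = trail["TrailARN"]
    status = client.get_trail_status(Name=arn)
    if not status["IsLogging"]:
        client.start_logging(Name=arn)
        status = client.get_trail_status(Name=arn)
    if not status["IsLogging"]:
        raise RuntimeError(f"trail {name} exists but is still not logging")
    return {"TrailARN": arn, "IsLogging": True, "Created": not found}


class FakeCloudTrail:
    """Constructed stand-in for a boto3 CloudTrail client: records the calls made."""

    def __init__(self):
        self.calls = []
        self.trail = None
        self.logging = False  # mirrors the real API: a new trail starts stopped

    def describe_trails(self, **kw):
        self.calls.append("describe_trails")
        names = kw.get("trailNameList", [])
        hit = self.trail is not None and self.trail["Name"] in names
        return {"trailList": [dict(self.trail)] if hit else []}

    def create_trail(self, **kw):
        self.calls.append("create_trail")
        self.trail = {
            "Name": kw["Name"],
            "TrailARN": f"arn:aws:cloudtrail:us-east-1:111122223333:trail/{kw['Name']}",
            "IsMultiRegionTrail": kw.get("IsMultiRegionTrail", False),
        }
        return dict(self.trail)

    def get_trail_status(self, **kw):
        self.calls.append("get_trail_status")
        return {"IsLogging": self.logging}

    def start_logging(self, **kw):
        self.calls.append("start_logging")
        self.logging = True
        return {}


if __name__ == "__main__":
    fake = FakeCloudTrail()
    print(ensure_trail_logging(
        fake, "default-trail", "aws-cloudtrail-logs-example",
        "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"))
    print(fake.calls)
```

With the stub, the first run shows the call order describe_trails, create_trail, get_trail_status, start_logging, get_trail_status; a second run only describes the trail and reads its status, because logging is already on. Against a real account the same function also repairs the case this rule does not distinguish from a missing trail: a trail that exists but was stopped.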