AWS CloudTrail Security Best Practices to Keep in Mind
Since AWS CloudTrail was first introduced, it has gradually become a popular solution for monitoring user activity and recording actions taken in a given AWS account. For example, CloudTrail can be used to provide a complete history of AWS calls made by an AWS account. It can also help you to identify security threats, pinpoint operations performed by administrators and other users, track API usage, etc.
However, like any tool or technology, it can present security risks to your AWS environment if misused or not properly configured and maintained. As such, CloudTrail isn’t a “set” “and” “forget” thing. That is why in this article, we are going to walk you through the top security best practices for AWS CloudTrail.
What is AWS CloudTrail?
AWS CloudTrail is an AWS service that tracks user activity and API usage to continuously monitor and retain user activity across your AWS infrastructure. It provides operational and risk auditing, giving you control over your storage, auditing, and remediation actions. AWS CloudTrail is classified as a “Management and Governance” tool in the AWS console. One might say that the motto of this tool is “prevent tampering with CloudTrail,” so to speak.
It allows AWS account owners to record and log every API call made to every resource in their AWS account, sending log files to Amazon S3 buckets for storage. An API call can be made, for example:
- When a REST API call is made to an AWS resource
- When access to a resource from the AWS console occurs
- When a user runs an AWS CLI command
Whether these actions come from users, applications, or another AWS service, CloudTrail records and logs them to provide visibility. CloudTrail can also be configured to send you notifications for each log file delivered and consolidate log files across multiple accounts so that all log files are stored in a single S3 bucket.
Suggested reading: Top Amazon S3 Bucket Misconfigurations
What are the benefits of AWS CloudTrail?
AWS CloudTrail comes in handy for developer teams, especially DevSecOps, to gain visibility for account vulnerabilities and stick to compliance standards. They can, for example, find and analyze logs to find a particular action that happened in the account, the user or process that initiated it, and the resources that were affected by that action.
Besides these benefits, AWS CloudTrail:
- Aggregates activity records across all regions and accounts
- Brings visibility into user and API activity
- Enables you to dig into important information regarding each recorded action, including who made the request, what actions were performed, and the services used
- Allows you to track changes and activities happening to your AWS resources and remediate operational issues faster
- Helps meet compliance requirements with internal policies and regulatory standards
Suggested reading: Getting Started with AWS Config
Best practices for AWS CloudTrail security
When any kind of data is stored, security is almost always the hottest concern (as it should be.) By default, CloudTrail keeps log files encrypted using Amazon S3 Server Side Encryption (SSE). However, the bigger part of the responsibility falls on your shoulders, including:
- Configuring access to log files by applying IAM and S3 bucket policies
- Enabling S3 Multi-Factor Authentication Delete (MFA)
Let’s see what else you can do to protect your CloudTrail logs. Pro tip: You can assess all CloudTrail security best practices below using Resmo.
1. Ensure a log metric filter and alarm exist for CloudTrail events
It’s a CloudTrail best practice to set up a metric filter and alarm to detect changes to your CloudTrail events. You can monitor your API calls in real time by directing CloudTrail events to CloudWatch logs and configuring corresponding metric filters and alarms. Amazon CloudWatch helps you consolidate operational and monitoring data in different forms like logs, events, and metrics.
Once you integrate CloudTrail with CloudWatch logs, you can get alerts for CloudTrail events in near real-time. By continuously monitoring your CloudTrail configuration changes, you’ll be able to maintain visibility across all activities performed in your AWS account and get notified when an important or sensitive event occurs. Helpful article: Creating CloudWatch alarms for CloudTrail events.
2. AWS CloudTrail S3 Destination Bucket should have access logging enabled
S3 Bucket Access Logging generates a log containing access records for every request made to your S3 bucket. An access log record contains detailed information about the request, including the request type, the specified resources in the request worked, and the date the request was processed. By enabling S3 bucket logging target S3 buckets, you can monitor all events which may affect objects within your target buckets.
3. AWS CloudTrail S3 Destination Bucket should be private
AWS CloudTrail logs all API calls made in your account and stores those logs in an S3 bucket. The recommended security best practice here is to prevent public access to the CloudTrail logs by making the bucket policy or access control list (ACL) applied to that S3 bucket private. Allowing public access to your CloudTrail logs could aid malicious threat actors in identifying weak spots in your account’s use or configuration.
Furthermore, keeping your AWS CloudTrail S3 Destination Bucket private also contributes to complying with multiple AWS compliance packs, including the CIS AWS Foundations Benchmark controls and the AWS Startup Security Baseline (AWS SSB).
4. AWS CloudTrail trail log file validation should be enabled
CloudTrail log file validation helps you create a digitally signed digest file containing a hash of each log that CloudTrail records into an S3 bucket. You can use these digest files to understand whether a log file was changed, deleted, or remained unchanged after CloudTrail delivered the log. Therefore, enabling log file validation will ensure an additional layer of security. Plus, it’s even necessary for the CIS AWS benchmarks.
5. AWS CloudTrail should have encryption at rest enabled
You can fortify your CloudTrail security further by configuring Server Side Encryption (SSE), and KMS Customer Created Master Keys (CMK) for your logs. AWS Key Management Service (KMS) is a managed AWS service that helps you create and manage the encryption keys used to encrypt account data.
So, it’s recommended to leverage SSE-KMS to achieve additional confidentiality controls over log data as a user must have S3 read permission on the corresponding log bucket and must be granted permission to decrypt by the CMK policy.
6. Using AWS Config rules to meet CloudTrail standards for the CIS AWS Foundations Benchmark controls
Another way to keep your CloudTrail secure is using AWS Config. AWS Config is an AWS service that allows you to audit and evaluate your AWS resource configurations against a set of rules. Using AWS Config rules and remediations can be a method to ensure that your CloudTrail is configured according to CIS controls. However, mind that this service may not be the most budget-friendly alternative for you.
Another alternative is using Resmo, a continuous cyber asset attack surface management solution. It helps you automatically assess your entire AWS asset inventory, including CloudTrail logs, against security best practices and compliance standards like CIS benchmarks and other AWS standards like AWS Partner Hosted Foundational Technical Review.
If you don’t know much about AWS Config, take a look at our article, Introduction to AWS Config.
Automate AWS CloudTrail best practices with Resmo
Going through all best practices for your AWS CloudTrail account can be time-consuming and error-prone for your security and developer teams. Winging the necessary configurations and hoping no vulnerabilities or attacks occur is definitely not the best solution either. Instead, you can use Resmo to leverage predefined AWS CloudTrail rules along with hundreds of other cloud and SaaS security rules.
Rules on Resmo are automated checks assessing whether your resources and configurations align with security best practices and compliance standards. Connect Resmo with your AWS account with agentless integration to:
- Query your resources and resource changes
- Collect all assets in one place, visualizing their context and relations
- Check if there’s any vulnerable asset or configuration
- And more
Keep AWS compliance in trail
Compliance packs on Resmo help you track the compliance of your assets and configurations. You can use them to comply with industry standards and AWS security best practices, including:
- AWS CIS 1.4.0 Level 1.2 Benchmark
- AWS Partner Hosted Foundational Technical Review
- AWS Startup Security Baseline (AWS SSB)
- AWS Encryption Best Practices
Ready to try Resmo for your AWS CloudTrail security? Start your free trial in minutes; no strings attached.