- Newest
- Most votes
- Most comments
Yes , you are correct. You can use Security help to run checks on those mandatory guardrails and configurations in order to meet the compliance requirements.
The two in particular that you are referencing are:
- [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events
- [CloudTrail.3] CloudTrail should be enabled
You can verify the requirements here: AWS CloudTrail controls
[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events
Related requirements: CIS AWS Foundations Benchmark v1.2.0/2.1, CIS AWS Foundations Benchmark v1.4.0/3.1, NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-14(1), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), NIST.800-53.r5 SA-8(22)
Category: Identify > Logging
Severity: High
Resource type: AWS::::Account
AWS Config rule: multi-region-cloudtrail-enabled
Schedule type: Periodic
Parameters:
readWriteType
:ALL
This control checks that there is at least one multi-Region CloudTrail trail. It also checks that the ExcludeManagementEventSources
parameter is empty for at least one of those trails.
AWS CloudTrail records AWS API calls for your account and delivers log files to you. The recorded information includes the following information.
-
Identity of the API caller
-
Time of the API call
-
Source IP address of the API caller
-
Request parameters
-
Response elements returned by the AWS service
CloudTrail provides a history of AWS API calls for an account, including API calls made from the AWS Management Console, AWS SDKs, command line tools. The history also includes API calls from higher-level AWS services such as AWS CloudFormation.
The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Multi-Region trails also provide the following benefits.
-
A multi-Region trail helps to detect unexpected activity occurring in otherwise unused Regions.
-
A multi-Region trail ensures that global service event logging is enabled for a trail by default. Global service event logging records events generated by AWS global services.
-
For a multi-Region trail, management events for all read and write operations ensure that CloudTrail records management operations on all resources in an AWS account.
By default, CloudTrail trails that are created using the AWS Management Console are multi-Region trails.
Note
This control is not supported in Middle East (UAE).
Remediation
To create a new multi-Region trail in CloudTrail, see Creating a trail in the AWS CloudTrail User Guide. Use the following values:
<table> <tr> <td><strong>Field</strong> </td> <td><strong>Value</strong> </td> </tr> <tr> <td>Additional settings, Log file validation </td> <td>Enabled </td> </tr> <tr> <td>Choose log events, Management events, API activity </td> <td><strong>Read</strong> and <strong>Write</strong> </td> </tr> </table>To update an existing trail, see Updating a trail in the AWS CloudTrail User Guide. In Management events, for API activity, choose Read and Write.
[CloudTrail.3] CloudTrail should be enabled
Related requirements: PCI DSS v3.2.1/10.1, PCI DSS v3.2.1/10.2.1, PCI DSS v3.2.1/10.2.2, PCI DSS v3.2.1/10.2.3, PCI DSS v3.2.1/10.2.4, PCI DSS v3.2.1/10.2.5, PCI DSS v3.2.1/10.2.6, PCI DSS v3.2.1/10.2.7, PCI DSS v3.2.1/10.3.1, PCI DSS v3.2.1/10.3.2, PCI DSS v3.2.1/10.3.3, PCI DSS v3.2.1/10.3.4, PCI DSS v3.2.1/10.3.5, PCI DSS v3.2.1/10.3.6
Category: Identify > Logging
Severity: High
Resource type: AWS::::Account
AWS Config rule: cloudtrail-enabled
Schedule type: Periodic
Parameters: None
This control checks whether CloudTrail is enabled in your AWS account. The control fails if your account doesn't have at least one CloudTrail trail.
However, some AWS services do not enable logging of all APIs and events. You should implement any additional audit trails other than CloudTrail and review the documentation for each service in CloudTrail Supported Services and Integrations.
Remediation
To get started with CloudTrail and create a trail, see the Getting started with AWS CloudTrail tutorial in the AWS CloudTrail User Guide.
I agree with the feedback that has been provided. Landing Zone or AWS Organization construct CloudTrail configure in the Management Account consolidated CloudTrail Management Events, Data Events, and Insights events. The destination is the highly durable and resilient S3 bucket for the trails. CloudTrail behaves regionally and globally in AWS Partition US-EAST-1. The best practice is to create a "trail" that applies to all Regions in the AWS partition you are working on. And, AWS Organizations, or Landing Zone can work with CloudWatch Events to raise events when administrator-specified actions occur in an organization. This is the default setting when you create a trail in the CloudTrail console. CloudTrail Management events were covered. Additionally, CloudTrail data events, or data plane operations show resource operations performed on a resource in an AWS account. These operations are often high-volume activities. CloudTrail Insights analyzes your normal patterns of API call volume and API error rates, baseline, and generates Insights events when calls are made to volume or error rates that are outside normal patterns by API calls.
There is AWS Artifact, which is a central resource for compliance-related information for Organizational Compliance. AWS Artifact Reports can download AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC). As stated complaints with cis-aws-foundations-benchmark-1.2.0 is an AWS Independent Software Vendor (ISV) partner. AWS is a Security Benchmarks Member company that includes guidelines for secure configurations for e.g., a subset of AWS cloud services. It also provides on-demand access to security as well as sells products on AWS Marketplace.
Relevant content
- Accepted Answerasked 7 months ago
- asked 2 years ago
- asked 3 months ago
- AWS OFFICIALUpdated 4 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago