Duplicate Entries Should Be Avoided In CloudTrail Logs
More Info:
Only one trail within a CloudTrail multi-region logging configuration should have Include Global Services feature enabled in order to avoid duplicate log events being recorded for the AWS global services such as IAM, STS or Cloudfront.Risk Level
MediumAddress
SecurityCompliance Standards
HIPAATriage and Remediation
Remediation
Using Console
Using Console
To remediate the duplicate entries issue in CloudTrail Logs in AWS using AWS Console, follow the below steps:
- Open the AWS Management Console and navigate to the CloudTrail service.
- In the CloudTrail dashboard, click on the Trails link on the left-hand side of the page.
- Select the trail that you want to remediate and click on the Edit button.
- Scroll down to the Event selectors section and click on the Edit button.
- In the Edit event selector dialog box, you will see a list of all the AWS services that are being logged by CloudTrail.
- To avoid duplicate entries, you need to ensure that the same events are not being logged twice.
- For example, if you see that the “S3” service is being logged twice, you can uncheck one of the checkboxes to avoid duplicate entries.
- Once you have made the necessary changes, click on the Save button to save the changes.
- Verify that the duplicate entries have been remediated by checking the CloudTrail logs for the selected trail.
Using CLI
Using CLI
To remediate duplicate entries in AWS CloudTrail logs using AWS CLI, follow these steps:
-
Open your AWS CLI and run the following command to get a list of all trails in your account:
- Identify the trail you want to modify and note down its name.
-
Run the following command to update the trail settings and enable log file validation:
This will enable log file integrity validation, which helps detect and prevent duplicate entries in CloudTrail logs.
-
Next, run the following command to create a new S3 bucket policy that prevents overwriting existing log files:
Replace
<bucket-name>with the name of the S3 bucket where your CloudTrail logs are stored. This policy denies any attempts to overwrite existing log files in the S3 bucket, which helps prevent duplicate entries. -
Finally, run the following command to enable CloudTrail log file validation for the S3 bucket:
Replace
<trail-name>and<bucket-name>with the appropriate values. This command enables log file validation for the specified S3 bucket and ensures that duplicate entries are detected and prevented in CloudTrail logs.
Using Python
Using Python
To remediate duplicate entries in CloudTrail logs in AWS using Python, you can follow the below steps:
-
Install the AWS SDK for Python (Boto3) using the command
pip install boto3. - Create a new Python file and import the necessary modules:
- Connect to the AWS CloudTrail service using the
boto3.clientmethod:
- Retrieve the list of trails using the
describe_trailsmethod:
- Loop through the list of trails and retrieve the trail ARN for each trail:
- Retrieve the current CloudTrail settings for each trail using the
get_trailmethod:
- Check if the
S3KeyPrefixparameter is set to a unique value for each trail:
- If the
S3KeyPrefixparameter is set to the default value, update the value to a unique value using theupdate_trailmethod:
- Save and run the Python file to remediate the duplicate entries in CloudTrail logs for all the trails in your AWS account.