Cloudanix
AWS CloudTrail Audit
CloudTrail Logging Bucket Should Use MFA Delete Feature
Your AWS CloudTrail logging bucket should use the Multi-Factor Authentication (MFA) Delete feature in order to prevent the deletion of any versioned log files.
CloudTrail Logging Buckets Should Not Be Publicly Accessible
AWS CloudTrail logging buckets should not be publicly accessible. An overly permissive or insecure set of permissions on your CloudTrail logging S3 buckets could give malicious users access to your AWS account log data, which can exponentially increase the risk of unauthorized access.
CloudTrail Must Log Data Events
Your AWS CloudTrail trails should be configured to log Data events in order to record S3 object-level API operations, such as GetObject, DeleteObject and PutObject.
Log Files Should Be Delivered Without Any Failures
The log files generated by your AWS CloudTrail trails should be delivered without any failures to designated recipients in order to keep CloudTrail logging data for security and compliance audits.
CloudTrail Must Be Enabled For All Regions
CloudTrail should be enabled for all AWS regions in order to increase the visibility of the API activity in your AWS account for security and management purposes.
Trails Should Record Both Regional And Global Events
Your CloudTrail trails should be recording both regional and global events in order to increase the visibility of the API activity in your AWS account for security and management purposes.
Duplicate Entries Should Be Avoided In CloudTrail Logs
Only one trail within a CloudTrail multi-region logging configuration should have the Include Global Services feature enabled, in order to avoid duplicate log events being recorded for AWS global services such as IAM, STS or CloudFront.
CloudTrail Events Should Be Monitored By CloudWatch Logs
AWS CloudTrail events should be monitored with CloudWatch Logs for management and security purposes.
File Integrity Validation Feature Should Be Enabled For Trails
Your trails should have the file integrity validation feature enabled in order to check the log files and detect whether they were modified or deleted after the CloudTrail agent delivered them to the S3 bucket.
CloudTrail Logs Should Be Encrypted
Your CloudTrail logs should be encrypted at rest using server-side encryption provided by AWS KMS-Managed Keys (SSE-KMS) to enhance the security of your CloudTrail bucket.
CloudTrails Must Log Management Events
All your AWS CloudTrail trails should be configured to log Management events in order to record important operations such as EC2 RunInstances, DescribeInstances, TerminateInstances and Console Login.
CloudTrail Should Be Configured To Use Appropriate S3 Bucket
Your Amazon CloudTrail trail should be configured to use the appropriate S3 bucket in order to meet regulatory compliance requirements within your organization.
Server Access Logging Feature Should Be Enabled
Any S3 buckets used by AWS CloudTrail should have the Server Access Logging feature enabled in order to track requests to access the buckets, which is necessary for security audits.
Object Lock Feature Should Be Enabled
The Amazon S3 buckets associated with your CloudTrail trails should have the Object Lock feature enabled in order to prevent the objects they store (i.e. trail log files) from being deleted and to meet regulatory compliance requirements.
