Submitted URL: https://docs.aws.amazon.com/console/securityhub/CloudTrail.4/remediation
Effective URL: https://docs.aws.amazon.com/securityhub/latest/userguide/cloudtrail-controls.html
Submission: On September 21 via api from IN — Scanned from DE




AWS CloudTrail controls - AWS Security Hub


AWS CLOUDTRAIL CONTROLS


These controls are related to CloudTrail resources.

These controls may not be available in all AWS Regions. For more information,
see Availability of controls by Region.


[CLOUDTRAIL.1] CLOUDTRAIL SHOULD BE ENABLED AND CONFIGURED WITH AT LEAST ONE
MULTI-REGION TRAIL THAT INCLUDES READ AND WRITE MANAGEMENT EVENTS

Related requirements: CIS AWS Foundations Benchmark v1.2.0/2.1, CIS AWS
Foundations Benchmark v1.4.0/3.1, NIST.800-53.r5 AC-2(4), NIST.800-53.r5
AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12,
NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5
AU-6(4), NIST.800-53.r5 AU-14(1), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9),
NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8),
NIST.800-53.r5 SA-8(22)

Category: Identify > Logging

Severity: High

Resource type: AWS::::Account

AWS Config rule: multi-region-cloudtrail-enabled

Schedule type: Periodic

Parameters:

 * readWriteType: ALL

This control checks that there is at least one multi-Region CloudTrail trail. It
also checks that the ExcludeManagementEventSources parameter is empty for at
least one of those trails.

AWS CloudTrail records AWS API calls for your account and delivers log files to
you. The recorded information includes the following.

 * Identity of the API caller

 * Time of the API call

 * Source IP address of the API caller

 * Request parameters

 * Response elements returned by the AWS service

CloudTrail provides a history of AWS API calls for an account, including API
calls made from the AWS Management Console, AWS SDKs, and command line tools.
The history also includes API calls from higher-level AWS services such as AWS
CloudFormation.

The AWS API call history produced by CloudTrail enables security analysis,
resource change tracking, and compliance auditing. Multi-Region trails also
provide the following benefits.

 * A multi-Region trail helps to detect unexpected activity occurring in
   otherwise unused Regions.

 * A multi-Region trail ensures that global service event logging is enabled for
   a trail by default. Global service event logging records events generated by
   AWS global services.

 * For a multi-Region trail, management events for all read and write operations
   ensure that CloudTrail records management operations on all resources in an
   AWS account.

By default, CloudTrail trails that are created using the AWS Management Console
are multi-Region trails.


REMEDIATION

To create a new multi-Region trail in CloudTrail, see Creating a trail in the
AWS CloudTrail User Guide. Use the following values:

Field                                              | Value
Additional settings, Log file validation           | Enabled
Choose log events, Management events, API activity | Read and Write. Clear check boxes for exclusions.

To update an existing trail, see Updating a trail in the AWS CloudTrail User
Guide. In Management events, for API activity, choose Read and Write.


[CLOUDTRAIL.2] CLOUDTRAIL SHOULD HAVE ENCRYPTION AT-REST ENABLED

Related requirements: PCI DSS v3.2.1/3.4, CIS AWS Foundations Benchmark
v1.2.0/2.7, CIS AWS Foundations Benchmark v1.4.0/3.7, NIST.800-53.r5 AU-9,
NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13,
NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10),
NIST.800-53.r5 SI-7(6)

Category: Protect > Data protection > Encryption of data at rest

Severity: Medium

Resource type: AWS::CloudTrail::Trail

AWS Config rule: cloud-trail-encryption-enabled

Schedule type: Periodic

Parameters: None

This control checks whether CloudTrail is configured to use server-side
encryption (SSE) with an AWS KMS key. The control fails if the KmsKeyId isn't
defined.

For an added layer of security for your sensitive CloudTrail log files, you
should use server-side encryption with AWS KMS keys (SSE-KMS) for your
CloudTrail log files for encryption at rest. Note that by default, the log files
delivered by CloudTrail to your buckets are encrypted with Amazon S3-managed
encryption keys (SSE-S3).


REMEDIATION

To enable SSE-KMS encryption for CloudTrail log files, see Update a trail to use
a KMS key in the AWS CloudTrail User Guide.


[CLOUDTRAIL.3] CLOUDTRAIL SHOULD BE ENABLED

Related requirements: PCI DSS v3.2.1/10.1, PCI DSS v3.2.1/10.2.1, PCI DSS
v3.2.1/10.2.2, PCI DSS v3.2.1/10.2.3, PCI DSS v3.2.1/10.2.4, PCI DSS
v3.2.1/10.2.5, PCI DSS v3.2.1/10.2.6, PCI DSS v3.2.1/10.2.7, PCI DSS
v3.2.1/10.3.1, PCI DSS v3.2.1/10.3.2, PCI DSS v3.2.1/10.3.3, PCI DSS
v3.2.1/10.3.4, PCI DSS v3.2.1/10.3.5, PCI DSS v3.2.1/10.3.6

Category: Identify > Logging

Severity: High

Resource type: AWS::::Account

AWS Config rule: cloudtrail-enabled

Schedule type: Periodic

Parameters: None

This control checks whether CloudTrail is enabled in your AWS account. The
control fails if your account doesn't have at least one CloudTrail trail.

However, some AWS services do not log all of their APIs and events through
CloudTrail. Implement any additional audit trails that such services require,
and review the documentation for each service in CloudTrail Supported Services
and Integrations.


REMEDIATION

To get started with CloudTrail and create a trail, see the Getting started with
AWS CloudTrail tutorial in the AWS CloudTrail User Guide.


[CLOUDTRAIL.4] CLOUDTRAIL LOG FILE VALIDATION SHOULD BE ENABLED

Related requirements: PCI DSS v3.2.1/10.5.2, PCI DSS v3.2.1/10.5.5, CIS AWS
Foundations Benchmark v1.2.0/2.2, CIS AWS Foundations Benchmark v1.4.0/3.2,
NIST.800-53.r5 AU-9, NIST.800-53.r5 SI-4, NIST.800-53.r5 SI-7(1), NIST.800-53.r5
SI-7(3), NIST.800-53.r5 SI-7(7)

Category: Data protection > Data integrity

Severity: Low

Resource type: AWS::CloudTrail::Trail

AWS Config rule: cloud-trail-log-file-validation-enabled

Schedule type: Periodic

Parameters: None

This control checks whether log file integrity validation is enabled on a
CloudTrail trail.

CloudTrail log file validation creates a digitally signed digest file that
contains a hash of each log that CloudTrail writes to Amazon S3. You can use
these digest files to determine whether a log file was changed, deleted, or
unchanged after CloudTrail delivered the log.

Security Hub recommends that you enable file validation on all trails. Log file
validation provides additional integrity checks of CloudTrail logs.


REMEDIATION

To enable CloudTrail log file validation, see Enabling log file integrity
validation for CloudTrail in the AWS CloudTrail User Guide.


[CLOUDTRAIL.5] CLOUDTRAIL TRAILS SHOULD BE INTEGRATED WITH AMAZON CLOUDWATCH
LOGS

Related requirements: PCI DSS v3.2.1/10.5.3, CIS AWS Foundations Benchmark
v1.2.0/2.4, CIS AWS Foundations Benchmark v1.4.0/3.4, NIST.800-53.r5 AC-2(4),
NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10,
NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5
AU-6(1), NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-6(5),
NIST.800-53.r5 AU-7(1), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9),
NIST.800-53.r5 SI-20, NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20),
NIST.800-53.r5 SI-4(5), NIST.800-53.r5 SI-7(8)

Category: Identify > Logging

Severity: Low

Resource type: AWS::CloudTrail::Trail

AWS Config rule: cloud-trail-cloud-watch-logs-enabled

Schedule type: Periodic

Parameters: None

This control checks whether CloudTrail trails are configured to send logs to
CloudWatch Logs. The control fails if the CloudWatchLogsLogGroupArn property of
the trail is empty.

CloudTrail records AWS API calls that are made in a given account. The recorded
information includes the following:

 * The identity of the API caller

 * The time of the API call

 * The source IP address of the API caller

 * The request parameters

 * The response elements returned by the AWS service

CloudTrail uses Amazon S3 for log file storage and delivery. You can capture
CloudTrail logs in a specified S3 bucket for long-term analysis. To perform
real-time analysis, you can configure CloudTrail to send logs to CloudWatch
Logs.

For a trail that is enabled in all Regions in an account, CloudTrail sends log
files from all of those Regions to a CloudWatch Logs log group.

Security Hub recommends that you send CloudTrail logs to CloudWatch Logs. Note
that this recommendation is intended to ensure that account activity is
captured, monitored, and appropriately alarmed on. You can use CloudWatch Logs
to set this up with your AWS services. This recommendation does not preclude the
use of a different solution.

Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historic
activity logging based on user, API, resource, and IP address. You can use this
approach to establish alarms and notifications for anomalous or sensitive
account activity.


REMEDIATION

To integrate CloudTrail with CloudWatch Logs, see Sending events to CloudWatch
Logs in the AWS CloudTrail User Guide.
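The trail properties that CloudTrail.1, CloudTrail.2, CloudTrail.4 and CloudTrail.5 above evaluate (IsMultiRegionTrail, the event selector's ReadWriteType and ExcludeManagementEventSources, KmsKeyId, LogFileValidationEnabled and CloudWatchLogsLogGroupArn) can be checked offline against DescribeTrails output. The following is an added example, not Security Hub's or AWS Config's own rule logic; it assumes the dict shapes of the CloudTrail DescribeTrails and GetEventSelectors API responses, evaluates basic event selectors only, and uses constructed sample trails.

```python
from typing import Any, Dict, List

# Assumed shapes: DescribeTrails TrailList entries and GetEventSelectors
# EventSelectors entries. Advanced event selectors are not evaluated here.
Trail = Dict[str, Any]
Selector = Dict[str, Any]


def has_all_management_events(selectors: List[Selector]) -> bool:
    """True if some selector records Read and Write management events with
    no excluded management event sources (the CloudTrail.1 requirement)."""
    return any(
        sel.get("IncludeManagementEvents", False)
        and sel.get("ReadWriteType") == "All"
        and not sel.get("ExcludeManagementEventSources")
        for sel in selectors
    )


def evaluate_trail(trail: Trail, selectors: List[Selector]) -> Dict[str, bool]:
    """Per-trail checks: CloudTrail.2 (KmsKeyId set), CloudTrail.4
    (LogFileValidationEnabled) and CloudTrail.5 (CloudWatchLogsLogGroupArn set),
    plus whether this trail alone would satisfy CloudTrail.1."""
    return {
        "CloudTrail.1": bool(trail.get("IsMultiRegionTrail"))
        and has_all_management_events(selectors),
        "CloudTrail.2": bool(trail.get("KmsKeyId")),
        "CloudTrail.4": bool(trail.get("LogFileValidationEnabled")),
        "CloudTrail.5": bool(trail.get("CloudWatchLogsLogGroupArn")),
    }


def evaluate_account(trails: List[Trail],
                     selectors_by_arn: Dict[str, List[Selector]]) -> Dict[str, Any]:
    """Account-level view: CloudTrail.3 needs at least one trail, and
    CloudTrail.1 needs at least one trail that passes its per-trail check."""
    per_trail = {
        t["TrailARN"]: evaluate_trail(t, selectors_by_arn.get(t["TrailARN"], []))
        for t in trails
    }
    return {
        "CloudTrail.3": len(trails) > 0,
        "CloudTrail.1": any(r["CloudTrail.1"] for r in per_trail.values()),
        "trails": per_trail,
    }


def failed_controls(result: Dict[str, bool]) -> List[str]:
    """Names of the per-trail controls that would produce a FAILED finding."""
    return sorted(name for name, ok in result.items() if not ok)


# Constructed sample data (not from a real account): one well-configured
# multi-Region trail and one single-Region trail that fails several checks.
SAMPLE_TRAILS = [
    {"Name": "org-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",
     "IsMultiRegionTrail": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID",
     "LogFileValidationEnabled": True,
     "CloudWatchLogsLogGroupArn":
         "arn:aws:logs:us-east-1:111111111111:log-group:cloudtrail:*"},
    {"Name": "legacy-trail",
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/legacy-trail",
     "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False},
]
SAMPLE_SELECTORS = {
    SAMPLE_TRAILS[0]["TrailARN"]: [{"ReadWriteType": "All",
                                    "IncludeManagementEvents": True,
                                    "ExcludeManagementEventSources": []}],
    SAMPLE_TRAILS[1]["TrailARN"]: [{"ReadWriteType": "WriteOnly",
                                    "IncludeManagementEvents": True,
                                    "ExcludeManagementEventSources": ["kms.amazonaws.com"]}],
}

if __name__ == "__main__":
    report = evaluate_account(SAMPLE_TRAILS, SAMPLE_SELECTORS)
    for name in ("CloudTrail.1", "CloudTrail.3"):
        print(name, "PASSED" if report[name] else "FAILED")
    for arn, res in report["trails"].items():
        print(arn, "failed:", failed_controls(res) or "none")
```

Replace SAMPLE_TRAILS and SAMPLE_SELECTORS with the output of the real DescribeTrails and GetEventSelectors calls to run the same logic against an account.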


[CLOUDTRAIL.6] ENSURE THE S3 BUCKET USED TO STORE CLOUDTRAIL LOGS IS NOT
PUBLICLY ACCESSIBLE

Related requirements: CIS AWS Foundations Benchmark v1.2.0/2.3, CIS AWS
Foundations Benchmark v1.4.0/3.3

Category: Identify > Logging

Severity: Critical

Resource type: AWS::CloudTrail::Trail

AWS Config rule: None (custom Security Hub rule)

Schedule type: Periodic and change triggered

CloudTrail logs a record of every API call made in your account. These log files
are stored in an S3 bucket. CIS recommends that the S3 bucket policy, or access
control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents
public access to the CloudTrail logs. Allowing public access to CloudTrail log
content might aid an adversary in identifying weaknesses in the affected
account's use or configuration.

To run this check, Security Hub first uses custom logic to look for the S3
bucket where your CloudTrail logs are stored. It then uses AWS Config managed
rules to check whether that bucket is publicly accessible.

If you aggregate your logs into a single centralized S3 bucket, then Security
Hub only runs the check against the account and Region where the centralized S3
bucket is located. For other accounts and Regions, the control status is No
data.

If the bucket is publicly accessible, the check generates a failed finding.


REMEDIATION

To block public access to your CloudTrail S3 bucket, see Configuring block
public access settings for your S3 buckets in the Amazon Simple Storage Service
User Guide. Select all four Amazon S3 Block Public Access Settings.


[CLOUDTRAIL.7] ENSURE S3 BUCKET ACCESS LOGGING IS ENABLED ON THE CLOUDTRAIL S3
BUCKET

Related requirements: CIS AWS Foundations Benchmark v1.2.0/2.6, CIS AWS
Foundations Benchmark v1.4.0/3.6

Category: Identify > Logging

Severity: Low

Resource type: AWS::CloudTrail::Trail

AWS Config rule: None (custom Security Hub rule)

Schedule type: Periodic

S3 bucket access logging generates a log that contains access records for each
request made to your S3 bucket. An access log record contains details about the
request, such as the request type, the resources that the request acted on,
and the time and date the request was processed.

CIS recommends that you enable bucket access logging on the CloudTrail S3
bucket.

By enabling S3 bucket logging on target S3 buckets, you can capture all events
that might affect objects in a target bucket. Configuring logs to be placed in a
separate bucket enables access to log information, which can be useful in
security and incident response workflows.

To run this check, Security Hub first uses custom logic to look for the bucket
where your CloudTrail logs are stored and then uses the AWS Config managed rule
to check if logging is enabled.

If CloudTrail delivers log files from multiple AWS accounts into a single
destination Amazon S3 bucket, Security Hub evaluates this control only against
the destination bucket in the Region where it's located. This streamlines your
findings. However, you should turn on CloudTrail in all accounts that deliver
logs to the destination bucket. For all accounts except the one that holds the
destination bucket, the control status is No data.

If the bucket is publicly accessible, the check generates a failed finding.


REMEDIATION

To enable server access logging for your CloudTrail S3 bucket, see Enabling
Amazon S3 server access logging in the Amazon Simple Storage Service User Guide.
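The two bucket-level conditions above, all four Block Public Access settings enabled (the CloudTrail.6 remediation) and server access logging delivered to a separate bucket (CloudTrail.7), can be checked against S3 API output. The following is an added example, not Security Hub's own custom rule logic; it assumes the dict shapes of the S3 GetPublicAccessBlock and GetBucketLogging API responses and uses constructed bucket names.

```python
from typing import Any, Dict, List

# Assumed shapes: the PublicAccessBlockConfiguration dict from GetPublicAccessBlock
# and the full GetBucketLogging response.
ALL_FOUR_BLOCKS = ("BlockPublicAcls", "IgnorePublicAcls",
                   "BlockPublicPolicy", "RestrictPublicBuckets")


def missing_public_access_blocks(pab: Dict[str, bool]) -> List[str]:
    """CloudTrail.6 remediation state: returns the Block Public Access settings
    that are not enabled; an empty list means all four are on. A bucket with no
    configuration at all (empty dict) is reported as missing all four."""
    return [name for name in ALL_FOUR_BLOCKS if not pab.get(name, False)]


def access_logging_status(bucket: str, logging_resp: Dict[str, Any]) -> str:
    """CloudTrail.7: 'PASSED' when server access logging targets a separate
    bucket, 'SELF_TARGET' when the log bucket is its own target (not the separate
    bucket the control text recommends), 'FAILED' when logging is off."""
    target = logging_resp.get("LoggingEnabled", {}).get("TargetBucket")
    if not target:
        return "FAILED"
    if target == bucket:
        return "SELF_TARGET"
    return "PASSED"


# Constructed sample data (not from a real account).
LOG_BUCKET = "example-cloudtrail-logs"
SAMPLE_PAB_GOOD = {name: True for name in ALL_FOUR_BLOCKS}
SAMPLE_PAB_PARTIAL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                      "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_LOGGING_GOOD = {"LoggingEnabled": {"TargetBucket": "example-s3-access-logs",
                                          "TargetPrefix": "cloudtrail-bucket/"}}
SAMPLE_LOGGING_SELF = {"LoggingEnabled": {"TargetBucket": LOG_BUCKET}}
SAMPLE_LOGGING_OFF: Dict[str, Any] = {}

if __name__ == "__main__":
    print("CloudTrail.6 missing settings:", missing_public_access_blocks(SAMPLE_PAB_PARTIAL))
    for label, resp in (("good", SAMPLE_LOGGING_GOOD), ("self", SAMPLE_LOGGING_SELF),
                        ("off", SAMPLE_LOGGING_OFF)):
        print("CloudTrail.7", label, access_logging_status(LOG_BUCKET, resp))
```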
