AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
CloudTrails Must Log Management Events
More Info:
All your AWS CloudTrail trails should be configured to log Management events in order to record important operations such as EC2 RunInstances, DescribeInstances, TerminateInstances and Console Login.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, NIST, GDPR, HIPAA, ISO27001, AWSWAF
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate the “CloudTrails Must Log Management Events” misconfiguration for AWS:
-
Open the AWS Management Console and navigate to the CloudTrail service.
-
Click on the Trails option in the left-hand menu.
-
Select the trail that you want to modify and click on the Edit button.
-
Scroll down to the Management events section.
-
Enable the Log management events toggle switch.
-
Choose the S3 bucket where you want to store the logs.
-
Select the SNS topic (optional) to receive notifications.
-
Click on the Save button to save the changes.
Once you complete these steps, CloudTrail will start logging management events to the specified S3 bucket. This will help you to monitor and track all the changes made to your AWS account, including changes made to IAM users, roles, policies, security groups, and more.
To remediate the “CloudTrails Must Log Management Events” misconfiguration in AWS using AWS CLI, follow the below steps:
- Open the AWS CLI on your local machine or EC2 instance.
- Run the following command to check if CloudTrail is enabled:
aws cloudtrail describe-trails
- If CloudTrail is not enabled, run the following command to create a new trail:
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail --include-global-service-events
Replace <trail-name> with the name of the trail you want to create and <bucket-name> with the name of the S3 bucket where you want to store your CloudTrail logs.
- If CloudTrail is already enabled, run the following command to update the trail to log management events:
aws cloudtrail update-trail --name <trail-name> --enable-log-file-validation --include-global-service-events --is-multi-region-trail --is-organization-trail
Replace <trail-name> with the name of the trail you want to update.
- Verify that management events are being logged by running the following command:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateTrail
This command will return a list of events related to creating a trail, which confirms that management events are being logged.
By following these steps, you will successfully remediate the “CloudTrails Must Log Management Events” misconfiguration in AWS using AWS CLI.
To remediate the “CloudTrails must log management events” misconfiguration in AWS, you can use the following Python code:
- First, you need to enable CloudTrail in your AWS account if it is not already enabled. You can do this by using the following Python code:
import boto3
# Create a CloudTrail client
cloudtrail = boto3.client('cloudtrail')
# Create a trail
response = cloudtrail.create_trail(
Name='my-trail',
S3BucketName='my-bucket',
IsMultiRegionTrail=True,
IncludeGlobalServiceEvents=True,
)
# Enable the trail
cloudtrail.start_logging(Name='my-trail')
Replace my-trail with the name of your CloudTrail trail and my-bucket with the name of your S3 bucket where you want to store the logs.
- Once you have enabled CloudTrail, you need to ensure that it is logging management events. You can do this by using the following Python code:
import boto3
# Create a CloudTrail client
cloudtrail = boto3.client('cloudtrail')
# Get the current trail configuration
response = cloudtrail.get_trail_status(Name='my-trail')
# Check if management events are being logged
if not response['IsLogging']:
print('Management events are not being logged')
# Update the trail to log management events
response = cloudtrail.update_trail(
Name='my-trail',
IncludeGlobalServiceEvents=True,
)
# Start logging
cloudtrail.start_logging(Name='my-trail')
print('Management events are now being logged')
else:
print('Management events are being logged')
This code will check if management events are being logged in your CloudTrail trail. If they are not being logged, it will update the trail configuration to include management events and start logging them.
Note: Make sure that you have appropriate permissions to create and update CloudTrail trails and to start and stop logging.