CloudTrails Must Log Management Events
More Info:
Your Amazon CloudTrail trail should be configured to use the appropriate S3 bucket in order to meet regulatory compliance requirements within your organization.
Risk Level: Medium
Address: Security
Compliance Standards: SOC2
Triage and Remediation
Remediation
To remediate the misconfiguration “CloudTrails Must Log Management Events” for AWS using the AWS console, follow these steps:
- Log in to the AWS Management Console and navigate to the CloudTrail service.
- Select the trail that you want to modify and click on the “Edit” button.
- Scroll down to the “Management events” section and ensure that the “Read/Write events” checkbox is selected.
- Click on the “Save” button to save the changes.
- Repeat these steps for all the trails that you have configured in your AWS account.
By following these steps, you will ensure that CloudTrail logs all management events, including API calls made by users and services in your AWS account. This will help you to monitor and audit your AWS environment effectively and ensure compliance with your security policies.
To remediate the misconfiguration “CloudTrails Must Log Management Events” for AWS using the AWS CLI, follow these steps:
- Open the AWS CLI on your local machine or in the AWS console.
- Run the following command to check if CloudTrail is enabled:
aws cloudtrail describe-trails
- If CloudTrail is not enabled, run the following command to create a new trail:
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail --enable-log-file-validation
Replace <trail-name> with the name you want to give to your trail and <bucket-name> with the name of the S3 bucket where you want to store your CloudTrail logs.
- Run the following commands to update your trail to log management events. The first keeps the trail multi-region and includes global service events (IAM, STS); the second sets the event selector that actually records management events for both read and write API calls:
aws cloudtrail update-trail --name <trail-name> --include-global-service-events --is-multi-region-trail
aws cloudtrail put-event-selectors --trail-name <trail-name> --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":true}]'
- Finally, run the following command to enable your trail:
aws cloudtrail start-logging --name <trail-name>
This will start logging management events to your CloudTrail trail.
After following these steps, your CloudTrail will be enabled and configured to log management events.
To remediate the misconfiguration “CloudTrails Must Log Management Events” in AWS, you can use the following steps:
- Open the AWS Management Console and navigate to the CloudTrail service.
- Select the trail that you want to modify and click on the “Edit” button.
- In the “Management events” section, ensure that “Read/Write events” and “Data events” are selected.
- If “Data events” is not selected, click on the “Add data event” button and select the data events that you want to log.
- If you want to log all data events, select the “All data events” option.
- Click on the “Save” button to save the changes.
Now, you can use the AWS SDK for Python (Boto3) to automate the remediation process. Here is the Python code to remediate the misconfiguration:
import boto3

# Initialize the CloudTrail client
cloudtrail = boto3.client('cloudtrail')

# Name (or ARN) of the trail to remediate
trail_name = 'your-trail-name'

# Management events are controlled by event selectors, not by update_trail();
# ReadWriteType 'All' records both read and write API calls.
# Note: put_event_selectors() replaces the trail's existing selectors, so
# include any data event selectors you still need in the same call.
response = cloudtrail.put_event_selectors(
    TrailName=trail_name,
    EventSelectors=[{
        'ReadWriteType': 'All',
        'IncludeManagementEvents': True
    }]
)

# Print the response
print(response)
This code will update the specified trail's event selectors to log management events. You can run this code for each trail that needs to be remediated.
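Before remediating, an auditor usually wants to know which trails are actually out of compliance. The check below is an added example, not code from the original page: it evaluates a CloudTrail get_event_selectors() response (both the basic EventSelectors form and the AdvancedEventSelectors form) and lists the trails that do not record management events for both reads and writes. The boto3 client is passed in, so the constructed FakeCloudTrail class (sample ARNs and selectors are made up) lets it run offline; pass boto3.client('cloudtrail') for a real account.

```python
from typing import Dict, List


def logs_all_management_events(selectors: Dict) -> bool:
    """True if a get_event_selectors() response records management events
    for both read and write API calls."""
    # Basic selectors: IncludeManagementEvents set and ReadWriteType "All".
    for sel in selectors.get("EventSelectors") or []:
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All":
            return True
    # Advanced selectors: eventCategory equal to "Management" and no readOnly
    # field (a readOnly field narrows the trail to reads only or writes only).
    for sel in selectors.get("AdvancedEventSelectors") or []:
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if "Management" in fields.get("eventCategory", {}).get("Equals", []) and "readOnly" not in fields:
            return True
    return False


def find_noncompliant_trails(cloudtrail) -> List[str]:
    """Return ARNs of trails that are not logging all management events.
    `cloudtrail` is a boto3 CloudTrail client or any object exposing the same
    describe_trails() / get_event_selectors() methods."""
    noncompliant = []
    for trail in cloudtrail.describe_trails()["trailList"]:
        arn = trail["TrailARN"]
        if not logs_all_management_events(cloudtrail.get_event_selectors(TrailName=arn)):
            noncompliant.append(arn)
    return noncompliant


class FakeCloudTrail:
    """Constructed stand-in for boto3.client('cloudtrail'); sample data only."""
    SELECTORS = {
        "arn:aws:cloudtrail:us-east-1:123456789012:trail/full":
            {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
        "arn:aws:cloudtrail:us-east-1:123456789012:trail/writes-only":
            {"EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
        "arn:aws:cloudtrail:us-east-1:123456789012:trail/data-only":
            {"AdvancedEventSelectors": [{"Name": "S3 data", "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Data"]},
                {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]}]},
    }

    def describe_trails(self):
        return {"trailList": [{"Name": a.rsplit("/", 1)[1], "TrailARN": a} for a in self.SELECTORS]}

    def get_event_selectors(self, TrailName):
        return {"TrailARN": TrailName, **self.SELECTORS[TrailName]}
```

Running find_noncompliant_trails(FakeCloudTrail()) reports the writes-only and data-only trails; the full trail passes.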