More Info:

All AWS CloudTrail configuration changes should be monitored using CloudWatch alarms.

Risk Level

Medium

Address

Security

Compliance Standards

CISAWSF, PCI, GDPR, APRA, MAS, NIST4, SOC2, HIPAA, ISO27001, NISTCSF

Triage and Remediation

Remediation

Using Console

Here are the step-by-step instructions to remediate the CloudTrail Changes Alarm misconfiguration in AWS using the AWS console:
  1. Sign in to your AWS account and navigate to the CloudWatch service.
  2. In the left-hand menu, select “Logs”.
  3. Select the log group created for your CloudTrail trail event logs and click on the “Create Metric Filter” button.
  4. On the Define Logs Metric Filter page, in the Filter Pattern box, enter the following pattern:
{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }This pattern monitors CloudTrail for changes like creating, updating, or deleting trails.
  1. Review the metric filter details and click Assign Metric.
  2. On the next page, provide the following details:
    • Filter Name: Enter a name like AWSCloudTrailChanges.
    • Metric Namespace: Enter CloudTrailMetrics.
    • Metric Name: Enter CloudTrailEventCount.
    • Click Show advanced metric settings, and in the Metric Value box, enter 1.
  3. Review the details and click Create Filter.
  4. Now, click Create Alarm for the filter created in the previous step.
  5. In the Create Alarm dialog, configure the following:
    • Alarm Name: Enter CloudTrail Changes.
    • Threshold: Set the threshold value to 1 (greater than or equal to 1).
    • Actions: Click the + Notification button, select State is ALARM, and choose an SNS topic for notifications.
    • Period: Select 5 Minutes from the dropdown.
    • Statistic: Set to Sum.
  6. Review the configuration and click Create Alarm to finalize.
That’s it! You have successfully remediated the CloudTrail Changes Alarm misconfiguration in AWS using the AWS console.

The CloudTrail Changes Alarm monitors changes in CloudTrail configuration. Here are the steps to set up the alarm using AWS CLI:
  1. Run the following command to create a CloudWatch metric filter and associate it with the CloudTrail log group:
aws logs put-metric-filter
    --region us-east-1
    --log-group-name CloudTrail/MyCloudTrailLG
    --filter-name AWSCloudTrailChanges
    --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }'
    --metric-transformations metricName=CloudTrailEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
  1. Use the following command to create a CloudWatch alarm triggered by changes to CloudTrail:
aws cloudwatch put-metric-alarm
    --region us-east-1
    --alarm-name "CloudTrail Changes"
    --alarm-description "Triggered by AWS CloudTrail configuration changes."
    --metric-name CloudTrailEventCount
    --namespace CloudTrailMetrics
    --statistic Sum
    --comparison-operator GreaterThanOrEqualToThreshold
    --evaluation-periods 1
    --period 300
    --threshold 1
    --actions-enabled
    --alarm-actions arn:aws:sns:us-east-1:123456789012
These commands set up the CloudWatch alarm to monitor CloudTrail configuration changes using AWS CLI.

To remediate the CloudTrail Changes Alarm misconfiguration using Python, we can use the AWS SDK for Python (boto3) to automate both the CloudTrail and CloudWatch configurations. Here’s a sample code:
import boto3

# Enable CloudWatch Logs for CloudTrail
def enable_cloudtrail_logs(trail_name, log_group_arn, role_arn):
 client = boto3.client('cloudtrail')
 response = client.update_trail(
     Name=trail_name,
     CloudWatchLogsLogGroupArn=log_group_arn,
     CloudWatchLogsRoleArn=role_arn
 )
 return response

# Create or update a CloudWatch alarm
def create_cloudtrail_alarm(alarm_name, metric_name, sns_topic_arn):
 client = boto3.client('cloudwatch')
 response = client.put_metric_alarm(
     AlarmName=alarm_name,
     MetricName=metric_name,
     Namespace='CloudTrailMetrics',
     Statistic='Sum',
     Period=300,
     EvaluationPeriods=1,
     Threshold=1,
     ComparisonOperator='GreaterThanOrEqualToThreshold',
     AlarmActions=[sns_topic_arn],
     OKActions=[sns_topic_arn],
     Dimensions=[
         {
             'Name': 'TrailName',
             'Value': 'my-trail'
         }
     ]
 )
 return response

# Usage example:
enable_cloudtrail_logs(
 trail_name='my-trail',
 log_group_arn='arn:aws:logs:us-east-1:123456789012:log-group:/aws/cloudtrail/my-trail',
 role_arn='arn:aws:iam::123456789012:role/MyCloudTrailRole'
)

create_cloudtrail_alarm(
 alarm_name='CloudTrail Changes',
 metric_name='CloudTrailEventCount',
 sns_topic_arn='arn:aws:sns:us-east-1:123456789012:my-sns-topic'
)
This script enables CloudWatch logs for your CloudTrail and sets up a CloudWatch alarm for tracking changes to your CloudTrail configurations.

Additional Reading: