Best practice rules for AWS CloudTrail
Trend Micro Cloud One™ – Conformity monitors AWS CloudTrail with the following rules:
- AWS CloudTrail Configuration Changes
CloudTrail configuration changes have been detected within your Amazon Web Services account.
- Avoid Duplicate Entries in Amazon CloudTrail Logs
Ensure that AWS CloudTrail trails are not duplicating global service events in their aggregated log files."
- Check for Missing SNS Topic within Trail Configuration
Ensure that your CloudTrail trails are using active Amazon SNS topics.
- CloudTrail Bucket MFA Delete Enabled
Ensure AWS CloudTrail logging bucket has MFA Delete feature enabled.
- CloudTrail Bucket Publicly Accessible
Ensure CloudTrail trail logging buckets are not publicly accessible.
- CloudTrail Data Events
Ensure Data events are included into Amazon CloudTrail trails configuration.
- CloudTrail Delivery Failing
Ensure Amazon CloudTrail trail log files are delivered as expected.
- CloudTrail Enabled
Ensure AWS CloudTrail trails are enabled for all AWS regions.
- CloudTrail Global Services Enabled
Ensure that CloudTrail trails record API calls for global services such as IAM, STS, and CloudFront.
- CloudTrail Log File Integrity Validation
Ensure your AWS CloudTrail trails have log file integrity validation enabled.
- CloudTrail Logs Encrypted
Ensure your AWS CloudTrail logs are encrypted using AWS KMS–Managed Keys (SSE-KMS).
- CloudTrail Management Events
Ensure management events are included into AWS CloudTrail trails configuration.
- CloudTrail S3 Bucket
Ensure that AWS CloudTrail trail uses the designated Amazon S3 bucket.
- CloudTrail S3 Bucket Logging Enabled
Ensure AWS CloudTrail buckets have server access logging enabled.
- Enable Integration with Amazon CloudWatch
Ensure that Amazon CloudTrail event monitoring with CloudWatch is enabled.
- Enable Object Lock for CloudTrail S3 Buckets
Ensure that the CloudTrail buckets are using Object Lock for data protection and compliance.