Best practice rules for AWS CloudTrail
Trend Micro Cloud One™ – Conformity monitors AWS CloudTrail with the following rules:
- AWS CloudTrail Configuration Changes
CloudTrail configuration changes have been detected within your Amazon Web Services account.
- Avoid Duplicate Entries in Amazon CloudTrail Logs
Ensure that AWS CloudTrail trails aren't duplicating global service events in their aggregated log files
- Check for Missing SNS Topic within Trail Configuration
Ensure that your CloudTrail trails are using active Amazon SNS topics.
- CloudTrail Bucket MFA Delete Enabled
Ensure CloudTrail logging bucket has a MFA-Delete policy to prevent deletion of logs without an MFA token
- CloudTrail Data Events
Ensure CloudTrail trails are configured to log Data events.
- CloudTrail Delivery Failing
Ensure Amazon CloudTrail trail log files are delivered as expected.
- CloudTrail Enabled
Ensure CloudTrail is enabled in all regions.
- CloudTrail Global Services Enabled
Ensure CloudTrail records events for global services such as IAM or AWS STS.
- CloudTrail Integrated With CloudWatch
Ensure CloudTrail trails are integrated with CloudWatch Logs.
- CloudTrail Log File Integrity Validation
Ensure CloudTrail log file validation is enabled
- CloudTrail Logs Encrypted
Ensure CloudTrail logs are encrypted at rest using KMS CMKs.
- CloudTrail Management Events
Ensure management events are included into AWS CloudTrail trails configuration.
- CloudTrail S3 Bucket
Ensure that AWS CloudTrail trail uses the designated Amazon S3 bucket.
- CloudTrail S3 Bucket Logging Enabled
Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket.
- Enable Object Lock for CloudTrail S3 Buckets
Ensure that the CloudTrail buckets are using Object Lock for data protection and compliance.
- Publicly Accessible CloudTrail Buckets
Ensure that your CloudTrail trail buckets are not publicly accessible.