Check for Missing SNS Topic within Trail Configuration

Risk Level: Medium (should be achieved)

Ensure that your Amazon CloudTrail trails are configured to use active Simple Notification Service (SNS) topics in order to receive a notification for every log file delivery made to the associated (target) bucket.

Operational excellence

When your CloudTrail trails no longer reference active SNS topics, the cloud service can't send notifications each time Amazon CloudTrail publishes new log files to the associated S3 bucket. As a result, you lose the ability to take immediate actions based on the log information received from Amazon CloudTrail.


Audit

To identify CloudTrail trails that are missing the capability to send notifications on log file delivery due to inactive SNS topics, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel, under CloudTrail, choose Trails.

04 Click on the name (link) of the Amazon CloudTrail trail that you want to examine.

05 In the General details section, choose Edit and copy the name of the associated SNS topic available in the SNS topic box.

06 Navigate to Amazon SNS console at https://console.aws.amazon.com/sns/.

07 In the navigation panel, under Amazon SNS, choose Topics. Paste the name of the topic copied at step no. 5 in the Search box to return the SNS topic configured for the selected trail. If no results are returned, the associated SNS topic has been deleted, and the selected Amazon CloudTrail trail is not able to send a notification each time a log file is delivered to the designated S3 bucket.

08 Repeat steps no. 4 – 7 for each Amazon CloudTrail trail created for your AWS cloud account.

Using AWS CLI

01 Run list-trails command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon CloudTrail trails created for your AWS cloud account:

aws cloudtrail list-trails \
  --region us-east-1 \
  --query 'Trails[*].Name'

02 The command output should return an array with the requested CloudTrail trail names:

[
	"cc-main-cloud-trail",
	"cc-project5-api-trail",
	"cc-data-events-trail"
]

03 Run describe-trails command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to examine as the identifier parameter and custom query filters to describe the Amazon Resource Name (ARN) of the SNS topic associated with the selected trail:

aws cloudtrail describe-trails \
  --region us-east-1 \
  --trail-name-list cc-main-cloud-trail \
  --query 'trailList[*].SnsTopicARN'

04 The command output should return the Amazon Resource Name (ARN) of the associated SNS topic:

[
	"arn:aws:sns:us-east-1:123456789012:cc-cloudtrail-log-sns-topic"
]

05 Run get-topic-attributes command (OSX/Linux/UNIX) using the topic ARN returned at the previous step as the identifier parameter to describe the configuration information available for the selected SNS topic:

aws sns get-topic-attributes \
  --region us-east-1 \
  --topic-arn "arn:aws:sns:us-east-1:123456789012:cc-cloudtrail-log-sns-topic"

06 The command output should return the requested configuration information:

An error occurred (NotFound) when calling the GetTopicAttributes operation: Topic does not exist

If the get-topic-attributes command returns a NotFound error message, as shown in the example above, the associated SNS topic has been deleted, and the selected Amazon CloudTrail trail is not able to send a notification each time a log file is delivered to the designated (target) S3 bucket.

07 Repeat steps no. 3 – 6 for each Amazon CloudTrail trail created for your AWS cloud account.
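
The CLI audit steps above, combined into one script, as an added example that is not part of the original page: it checks every trail in a region and separates a deleted topic (NotFound) from other failures such as missing permissions. The function names, status labels and exit codes are choices made for this example; it assumes the AWS CLI is installed and configured.

```shell
#!/bin/sh
# Added example (not from the original page): audit all trails in a region.
# Assumes AWS CLI credentials permitted to call cloudtrail:DescribeTrails
# and sns:GetTopicAttributes.

# check_topic <topic-arn>: prints OK, MISSING or ERROR.
check_topic() (
  arn="$1"
  # Field 4 of the ARN is the topic's region; a trail can reference a
  # topic outside the region being audited.
  region="$(printf '%s' "$arn" | cut -d: -f4)"
  if err="$(aws sns get-topic-attributes --region "$region" \
              --topic-arn "$arn" 2>&1 >/dev/null)"; then
    echo OK
  else
    case "$err" in
      *NotFound*) echo MISSING ;;  # topic deleted: the finding in this rule
      *)          echo ERROR ;;    # e.g. access denied: not proof of deletion
    esac
  fi
)

# audit_trails <region>: prints "<status> <trail> <topic-arn>" per trail.
# Exit status: 0 clean, 1 if any trail is MISSING or ERROR, 2 if the
# trail listing itself failed.
audit_trails() (
  trails="$(aws cloudtrail describe-trails --region "$1" \
              --query 'trailList[*].[Name,SnsTopicARN]' --output text)" || exit 2
  rc=0
  while read -r name arn; do
    [ -n "$name" ] || continue
    case "$arn" in
      ""|None) status=NO_TOPIC ;;  # no SNS notification configured
      *)       status="$(check_topic "$arn")" ;;
    esac
    case "$status" in MISSING|ERROR) rc=1 ;; esac
    printf '%s %s %s\n' "$status" "$name" "$arn"
  done <<EOF
$trails
EOF
  exit "$rc"
)

# Run against the live account only when a region argument is given.
if [ -n "${1:-}" ]; then audit_trails "$1"; fi
```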

Remediation / Resolution

To reconfigure any Amazon CloudTrail trails associated with missing SNS topics, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel, under CloudTrail, choose Trails.

04 Click on the name (link) of the Amazon CloudTrail trail that you want to reconfigure.

05 In the General details section, choose Edit and perform the following operations:

  1. Select New under Create a new SNS topic to create a new Amazon SNS topic and associate it with the selected trail.
  2. Provide a unique name for the new topic in the SNS topic box.
  3. Choose Save changes to apply the changes. The new Amazon SNS topic will get permissions to receive notifications whenever a trail log file is delivered to the target S3 bucket.

06 Navigate to Amazon SNS console at https://console.aws.amazon.com/sns/.

07 In the navigation panel, under Amazon SNS, choose Topics.

08 Click on the name of the SNS topic created at step no. 5, select the Subscriptions tab, and choose Create subscription.

09 On the Create subscription setup page, select Email from the Protocol dropdown list, provide the email address where you want to receive trail log notifications in the Endpoint box, then choose Create subscription to apply the new subscription to the selected Amazon SNS topic.

10 Use your preferred email client to open the subscription message from the AWS Notifications, then click on the appropriate link to confirm your SNS subscription.

11 Repeat steps no. 4 – 10 to reconfigure other Amazon CloudTrail trails with missing SNS topics, available within your AWS cloud account.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create the Amazon SNS topic required to replace the missing SNS topic associated with your CloudTrail trail(s):

aws sns create-topic \
  --name cc-cloud-trail-sns-topic

02 The command output should return the Amazon Resource Name (ARN) of the newly created SNS topic:

{
	"TopicArn": "arn:aws:sns:us-east-1:123456789012:cc-cloud-trail-sns-topic"
}

03 Run subscribe command (OSX/Linux/UNIX) to subscribe to the Amazon SNS topic created at the previous step using one or more email addresses as subscription endpoints:

aws sns subscribe \
  --region us-east-1 \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-cloud-trail-sns-topic \
  --protocol email \
  --notification-endpoint alert@cloudconformity.com \
  --return-subscription-arn

04 The command output should return the ARN of the new SNS subscription:

{
	"SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:cc-cloud-trail-sns-topic:abcdabcd-1234-abcd-1234-abcd1234abcd"
}

05 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the new SNS subscription by validating the token sent to the subscription endpoint (i.e. your email address) specified at the previous step (the command should not produce an output):

aws sns confirm-subscription \
  --region us-east-1 \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-cloud-trail-sns-topic \
  --token 3468392f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bca58d3c217426bcafa9c501a2cac5646456gf1dd3797627467553dc438a8c974119496fc3eff026eaa5d15578ded6f9a5c43aec62d83ef5f49109da730567

06 Run update-trail command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to reconfigure as the identifier parameter, to reconfigure the selected trail by attaching the newly created SNS topic:

aws cloudtrail update-trail \
  --region us-east-1 \
  --name cc-main-cloud-trail \
  --sns-topic-name cc-cloud-trail-sns-topic

07 The command output should return the metadata available for the reconfigured trail:

{
	"IncludeGlobalServiceEvents": true,
	"IsOrganizationTrail": false,
	"Name": "cc-main-cloud-trail",
	"TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-main-cloud-trail",
	"LogFileValidationEnabled": false,
	"SnsTopicARN": "arn:aws:sns:us-east-1:123456789012:cc-cloud-trail-sns-topic",
	"IsMultiRegionTrail": true,
	"S3BucketName": "aws-cloudtrail-log-bucket",
	"SnsTopicName": "cc-cloud-trail-sns-topic"
}

08 Repeat steps no. 1 – 7 to reconfigure other Amazon CloudTrail trails with missing SNS topics, available in your AWS cloud account.

Publication date Apr 24, 2016