End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

CloudTrail Global Services Enabled

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (act today)
Rule ID: CT-005

Ensure that your Amazon CloudTrail trails are recording both regional and global events in order to increase the visibility of the API activity in your AWS cloud account for security and management purposes.

This rule can help you with the following compliance standards:

  • PCI
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.

This rule can help you work with the AWS Well-Architected Framework.

Security

Enabling API activity monitoring for global AWS services that are not region-specific, such as Amazon IAM, STS, and CloudFront, gives you full visibility into activity across your AWS cloud services. Having CloudTrail logging enabled for both regional and global AWS services helps you demonstrate compliance and troubleshoot operational or security issues within your AWS cloud account.


Audit

To determine if your Amazon CloudTrail trails record API calls for AWS global services, perform the following actions:

Note: Checking CloudTrail trail support for AWS global services using the AWS Management Console is no longer supported. By default, CloudTrail trails created via the AWS Management Console will have global service events enabled. It is recommended that you only have one trail allocated to global service events per account to reduce duplicate events.

Using AWS CLI

  1. Run list-trails command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon CloudTrail trails created for your AWS cloud account:

    aws cloudtrail list-trails \
      --region us-east-1 \
      --query 'Trails[*].Name'
    
  2. The command output should return an array with the requested CloudTrail trail names:

    [
    	"cc-project5-api-trail",
    	"cc-data-events-trail"
    ]
    
  3. Run describe-trails command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to examine as the identifier parameter and custom query filters to determine if the selected trail records API calls for AWS global services such as Amazon IAM:

    aws cloudtrail describe-trails \
      --region us-east-1 \
      --trail-name-list cc-project5-api-trail \
      --query 'trailList[*].IncludeGlobalServiceEvents'
    
  4. The command output should return the requested feature status (true for enabled, false for disabled):

    [
    	false
    ]
    

    If the describe-trails command output returns false, as shown in the example above, the selected Amazon CloudTrail trail is not configured to record API calls for AWS global services.

  5. Repeat steps no. 3 and 4 for each Amazon CloudTrail trail available within your AWS cloud account.
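The audit above, scripted as an added example that is not part of the original article: `evaluate_trails` applies steps 1 to 4 to the `trailList` structure that `describe-trails` returns (a constructed sample is embedded), and also performs the account-level check from the note, that global service events should be delivered to exactly one trail. `fetch_trails` is a hypothetical boto3 helper for pulling the same structure from a live account.

```python
"""Audit IncludeGlobalServiceEvents on CloudTrail trails (added example,
not from the original article). Applies audit steps 1-4 to the JSON that
`aws cloudtrail describe-trails` returns, plus the note's account-level
check: global events should be delivered to exactly one trail.
fetch_trails is a hypothetical boto3 helper."""
from typing import Dict, List


def evaluate_trails(trail_list: List[Dict]) -> Dict:
    """Per-trail PASS/FAIL plus an account-level summary.
    trail_list is the "trailList" array from describe-trails. A trail fails
    when IncludeGlobalServiceEvents is not true; the summary also flags
    zero or more than one trail recording global events."""
    findings, global_trails = [], []
    for trail in trail_list:
        name = trail.get("Name") or trail.get("TrailARN", "<unnamed>")
        enabled = trail.get("IncludeGlobalServiceEvents") is True
        findings.append({"name": name, "global_events": enabled,
                         "status": "PASS" if enabled else "FAIL"})
        if enabled:
            global_trails.append(name)
    if not global_trails:
        summary = "no trail records global service events"
    elif len(global_trails) > 1:
        summary = "duplicate global events: " + ", ".join(sorted(global_trails))
    else:
        summary = "ok: " + global_trails[0]
    return {"trails": findings, "global_trail_count": len(global_trails),
            "summary": summary}


def fetch_trails(region: str = "us-east-1") -> List[Dict]:
    """Pull the live trail list with boto3 (needs AWS credentials)."""
    import boto3  # lazy import so the offline sample below needs no SDK
    client = boto3.client("cloudtrail", region_name=region)
    # includeShadowTrails=False lists each multi-region trail once, in its home region
    return client.describe_trails(includeShadowTrails=False)["trailList"]


# Constructed sample shaped like describe-trails output (not real account data)
SAMPLE_TRAIL_LIST = [
    {"Name": "cc-project5-api-trail", "IsMultiRegionTrail": True,
     "IncludeGlobalServiceEvents": False, "HomeRegion": "us-east-1"},
    {"Name": "cc-data-events-trail", "IsMultiRegionTrail": False,
     "IncludeGlobalServiceEvents": True, "HomeRegion": "us-east-1"},
]

if __name__ == "__main__":
    report = evaluate_trails(SAMPLE_TRAIL_LIST)  # swap in fetch_trails() for a live account
    print("\n".join(f"{f['status']}  {f['name']}" for f in report["trails"]), report["summary"])
```

The sample deliberately mirrors the audit output above: the first trail returns false and fails the rule, while the account still has exactly one trail delivering global events.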

Remediation / Resolution

To enable API logging for AWS global services within your Amazon CloudTrail trail configuration, perform the following actions:

Note: Enabling CloudTrail trail support for AWS global services using the AWS Management Console is no longer supported. By default, CloudTrail trails created via the AWS Management Console will have global service events enabled. It is recommended that you only have one trail allocated to global service events per account in order to reduce duplicate events.

Using AWS CloudFormation

  1. CloudFormation template (JSON):

    {
    	"AWSTemplateFormatVersion": "2010-09-09",
    	"Parameters": {
    		"CloudTrailName": {
    			"Type": "String"
    		},
    		"CloudTrailBucketName": {
    			"Type": "String"
    		},
    		"CloudTrailBucketPrefix": {
    			"Type": "String"
    		}
    	},
    	"Resources": {
    		"CloudTrail": {
    			"Type": "AWS::CloudTrail::Trail",
    			"Properties": {
    				"TrailName": {
    					"Ref": "CloudTrailName"
    				},
    				"S3BucketName": {
    					"Ref": "CloudTrailBucketName"
    				},
    				"S3KeyPrefix": {
    					"Ref": "CloudTrailBucketPrefix"
    				},
    				"EventSelectors": [
    					{
    						"DataResources": [
    							{
    								"Type": "AWS::S3::Object",
    								"Values": [
    									"arn:aws:s3"
    								]
    							}
    						],
    						"ReadWriteType": "All",
    						"IncludeManagementEvents": true
    					}
    				],
    				"IsLogging": true,
    				"IsMultiRegionTrail": true,
    				"IncludeGlobalServiceEvents": true
    			}
    		}
    	}
    }
    
  2. CloudFormation template (YAML):

    AWSTemplateFormatVersion: '2010-09-09'
    Parameters:
      CloudTrailName:
        Type: String
      CloudTrailBucketName:
        Type: String
      CloudTrailBucketPrefix:
        Type: String
    Resources:
      CloudTrail:
        Type: AWS::CloudTrail::Trail
        Properties:
          TrailName: !Ref 'CloudTrailName'
          S3BucketName: !Ref 'CloudTrailBucketName'
          S3KeyPrefix: !Ref 'CloudTrailBucketPrefix'
          EventSelectors:
            - DataResources:
                - Type: AWS::S3::Object
                  Values:
                    - arn:aws:s3
              ReadWriteType: All
              IncludeManagementEvents: true
          IsLogging: true
          IsMultiRegionTrail: true
          IncludeGlobalServiceEvents: true
    

Using Terraform (AWS Provider)

  1. Terraform configuration file (.tf):

    terraform {
    	required_providers {
    		aws = {
    			source  = "hashicorp/aws"
    			version = "~> 4.0"
    		}
    	}
    
    	required_version = ">= 0.14.9"
    }
    
    provider "aws" {
    	profile = "default"
    	region  = "us-east-1"
    }
    
    resource "aws_cloudtrail" "aws-cloudtrail-trail" {
    	name           = "cc-project5-api-trail"
    	s3_bucket_name = "cc-project5-trail-bucket"
    	s3_key_prefix  = "trail-logs"
    	event_selector {
    		data_resource {
    			type   = "AWS::S3::Object"
    			values = ["arn:aws:s3"]
    		}
    		read_write_type            = "All"
    		include_management_events  = true
    	}
    	enable_logging                = true
    	is_multi_region_trail         = true
    	include_global_service_events = true
    }
    

Using AWS CLI

  1. Run update-trail command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to reconfigure as the identifier parameter, to enable CloudTrail API logging for AWS global services such as Amazon IAM and Amazon CloudFront. To avoid receiving duplicate global service events, make sure that the global service events are delivered to only one of your trails:

    aws cloudtrail update-trail \
      --region us-east-1 \
      --name cc-project5-api-trail \
      --include-global-service-events
    
  2. The command output should return the metadata available for the reconfigured trail:

    {
    	"IncludeGlobalServiceEvents": true,
    	"IsOrganizationTrail": false,
    	"Name": "cc-project5-api-trail",
    	"TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-project5-api-trail",
    	"LogFileValidationEnabled": false,
    	"IsMultiRegionTrail": true,
    	"S3BucketName": "cc-project5-cloudtrail-logs"
    }
    
  3. Repeat steps no. 1 and 2 for each Amazon CloudTrail trail in your AWS cloud account that you want to reconfigure.

Publication date Apr 12, 2016