
CloudTrail Management Events

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CT-010

Ensure that your Amazon CloudTrail trails are configured to log management events, so that important control-plane operations such as the EC2 "RunInstances", "DescribeInstances" and "TerminateInstances" API calls, as well as console events, are recorded (in short, every event that is not a data event).

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.

This rule can help you work with the AWS Well-Architected Framework.

Security

Management events are the control-plane operations performed on your AWS cloud resources, so recording this kind of event is a good security practice. For example, if management event logging is disabled and an IAM user within your organization terminates an Amazon EC2 instance that has a crucial role within your application stack, the instance is lost completely, the "TerminateInstances" event is never recorded, and the account administrator has no way to determine who terminated the instance by analyzing the trail logs.


Audit

To identify any CloudTrail trails that are missing the capability to log management events, perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  3. In the navigation panel, under CloudTrail, choose Trails.

  4. Click on the name (link) of the Amazon CloudTrail trail that you want to examine.

  5. In the Management events section, check the API activity attribute value. If the API activity attribute is not listed in the Management events section and the following message is displayed: Management events are not configured for this trail, the selected Amazon CloudTrail trail is not configured to capture management operations performed on your AWS cloud resources.

  6. Repeat steps no. 4 and 5 for each Amazon CloudTrail trail created for your AWS cloud account.

Using AWS CLI

  1. Run list-trails command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon CloudTrail trails created for your AWS cloud account:

    aws cloudtrail list-trails \
      --region us-east-1 \
      --query 'Trails[*].Name'
    
  2. The command output should return an array with the requested CloudTrail trail names:

    [
        "cc-main-cloud-trail",
        "cc-project5-api-trail"
    ]
    
  3. Run get-event-selectors command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to examine as the identifier parameter and custom query filters to determine if the selected CloudTrail trail is configured to record management events:

    aws cloudtrail get-event-selectors \
      --region us-east-1 \
      --trail-name cc-main-cloud-trail \
      --query 'EventSelectors[*].IncludeManagementEvents'
    
  4. The command output should return the requested feature status (true for enabled, false for disabled):

    [
        false
    ]
    

    If the value returned by the get-event-selectors command output is false, the selected Amazon CloudTrail trail is not configured to capture management operations performed on your AWS cloud resources, therefore important events such as RunInstances, DescribeInstances and TerminateInstances are not recorded.

  5. Repeat steps no. 3 and 4 for each Amazon CloudTrail trail available within your AWS cloud account.

Remediation / Resolution

To enable management events for your existing Amazon CloudTrail trails, perform the following operations:

Using AWS CloudFormation

  1. CloudFormation template (JSON):

    {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Enable Management Events that record both Read and Write API Operations",
        "Parameters": {
            "TrailName": {
                "Type": "String"
            },
            "BucketName": {
                "Type": "String"
            },
            "S3BucketKeyPrefix": {
                "Type": "String"
            }
        },
        "Resources": {
            "Trail": {
                "Type": "AWS::CloudTrail::Trail",
                "Properties": {
                    "TrailName": {
                        "Ref": "TrailName"
                    },
                    "S3BucketName": {
                        "Ref": "BucketName"
                    },
                    "S3KeyPrefix": {
                        "Ref": "S3BucketKeyPrefix"
                    },
                    "IsLogging": true,
                    "EventSelectors": [
                        {
                            "DataResources": [
                                {
                                    "Type": "AWS::S3::Object",
                                    "Values": ["arn:aws:s3"]
                                }
                            ],
                            "IncludeManagementEvents": true,
                            "ReadWriteType": "All"
                        }
                    ]
                }
            }
        }
    }
    
  2. CloudFormation template (YAML):

    AWSTemplateFormatVersion: '2010-09-09'
    Description: Enable Management Events that record both Read and Write API Operations
    Parameters:
      TrailName:
        Type: String
      BucketName:
        Type: String
      S3BucketKeyPrefix:
        Type: String
    Resources:
      Trail:
        Type: AWS::CloudTrail::Trail
        Properties:
          TrailName: !Ref 'TrailName'
          S3BucketName: !Ref 'BucketName'
          S3KeyPrefix: !Ref 'S3BucketKeyPrefix'
          IsLogging: true
          EventSelectors:
            - DataResources:
                - Type: AWS::S3::Object
                  Values:
                    - arn:aws:s3
              IncludeManagementEvents: true
              ReadWriteType: All
    

Using Terraform (AWS Provider)

  1. Terraform configuration file (.tf):

    terraform {
      required_providers {
        aws = {
          source  = "hashicorp/aws"
          version = "~> 3.27"
        }
      }

      required_version = ">= 0.14.9"
    }

    provider "aws" {
      profile = "default"
      region  = "us-east-1"
    }

    data "aws_caller_identity" "current-account" {}

    resource "aws_s3_bucket" "trail-s3-bucket" {
      bucket        = "cc-main-cloudtrail-bucket"
      force_destroy = true
      policy        = <<POLICY
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AWSCloudTrailAclCheck",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudtrail.amazonaws.com"
          },
          "Action": "s3:GetBucketAcl",
          "Resource": "arn:aws:s3:::cc-main-cloudtrail-bucket"
        },
        {
          "Sid": "AWSCloudTrailWrite",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudtrail.amazonaws.com"
          },
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::cc-main-cloudtrail-bucket/cc-trail-logs/AWSLogs/${data.aws_caller_identity.current-account.account_id}/*",
          "Condition": {
            "StringEquals": {
              "s3:x-amz-acl": "bucket-owner-full-control"
            }
          }
        }
      ]
    }
    POLICY
    }

    resource "aws_cloudtrail" "cloudtrail-trail" {
      name           = "cc-main-cloud-trail"
      s3_bucket_name = aws_s3_bucket.trail-s3-bucket.id
      s3_key_prefix  = "cc-trail-logs"
      enable_logging = true

      # Enable Management Events that record both Read and Write API Operations
      event_selector {
        read_write_type = "All"
        data_resource {
          type   = "AWS::S3::Object"
          values = ["arn:aws:s3"]
        }
        include_management_events = true
      }
    }
    

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  3. In the navigation panel, under CloudTrail, choose Trails.

  4. Click on the name (link) of the Amazon CloudTrail trail that you want to reconfigure.

  5. Choose Edit from the Management events section to change the trail configuration settings.

  6. On the Edit trail configuration page, perform the following actions:

    1. In the Events section, select Management events under Event type to enable recording management operations performed on your AWS resources.
    2. In the Management events section, under API activity, choose the activities you want to log. Select Read to record read-only events (i.e. API operations that read your AWS cloud resources but don't make changes, such as DescribeSecurityGroups and DescribeSubnets API operations). Select Write to record write-only events (i.e. API operations that change or might change your AWS resources, such as RunInstances and TerminateInstances API operations). Choose both Read and Write if you want your CloudTrail trail to log all API operations.
    3. (Optional) Choose Exclude AWS KMS events to exclude Amazon Key Management Service (KMS) events from your trail. By default, all KMS events are logged.
    4. (Optional) Choose Exclude Amazon RDS Data API events to filter Amazon RDS Data API events out of your trail. The default setting is to include all Amazon RDS Data API events.
    5. Choose Save changes to apply the changes.
  7. Repeat steps no. 4 – 6 for each Amazon CloudTrail trail created for your AWS cloud account that you want to reconfigure.

Using AWS CLI

  1. Run put-event-selectors command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to reconfigure as the identifier parameter, to enable management events that record both read and write API operations (i.e. All option) for the selected trail:

    aws cloudtrail put-event-selectors \
      --region us-east-1 \
      --trail-name cc-main-cloud-trail \
      --event-selectors '[{ "ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3"] }] }]'
    
  2. The command output should return the event selector metadata for the selected trail:

    {
        "EventSelectors": [
            {
                "ExcludeManagementEventSources": [],
                "IncludeManagementEvents": true,
                "DataResources": [
                    {
                        "Values": [
                            "arn:aws:s3"
                        ],
                        "Type": "AWS::S3::Object"
                    }
                ],
                "ReadWriteType": "All"
            }
        ],
        "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-main-cloud-trail"
    }
    
  3. Repeat steps no. 1 and 2 for each Amazon CloudTrail trail available within your AWS cloud account that you want to reconfigure.
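The audit and remediation steps above can be scripted instead of repeated by hand for every trail. The following is an added example, not code from the Cloud Conformity page or from any Trend Micro tool: it follows the list-trails / get-event-selectors / put-event-selectors sequence against any object exposing those three boto3 CloudTrail client methods, and ships with a constructed FakeCloudTrail stand-in (trail names and responses made up, modelled on the sample output above) so it runs offline. One caveat the example handles that the page does not mention: a trail configured with advanced event selectors returns an AdvancedEventSelectors list rather than EventSelectors, so the JMESPath query in the audit step returns an empty array for it; the check below reads the eventCategory field in that case instead.

```python
"""Audit and remediate CloudTrail management-event logging (rule CT-010).

Added example, not code from the Cloud Conformity page or from any Trend Micro
tool. It automates the list-trails / get-event-selectors / put-event-selectors
steps against any object that exposes those three boto3 CloudTrail client
methods; FakeCloudTrail is a constructed stand-in so the script runs offline.
Swap in boto3.client("cloudtrail") to run it against a real account.
"""
from typing import Any, Dict, List, Optional

# The selector payload from the page's put-event-selectors remediation step.
MANAGEMENT_ALL_SELECTORS: List[Dict[str, Any]] = [
    {
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}],
    }
]


def logs_management_events(response: Dict[str, Any]) -> bool:
    """Return True when a get-event-selectors response records management events.

    Classic selectors carry IncludeManagementEvents. Trails that use advanced
    event selectors return an AdvancedEventSelectors list instead (so the page's
    JMESPath query yields [] for them); there, management events are recorded
    when a selector's eventCategory field equals "Management".
    """
    for selector in response.get("EventSelectors", []):
        if selector.get("IncludeManagementEvents") is True:
            return True
    for selector in response.get("AdvancedEventSelectors", []):
        for field in selector.get("FieldSelectors", []):
            if field.get("Field") == "eventCategory" and "Management" in field.get("Equals", []):
                return True
    return False


def audit_trails(client: Any) -> Dict[str, bool]:
    """Map each trail name to its management-event status, following NextToken pages."""
    results: Dict[str, bool] = {}
    token: Optional[str] = None
    while True:
        page = client.list_trails(**({"NextToken": token} if token else {}))
        for trail in page.get("Trails", []):
            name = trail["Name"]
            results[name] = logs_management_events(client.get_event_selectors(TrailName=name))
        token = page.get("NextToken")
        if not token:
            return results


def remediate(client: Any, trail_name: str) -> Dict[str, Any]:
    """Apply the page's put-event-selectors payload; it replaces the trail's current selectors."""
    return client.put_event_selectors(TrailName=trail_name, EventSelectors=MANAGEMENT_ALL_SELECTORS)


def audit_and_fix(client: Any) -> Dict[str, bool]:
    """Remediate every non-compliant trail and return the post-fix audit."""
    for name, compliant in audit_trails(client).items():
        if not compliant:
            remediate(client, name)
    return audit_trails(client)


class FakeCloudTrail:
    """Constructed stand-in for boto3.client("cloudtrail"); every value here is made up."""

    def __init__(self) -> None:
        self.selectors: Dict[str, Dict[str, Any]] = {
            # Classic selector with management events on (compliant).
            "cc-main-cloud-trail": {"EventSelectors": [
                {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]},
            # Classic selector with management events off: the non-compliant case on the page.
            "cc-project5-api-trail": {"EventSelectors": [
                {"ReadWriteType": "All", "IncludeManagementEvents": False, "DataResources": []}]},
            # Advanced selectors covering S3 data events only: no Management category.
            "cc-s3-data-trail": {"AdvancedEventSelectors": [{"Name": "S3 data", "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Data"]},
                {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]}]},
        }

    def list_trails(self, NextToken: Optional[str] = None) -> Dict[str, Any]:
        names = list(self.selectors)  # served as two pages to exercise the NextToken loop
        if NextToken is None:
            return {"Trails": [{"Name": n} for n in names[:2]], "NextToken": "page-2"}
        return {"Trails": [{"Name": n} for n in names[2:]]}

    def get_event_selectors(self, TrailName: str) -> Dict[str, Any]:
        return dict(self.selectors[TrailName])

    def put_event_selectors(self, TrailName: str, EventSelectors: List[Dict[str, Any]]) -> Dict[str, Any]:
        self.selectors[TrailName] = {"EventSelectors": EventSelectors}
        return {"TrailARN": f"arn:aws:cloudtrail:us-east-1:123456789012:trail/{TrailName}",
                "EventSelectors": EventSelectors}


if __name__ == "__main__":
    fake = FakeCloudTrail()
    print("before:", audit_trails(fake))
    print("after: ", audit_and_fix(fake))
```

Run stand-alone, the script reports cc-project5-api-trail and cc-s3-data-trail as non-compliant, remediates both, and reports all three trails compliant afterwards. Against a real account, note that the remediation payload replaces whatever selectors the trail already has, so a trail that uses advanced event selectors for data events should be reviewed before its selectors are overwritten.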

Publication date Oct 15, 2017