AWS CloudTrail Best Practices

AWS CloudTrail records API calls made in your AWS account and delivers them as log files to an S3 bucket. Each recorded event includes the source IP address of the caller, the time of the call, the identity of the caller (IAM user, role or federated principal), the request parameters, and the response elements returned by the service. Enabling CloudTrail provides a history of API activity across the account, including calls made from the AWS Management Console, the command line tools, the AWS SDKs, and other AWS services such as CloudFormation. This audit log supports in-depth security analysis, incident investigation and tracking of resource changes. Note that a trail records management (control-plane) events by default; data-plane activity such as S3 object-level operations and Lambda invocations is only logged when data events are explicitly enabled on the trail.

Cloud Conformity checks the AWS CloudTrail service against the following rules:

Enable access logging for AWS CloudTrail buckets
Ensure AWS CloudTrail buckets have server access logging enabled.

Enable MFA Delete for AWS CloudTrail bucket
Ensure the S3 bucket that receives AWS CloudTrail logs has MFA Delete enabled, so that log objects and their versions cannot be deleted without a second factor.

AWS CloudTrail insecure buckets
Ensure CloudTrail trail logging buckets are not publicly accessible.

Monitor AWS CloudTrail Configuration Changes
Ensure changes to CloudTrail configuration within your AWS account (a trail being created, updated, deleted, or logging being stopped) are detected and reviewed.

Enable AWS CloudTrail multi-region API logging
Ensure AWS CloudTrail trails are enabled for all AWS regions.

Enable AWS CloudTrail logging for global services
Ensure AWS CloudTrail trails track API calls for global services such as IAM, STS and CloudFront.

Enable AWS CloudTrail integration with CloudWatch
Ensure CloudTrail trails deliver events to a CloudWatch Logs log group so that they can be monitored and alarmed on.

Enable AWS CloudTrail log file integrity validation
Ensure your AWS CloudTrail trails have log file integrity validation enabled.

Enable AWS CloudTrail log files encryption
Ensure your AWS CloudTrail logs are encrypted using AWS KMS–Managed Keys (SSE-KMS).

Enable Data Events Logging for CloudTrail Trails
Ensure data events (for example S3 object-level operations and Lambda invocations) are included in the Amazon CloudTrail trail configuration.

AWS CloudTrail Log Files Delivery Failing
Ensure Amazon CloudTrail trail log files are delivered as expected.

Avoid duplicate entries in AWS CloudTrail logs
Ensure AWS CloudTrail trails are not duplicating global services events in their log files; only one trail per account should record events from global services such as IAM and STS.

Enable Management Events for CloudTrail trails
Ensure management events are included in the AWS CloudTrail trail configuration.

AWS CloudTrail Referencing Missing SNS Topic
Ensure Amazon CloudTrail trails reference SNS topics that still exist, so that log delivery notifications are not silently lost.
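Most of the rules above are properties of a trail that can be read back from the CloudTrail API, so a practitioner will usually evaluate them in a script rather than by hand. The following is an added example and not Cloud Conformity's code: it evaluates trails shaped like the DescribeTrails, GetTrailStatus and GetEventSelectors responses against the trail-level rules listed, adds the account-level duplicate-global-events rule, and shows the record-level check behind the configuration-change rule. The trail names, ARNs, bucket names and the log record are constructed sample data; the bucket-level rules (access logging, MFA Delete, public access) need S3 API calls and are not covered here.

```python
"""Evaluate CloudTrail trails against the rules listed above.

Added example, not Cloud Conformity's code. Dict keys follow the field names of
the CloudTrail API responses DescribeTrails, GetTrailStatus and GetEventSelectors
so real boto3 output can be fed in unchanged; the sample data is constructed and
nothing here calls AWS.
"""

# CloudTrail API actions that alter the audit trail itself. A log record with
# one of these eventNames is what the configuration-change rule alerts on.
CONFIG_CHANGE_EVENTS = {
    "CreateTrail", "UpdateTrail", "DeleteTrail",
    "StartLogging", "StopLogging", "PutEventSelectors",
}


def is_config_change_event(record):
    """True if a CloudTrail log record is a change to CloudTrail's own configuration."""
    return (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in CONFIG_CHANGE_EVENTS)


def evaluate_trail(trail, status, event_selectors):
    """Map each per-trail rule to True (pass) or False (finding)."""
    return {
        "multi_region": bool(trail.get("IsMultiRegionTrail")),
        "global_services": bool(trail.get("IncludeGlobalServiceEvents")),
        "cloudwatch_integration": bool(trail.get("CloudWatchLogsLogGroupArn")),
        "log_file_validation": bool(trail.get("LogFileValidationEnabled")),
        "kms_encryption": bool(trail.get("KmsKeyId")),
        # A trail with no custom selectors records management events by default.
        "management_events": (not event_selectors or
                              any(s.get("IncludeManagementEvents", True)
                                  for s in event_selectors)),
        # Data events exist only when a selector names at least one DataResource.
        "data_events": any(s.get("DataResources") for s in event_selectors),
        "logging_active": bool(status.get("IsLogging")),
        "delivery_ok": not status.get("LatestDeliveryError"),
    }


def evaluate_account(trails, existing_sns_topics=frozenset()):
    """Evaluate every trail in an account.

    `trails` is a list of {"trail", "status", "event_selectors"} dicts and
    `existing_sns_topics` the topic ARNs returned by SNS ListTopics. Adds the
    account-level rule that only one trail should record global service events,
    otherwise IAM/STS calls are logged twice.
    """
    results, global_trails = {}, 0
    for t in trails:
        trail = t["trail"]
        checks = evaluate_trail(trail, t["status"], t.get("event_selectors", []))
        topic = trail.get("SnsTopicARN")
        checks["sns_topic_active"] = topic is None or topic in existing_sns_topics
        results[trail["Name"]] = checks
        global_trails += bool(trail.get("IncludeGlobalServiceEvents"))
    for checks in results.values():
        checks["no_duplicate_global_events"] = global_trails <= 1
    return results


def findings(results):
    """Flatten results to a sorted list of (trail, rule) pairs that failed."""
    return sorted((name, rule) for name, checks in results.items()
                  for rule, ok in checks.items() if not ok)


# Constructed sample: one hardened trail and one legacy single-region trail.
SAMPLE_TRAILS = [
    {"trail": {"Name": "org-audit", "S3BucketName": "example-cloudtrail-logs",
               "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
               "LogFileValidationEnabled": True,
               "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example",
               "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail:*",
               "SnsTopicARN": "arn:aws:sns:us-east-1:111122223333:cloudtrail-alerts"},
     "status": {"IsLogging": True},
     "event_selectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                          "DataResources": [{"Type": "AWS::S3::Object",
                                             "Values": ["arn:aws:s3:::example-sensitive-bucket/"]}]}]},
    {"trail": {"Name": "legacy-us-west-2", "S3BucketName": "old-trail-logs",
               "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True,
               "LogFileValidationEnabled": False,
               "SnsTopicARN": "arn:aws:sns:us-west-2:111122223333:deleted-topic"},
     "status": {"IsLogging": True, "LatestDeliveryError": "AccessDenied"},
     "event_selectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
]
EXISTING_TOPICS = {"arn:aws:sns:us-east-1:111122223333:cloudtrail-alerts"}

# Constructed log record of the kind the configuration-change rule alerts on.
SAMPLE_RECORD = {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
                 "sourceIPAddress": "203.0.113.10",
                 "userIdentity": {"type": "IAMUser", "userName": "alice"},
                 "requestParameters": {"name": "org-audit"}}

if __name__ == "__main__":
    for trail, rule in findings(evaluate_account(SAMPLE_TRAILS, EXISTING_TOPICS)):
        print(f"FAIL {trail}: {rule}")
    print("configuration change event:", is_config_change_event(SAMPLE_RECORD))
```

Run as-is, the script reports the legacy trail failing the multi-region, CloudWatch, validation, encryption, data-events, delivery and SNS rules, and both trails failing the duplicate-global-events rule because each includes global service events. To run it against a real account, replace the sample lists with the output of `describe_trails`, `get_trail_status`, `get_event_selectors` and `list_topics` from boto3.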