
Enable AWS CloudTrail logging for global services

Risk level: High (act today)

Ensure that your CloudTrail trails are recording both regional and global events in order to increase the visibility of the API activity in your AWS account for security and management purposes.

This rule resolution is part of the Cloud Conformity Security Package

Turning on API activity monitoring for global services that are not region-specific, such as IAM, STS and CloudFront, gives you complete visibility of the API activity across all your AWS services. Having CloudTrail logging enabled for both AWS regional and global services helps you demonstrate compliance and troubleshoot operational or security issues within your AWS account. Note: if you enable Include global services on several single-region trails, each of those trails writes its own copy of every global service event, so a single event appears multiple times in the log files. To prevent this duplication, enable the feature on exactly one single-region trail and disable it on all the others.

Audit

To determine if your trails record API calls for AWS global services, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to examine.

05 Under the Additional Configuration section, check the Include global services status:

If the feature status is set to No, the selected trail is not currently recording API calls for global services such as IAM, STS or AWS CloudFront.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list all trails available in the selected AWS region:

aws cloudtrail describe-trails

02 The command output lists the configuration details of each CloudTrail trail. If the IncludeGlobalServiceEvents parameter value is false, the selected trail is not recording API calls for any global service within your AWS account:

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": false,
            "Name": "MyGlobalTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyGlobalTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": false,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

Remediation / Resolution

To enable API tracking and logging for AWS global services in your CloudTrail trails, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to update.

05 Click the pencil icon next to the Additional Configuration section to edit the trail configuration.

06 Select Yes next to Include global services to enable the feature and click Save.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list all CloudTrail trails available in the selected AWS region and their configuration details (name, ARN, status, etc.):

aws cloudtrail describe-trails

02 Run update-trail command (OSX/Linux/UNIX) with the selected trail name to update its configuration and enable API logging for AWS global services such as IAM, AWS STS and CloudFront:

aws cloudtrail update-trail \
    --name MyGlobalTrail \
    --include-global-service-events

03 The command output returns the new configuration details for the selected trail. Once the feature is enabled, the IncludeGlobalServiceEvents parameter value is set to true:

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyCloudTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyCloudTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": true,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}
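Putting the CLI audit and remediation steps together, the following Python script is an added example (not Cloud Conformity's own code) that reads the JSON printed by aws cloudtrail describe-trails, reports when no trail records global service events, flags the duplicate-logging situation described in the note above (more than one trail with the feature enabled), and prints the update-trail commands that leave exactly one trail recording global events. It goes slightly beyond the page's single-trail check by evaluating all trails in the output together. The embedded trailList sample is constructed; the account id 123456789012, the trail names and the script file name are placeholders. Run it as python audit_global_events.py trails.json against saved CLI output, or with no argument to use the sample.

```python
"""Audit CloudTrail trails for global-service event coverage.

Input: the JSON document printed by `aws cloudtrail describe-trails`
(the "trailList" shape shown on this page). Output: findings plus the
`aws cloudtrail update-trail` commands that reach the recommended state,
in which exactly one trail records global service events.
"""
import json
import sys

# Constructed sample in the shape of `aws cloudtrail describe-trails` output.
# Not a real account: 123456789012 is a placeholder account id.
SAMPLE_DESCRIBE_TRAILS = {
    "trailList": [
        {
            "Name": "MyGlobalTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyGlobalTrail",
            "IncludeGlobalServiceEvents": False,
            "IsMultiRegionTrail": False,
            "HomeRegion": "us-east-1",
            "S3BucketName": "cloudtrail-global-logging",
        },
        {
            "Name": "WestTrail",
            "TrailARN": "arn:aws:cloudtrail:us-west-2:123456789012:trail/WestTrail",
            "IncludeGlobalServiceEvents": True,
            "IsMultiRegionTrail": False,
            "HomeRegion": "us-west-2",
            "S3BucketName": "cloudtrail-west",
        },
        {
            "Name": "EuTrail",
            "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/EuTrail",
            "IncludeGlobalServiceEvents": True,
            "IsMultiRegionTrail": False,
            "HomeRegion": "eu-west-1",
            "S3BucketName": "cloudtrail-eu",
        },
    ]
}


def pick_keeper(candidates):
    """Choose the one trail that should record global events: prefer an
    existing multi-region trail, otherwise the first trail by name so the
    choice is deterministic between runs."""
    multi = [t for t in candidates if t.get("IsMultiRegionTrail")]
    pool = multi or sorted(candidates, key=lambda t: t["Name"])
    return pool[0] if pool else None


def update_cmd(trail, enable):
    """Build the AWS CLI command that turns global service events on or off
    for one trail. --region targets the trail's home region."""
    flag = "--include-global-service-events" if enable else "--no-include-global-service-events"
    return f"aws cloudtrail update-trail --name {trail['Name']} --region {trail['HomeRegion']} {flag}"


def audit_global_events(describe_trails_output):
    """Return (findings, plan): findings are human-readable problems, plan is
    the list of update-trail commands that fixes them."""
    trails = describe_trails_output.get("trailList", [])
    enabled = [t for t in trails if t.get("IncludeGlobalServiceEvents")]
    findings, plan = [], []

    if not enabled:
        # Nothing records IAM/STS/CloudFront API calls: the rule's high-risk state.
        findings.append("no trail records global service events")
        keeper = pick_keeper(trails)
        if keeper is not None:
            plan.append(update_cmd(keeper, enable=True))
    elif len(enabled) > 1:
        # Every enabled trail writes its own copy of each global event, which is
        # the duplicate-entry problem the page's note warns about.
        names = ", ".join(t["Name"] for t in enabled)
        findings.append(
            f"global service events recorded by {len(enabled)} trails ({names}); duplicates expected"
        )
        keeper = pick_keeper(enabled)
        plan.extend(update_cmd(t, enable=False) for t in enabled if t is not keeper)
    return findings, plan


def load_input(argv):
    """Read describe-trails JSON from the file named in argv[1], or fall back
    to the constructed sample when no file is given."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            return json.load(fh)
    return SAMPLE_DESCRIBE_TRAILS


if __name__ == "__main__":
    found, steps = audit_global_events(load_input(sys.argv))
    for line in found:
        print("FINDING:", line)
    for cmd in steps:
        print("PLAN:", cmd)
    if not found:
        print("OK: exactly one trail records global service events")
```

Against the constructed sample the script reports that two trails record global events and proposes disabling the feature on WestTrail, keeping EuTrail; MyGlobalTrail stays off because one recording trail per account is the goal. The plan is printed rather than executed so the proposed changes can be reviewed before any update-trail command is run.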

Publication date Apr 12, 2016