Avoid duplicate entries in AWS CloudTrail logs

Security

Risk level: Medium (should be achieved)

Ensure that only one trail within a CloudTrail multi-region logging configuration has the Include Global Services feature enabled, in order to avoid duplicate log events being recorded for AWS global services such as IAM, STS or CloudFront.

This rule resolution is part of the Cloud Conformity Security Package

When you have multiple single region trails created in your AWS account, the events recorded for certain global services such as Identity and Access Management (IAM) are duplicated in the logs, because each region trail writes the same IAM events to the CloudTrail aggregated log. To prevent this duplication, the Include Global Services feature must be enabled for one trail only and disabled for all other trails in other regions that write to the same CloudTrail log. Note: this guide assumes that you already have multiple single region trails (a multi-region configuration) in your AWS account.

Audit

To determine whether more than one single region trail has the Include Global Services feature enabled, perform the following:

Using AWS Console

01Sign in to the AWS Management Console.

02Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03In the left navigation panel, select Trails.

04 Under the Name column, select the trail name that you need to examine.

05 Under the Additional Configuration section, check the Include global services status. If the feature status is set to Yes, the selected trail is currently recording API calls for global services such as IAM, STS or AWS CloudFront.

06 In the left navigation panel select Trails and repeat steps 4 and 5 for each single region trail available in your AWS account.

Using AWS CLI

01 Run the describe-trails command (OSX/Linux/UNIX) to list all CloudTrail trails available in the selected AWS region:

aws cloudtrail describe-trails \
	--region us-east-1

02 The command output should expose the configuration details for each trail. If the IncludeGlobalServiceEvents configuration parameter is set to true, the selected trail is recording API calls for the global services enabled in your AWS account:

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "US-East1-LogTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/US-East1-LogTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": false,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

03 Repeat step 1 using each subsequent region name as the --region parameter value, in order to display the configuration details for each single region trail available in your AWS account. The following table lists all the regions currently provided by AWS:

--region parameter value    region name
us-east-1                   US East (N. Virginia)
us-west-2                   US West (Oregon)
us-west-1                   US West (N. California)
eu-west-1                   EU (Ireland)
eu-central-1                EU (Frankfurt)
ap-southeast-1              Asia Pacific (Singapore)
ap-northeast-1              Asia Pacific (Tokyo)
ap-southeast-2              Asia Pacific (Sydney)
ap-northeast-2              Asia Pacific (Seoul)
sa-east-1                   South America (São Paulo)

Remediation / Resolution

To disable API call tracking for AWS global services in the remaining single region trails, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under the Name column, select the trail name that you need to edit.

05 Click the pencil icon next to the Additional Configuration section to edit the trail configuration.

06 Select No next to Include global services to disable the feature and click Save.

07 In the left navigation panel select Trails and repeat steps 4, 5 and 6 for each single region trail available in your AWS account. Ensure that only one single region trail has Include global services enabled and disable the feature for all other trails in other AWS regions, in order to avoid duplicate entries in your CloudTrail log.

Using AWS CLI

01 Run the describe-trails command (OSX/Linux/UNIX) to list the trails available in the selected AWS region and their configuration details (name, ARN, bucket name, etc.):

aws cloudtrail describe-trails \
	--region us-east-1

02 Run the update-trail command (OSX/Linux/UNIX) using the selected trail name and its home region to update the trail configuration and disable API call tracking for AWS global services such as IAM, STS or CloudFront:

aws cloudtrail update-trail \
	--region us-east-1 \
	--name US-East1-LogTrail \
	--no-include-global-service-events

03 Repeat steps 1 and 2 for each single region trail available in your AWS account. Ensure that only one single region trail has the IncludeGlobalServiceEvents parameter set to true (enabled) and all other region trails have IncludeGlobalServiceEvents set to false (disabled), in order to avoid duplicate entries in your CloudTrail aggregated log.
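The following script is an added example (not part of the original page or of the Cloud Conformity tooling) that automates both the Audit and the Remediation CLI steps above: it merges the describe-trails output collected from each region, counts the trails that have IncludeGlobalServiceEvents set to true, and builds the update-trail commands for every trail except the one you choose to keep. It goes slightly beyond the single-region case in the text: describe-trails returns shadow copies of multi-region trails in every region by default, so trails are de-duplicated by TrailARN, and update-trail is addressed to each trail's HomeRegion because it must be called from the region where the trail was created. The describe-trails output used here is constructed sample data, not captured from a real account.

```python
import json

def _trail(name, home, global_events, multi=False):
    # Build one trail record in the shape describe-trails returns (constructed sample data).
    return {"Name": name, "HomeRegion": home, "IsMultiRegionTrail": multi,
            "IncludeGlobalServiceEvents": global_events,
            "TrailARN": f"arn:aws:cloudtrail:{home}:123456789012:trail/{name}"}

US_EAST = _trail("US-East1-LogTrail", "us-east-1", True)
EU_WEST = _trail("EU-West1-LogTrail", "eu-west-1", True)
AP_SYD = _trail("AP-Sydney-LogTrail", "ap-southeast-2", False)
MULTI = _trail("MultiRegion-Trail", "us-west-2", True, multi=True)
# Constructed stand-in for what `aws cloudtrail describe-trails --region <r>` prints per region.
# The multi-region trail shows up in every region's listing as a shadow trail.
SAMPLE_OUTPUT = {
    "us-east-1": json.dumps({"trailList": [US_EAST, MULTI]}),
    "eu-west-1": json.dumps({"trailList": [EU_WEST, MULTI]}),
    "ap-southeast-2": json.dumps({"trailList": [AP_SYD, MULTI]}),
    "us-west-2": json.dumps({"trailList": [MULTI]}),
}

def parse_trails(outputs_by_region):
    """Merge per-region describe-trails JSON into one dict keyed by TrailARN (shadows collapse)."""
    trails = {}
    for raw in outputs_by_region.values():
        for trail in json.loads(raw)["trailList"]:
            trails.setdefault(trail["TrailARN"], trail)
    return trails

def trails_with_global_events(trails):
    """ARNs of trails currently recording global service events, sorted for stable output."""
    return sorted(arn for arn, t in trails.items() if t.get("IncludeGlobalServiceEvents"))

def audit(outputs_by_region):
    """Return (compliant, offending_arns): compliant means at most one trail logs global events."""
    arns = trails_with_global_events(parse_trails(outputs_by_region))
    return len(arns) <= 1, arns

def remediation_commands(outputs_by_region, keep_arn):
    """update-trail commands that disable global service events on every trail except keep_arn."""
    trails = parse_trails(outputs_by_region)
    return [
        f"aws cloudtrail update-trail --region {trails[arn]['HomeRegion']} "
        f"--name {trails[arn]['Name']} --no-include-global-service-events"
        for arn in trails_with_global_events(trails) if arn != keep_arn
    ]

if __name__ == "__main__":
    compliant, offenders = audit(SAMPLE_OUTPUT)
    print("compliant:", compliant, "trails with global events:", offenders)
    for cmd in remediation_commands(SAMPLE_OUTPUT, US_EAST["TrailARN"]):
        print(cmd)
```

Review the generated commands before running them, since disabling the feature on the wrong trail leaves global service events unrecorded everywhere.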

Publication date Apr 13, 2016