AWS CloudTrail Best Practices

Best practice rules for AWS CloudTrail

Trend Micro Cloud One™ – Conformity monitors AWS CloudTrail with the following rules:

• AWS CloudTrail Configuration Changes

  CloudTrail configuration changes have been detected within your Amazon Web Services account.

• Avoid Duplicate Entries in Amazon CloudTrail Logs

  Ensure that AWS CloudTrail trails are not duplicating global service events in their aggregated log files."

• CloudTrail Bucket MFA Delete Enabled

  Ensure AWS CloudTrail logging bucket has MFA Delete feature enabled.

• CloudTrail Bucket Publicly Accessible

  Ensure CloudTrail trail logging buckets are not publicly accessible.

• CloudTrail Data Events

  Ensure Data events are included into Amazon CloudTrail trails configuration.

• CloudTrail Delivery Failing

  Ensure Amazon CloudTrail trail log files are delivered as expected.

• CloudTrail Enabled

  Ensure AWS CloudTrail trails are enabled for all AWS regions.

• CloudTrail Global Services Enabled

  Ensure AWS CloudTrail trails track API calls for global services such as IAM, STS and CloudFront.

• CloudTrail Integrated With CloudWatch

  Ensure CloudTrail event monitoring with CloudWatch is enabled.

• CloudTrail Log File Integrity Validation

  Ensure your AWS CloudTrail trails have log file integrity validation enabled.

• CloudTrail Logs Encrypted

  Ensure your AWS CloudTrail logs are encrypted using AWS KMS–Managed Keys (SSE-KMS).

• CloudTrail Management Events

  Ensure management events are included into AWS CloudTrail trails configuration.

• CloudTrail S3 Bucket

  Ensure that AWS CloudTrail trail uses the designated Amazon S3 bucket.

• CloudTrail S3 Bucket Logging Enabled

  Ensure AWS CloudTrail buckets have server access logging enabled.

• Enable Object Lock for CloudTrail S3 Buckets

  Ensure that AWS CloudTrail S3 buckets use Object Lock for data protection and regulatory compliance.