Logo of Trend Micro

Avoid Duplicate Entries in Amazon CloudTrail Logs

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: CT-006

Ensure that only one trail within your Amazon CloudTrail multi-region logging configuration has the capability to record global service events in order to avoid duplicate log events for AWS global services such as Amazon Identity and Access Management (IAM), Security Token Service (STS) or AWS CloudFront.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

When you have multiple single region trails created in your AWS account, the events recorded for certain global services are duplicated in the log files as each region trail writes the same events to the CloudTrail aggregated log. In order to prevent log data duplication, the global service events tracking must be enabled for one trail only and disabled for all other trails, from other regions, that write to the same CloudTrail log.

Note: This conformity rule assumes that you have multiple single region trails (i.e. multi-region configuration) already available within your AWS account.

Audit

To determine if more than one single region trails record global service events, perform the following actions:

Note: Checking Amazon CloudTrail global service events logging configuration using AWS Management Console is not currently supported. The trails created using the AWS Management Console are recording global service events by default.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list all Amazon CloudTrail trails available in the selected AWS region: 

aws cloudtrail describe-trails
	--region us-east-1

02 The command output should describe the configuration information for each trail available in the selected region. If the value of the "IncludeGlobalServiceEvents" configuration attribute is set to true, as shown in the example below, the selected Amazon CloudTrail trail is recording global service events within the selected AWS region: 

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "cc-main-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-main-trail",
            "LogFileValidationEnabled": false,

		...

            "HasCustomEventSelectors": false,
            "S3BucketName": "cc-trail-s3bucket",
            "HasInsightSelectors": false,
            "HomeRegion": "us-east-1"
        }
    ]
}

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the audit process for other regions with active trails enabled. If more than one single region trail is tracking global service events within your AWS account, the events recorded for the global services such as Amazon IAM, STS or CloudFront are duplicated within the CloudTrail aggregated log.

Remediation / Resolution

To disable API tracking/logging for AWS global services in the subsequent single region trails, perform the following actions:

Note: Enabling AWS CloudTrail logging global service events using AWS Management Console is not currently supported. The trails created using the AWS Management Console are recording global service events by default.

Using AWS CLI

01 Run update-trail command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to reconfigure and the name of the associated region as identifier parameters, to update the selected trail configuration and disable tracking global service events in order to avoid duplication: 

aws cloudtrail update-trail
	--region us-east-1
	--name cc-main-trail
	--no-include-global-service-events
  --no-is-multi-region-trail

02 The command output should return the update-trail command request metadata: 

{
    "Name": "cc-main-trail",
    "S3BucketName": "cc-trail-s3bucket"
    "IncludeGlobalServiceEvents": false,
    "IsMultiRegionTrail": false,
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-main-trail",
    "LogFileValidationEnabled": false,

    ...

}

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 for other regions with active trails enabled. Ensure that only a single region trail records global service events in order to avoid any duplicate entries within your Amazon CloudTrail aggregated log.

References

Publication date Apr 13, 2016

Related CloudTrail rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Avoid Duplicate Entries in Amazon CloudTrail Logs

Risk level: Medium