Logo of Trend Micro

CloudTrail Global Services Enabled

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: CT-005

Ensure that your CloudTrail trails are recording both regional and global events in order to increase the visibility of the API activity in your AWS account for security and management purposes.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Turning on API activity monitoring for global services that are not region-specific such as IAM, STS and CloudFront enables you to have full visibility over all your AWS services. Having CloudTrail logging enabled for both AWS regional and global services would help you to demonstrate compliance and troubleshoot operational or security issues within your AWS account.

Note: if you enable Include Global Services in multiple single region trails, these will generate duplicate entries for a single event in the log files. To prevent this duplication, the feature must be enabled just for one single region trail and disabled for all other trails.

Audit

To determine if your trails record API calls for AWS global services, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to examine.

05Under Additional Configuration section, check for the Include global services status:

Under Additional Configuration section, check for the Include global services status

If the feature status is set to No, the selected trail is not currently recording API calls for global services such as IAM, STS or AWS CloudFront.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list all trails available in the selected AWS region: 

aws cloudtrail describe-trails

02 The command output should expose each CloudTrail trail configuration details. If IncludeGlobalServiceEvents config parameter value is set to false, the selected trail is not tracking API calls for any global services within your AWS account: 

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": false,
            "Name": "MyGlobalTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:
                         123456789012:trail/MyGlobalTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": false,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

Remediation / Resolution

To enable API tracking and logging for AWS global services in your CloudTrail trails, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to update.

05 Click the pencil icon:

pencil icon next to Additional Configuration

next to Additional Configuration section to edit the trail configuration.

06 Select Yes next to Include global services to enable the feature and click Save:

Select Yes next to Include global services to enable the feature and click Save

Using AWS CLI

01Run describe-trails command (OSX/Linux/UNIX) to list all CloudTrail trails available in the selected AWS region and their configuration details (name, ARN, status, etc): 

aws cloudtrail describe-trails

02Run update-trail command (OSX/Linux/UNIX) using the selected trail name to update its configuration and enable API logging for AWS global services such as IAM, AWS STS and CloudFront: 

aws cloudtrail update-trail
	--name MyGlobalTrail
	--include-global-service-events

03The command output should return the new configuration details for the selected trail. Once the feature is enabled, the IncludeGlobalServiceEvents config parameter value is set to true: 

aws cloudtrail update-trail
	--name MyGlobalTrail{
	    "trailList": [
	        {
	            "IncludeGlobalServiceEvents": true,
	            "Name": "MyCloudTrail",
	            "TrailARN": "arn:aws:cloudtrail:us-east-1:
	                         123456789012:trail/MyCloudTrail",
	            "LogFileValidationEnabled": false,
	            "IsMultiRegionTrail": true,
	            "S3BucketName": "cloudtrail-global-logging",
	            "HomeRegion": "us-east-1"
	        }
	    ]
	}

References

Publication date Apr 12, 2016

Related CloudTrail rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

CloudTrail Global Services Enabled

Risk level: High