
CloudTrail S3 Bucket

Security
Risk level: Medium (should be achieved)
Rule ID: CT-014

Ensure that your Amazon CloudTrail trail is configured to use the appropriate S3 bucket in order to meet the regulatory compliance requirements of your organization. Before the Cloud Conformity engine runs this rule, the S3 bucket into which AWS CloudTrail delivers the trail files must be configured in the rule settings, on your Cloud Conformity account dashboard.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

The delivery of CloudTrail data must be tightly controlled by using only the Amazon S3 bucket specifically designated as the target bucket for trail data recorded in your AWS account.

Audit

To determine if your AWS CloudTrail trail uses the right S3 bucket as target bucket, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access CloudTrail S3 Bucket conformity rule settings and identify the name defined for the Amazon S3 bucket designated to receive and store CloudTrail data (also known as target bucket).

02 Sign in to the AWS Management Console.

03 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

04 In the left navigation panel, select Trails.

05 Choose the trail that you want to examine, then click on its identifier available in the Name column, to access the resource configuration page.

06 In the Storage location section, check the S3 bucket attribute value to identify the name of the S3 bucket used as target bucket. If the S3 bucket value does not match the name of the bucket identified at step no. 1, the selected Amazon CloudTrail trail does not use the appropriate S3 bucket, hence the trail configuration is not compliant.

07 If required, repeat steps no. 5 and 6 to check the target S3 bucket for other CloudTrail trails available in the selected region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access CloudTrail S3 Bucket conformity rule settings and identify the name defined for the Amazon S3 bucket designated to receive and store CloudTrail data.

02 Run the describe-trails command (OSX/Linux/UNIX) to list the names of all Amazon CloudTrail trails available within the selected AWS region:

aws cloudtrail describe-trails \
    --region us-east-1 \
    --output table \
    --query 'trailList[*].Name'

03 The command output should return a table with the requested trail names:

-------------------------
|    DescribeTrails     |
+-----------------------+
|  cc-production-trail  |
|  codepipeline-trail   |
+-----------------------+

04 Run the describe-trails command (OSX/Linux/UNIX) again, passing the name of the trail that you want to examine as identifier and a custom query filter, to return the name of the S3 bucket used as target bucket by the selected trail:

aws cloudtrail describe-trails \
    --region us-east-1 \
    --trail-name-list cc-production-trail \
    --query 'trailList[*].S3BucketName'

05 The command output should return the name of the requested S3 bucket:

[
    "cc-trail-data"
]

Compare the name of the S3 bucket returned by the describe-trails command with the bucket name identified at step no. 1. If the names do not match, the selected Amazon CloudTrail trail does not use the designated S3 bucket, therefore the current trail configuration is not compliant.

06 If required, repeat steps no. 4 and 5 to check the target S3 bucket for other CloudTrail trails available in the selected region.

07 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 6 to perform the entire audit process for other regions.
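The comparison performed at step no. 5 can be applied to the raw JSON that describe-trails returns. The following Python function is an added example, not part of the original rule page or of the Cloud Conformity tool; the trail list and bucket names it uses are constructed sample data, and the designated bucket name is assumed to be the one copied from the rule settings.

```python
"""Flag CloudTrail trails whose target bucket differs from the designated one."""
import json

# Constructed sample of `aws cloudtrail describe-trails --region us-east-1`
# output. By default the response also includes shadow trails, i.e. trails
# whose HomeRegion is another region (multi-region and organization trails).
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {"Name": "cc-production-trail", "HomeRegion": "us-east-1",
         "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-production-trail",
         "S3BucketName": "cc-trail-data", "IsMultiRegionTrail": True},
        {"Name": "codepipeline-trail", "HomeRegion": "us-east-1",
         "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/codepipeline-trail",
         "S3BucketName": "codepipeline-logs-bucket", "IsMultiRegionTrail": False},
        {"Name": "eu-audit-trail", "HomeRegion": "eu-west-1",
         "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/eu-audit-trail",
         "S3BucketName": "cc-trail-data", "IsMultiRegionTrail": True},
    ]
})


def find_noncompliant_trails(describe_output, designated_bucket, seen_arns=None):
    """Return [(name, home_region, bucket)] for trails not using designated_bucket.

    `seen_arns` is shared across calls when auditing several regions: a
    multi-region trail shows up as a shadow trail in every region, so each
    TrailARN is evaluated exactly once. A trail with no S3BucketName at all
    is reported as non-compliant as well.
    """
    if seen_arns is None:
        seen_arns = set()
    designated_bucket = designated_bucket.strip()
    findings = []
    for trail in json.loads(describe_output).get("trailList", []):
        arn = trail["TrailARN"]
        if arn in seen_arns:
            continue
        seen_arns.add(arn)
        bucket = trail.get("S3BucketName")
        if bucket != designated_bucket:
            findings.append((trail["Name"], trail["HomeRegion"], bucket))
    return findings


if __name__ == "__main__":
    for name, region, bucket in find_noncompliant_trails(SAMPLE_DESCRIBE_TRAILS, "cc-trail-data"):
        print(f"NON-COMPLIANT: trail {name} ({region}) delivers to bucket {bucket!r}")
```

Feed the function the output of describe-trails for each region, reusing one `seen_arns` set, and the result is the list of trails that need the remediation below.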

Remediation / Resolution

To reconfigure your Amazon CloudTrail trail in order to use the designated S3 bucket, specified in the conformity rule settings, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access CloudTrail S3 Bucket rule settings and copy the name of the Amazon S3 bucket configured to receive and store CloudTrail data.

02 Sign in to the AWS Management Console.

03 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

04 In the navigation panel, select Trails.

05 Choose the CloudTrail trail that you want to reconfigure (see Audit section part I to identify the right resource) then click on its identifier to access the trail configuration page.

06 On the selected trail configuration page, click the Edit icon available next to the Storage location section to reconfigure the target bucket associated with the trail.

07 Select Yes next to Create a new S3 bucket, and in the S3 bucket box type the name of the designated bucket defined in the conformity rule settings and copied at step no. 1. (Optional) You can also specify a prefix for the log files in the Log file prefix box.

08 Click Save to apply the changes. Once the target bucket is created, the Amazon CloudTrail service will begin delivering trail data to the designated bucket, and the Last log file delivered attribute value of the selected trail will be updated.

09 If required, repeat steps no. 5 – 8 to reconfigure other AWS CloudTrail trails with non-compliant configuration, available in the current region.

10 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access CloudTrail S3 Bucket rule settings and copy the name of the Amazon S3 bucket configured to receive and store CloudTrail data.

02 Run the update-subscription command (OSX/Linux/UNIX) to update the storage configuration for the specified trail (see Audit section part II to identify the right resource). Use the --s3-use-bucket parameter if the designated S3 bucket already exists in your AWS account, or the --s3-new-bucket parameter to create it, passing the bucket name copied at step no. 1:

aws cloudtrail update-subscription \
    --region us-east-1 \
    --name cc-production-trail \
    --s3-new-bucket cc-trail-global-data

03 The command output should return the new configuration metadata for the updated trail:

Setting up new S3 bucket cc-trail-global-data...
Creating/updating CloudTrail configuration...
CloudTrail configuration:
{
  "trailList": [
    {
      "IncludeGlobalServiceEvents": true,
      "IsOrganizationTrail": false,
      "Name": "cc-production-trail",
      "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-production-trail",
      "LogFileValidationEnabled": true,
      "IsMultiRegionTrail": true,
      "HasCustomEventSelectors": true,
      "S3BucketName": "cc-trail-global-data",
      "HomeRegion": "us-east-1"
    }
  ],
  "ResponseMetadata": {
    "RetryAttempts": 0,
    "HTTPStatusCode": 200,
    "RequestId": "01234567-abcd-1234-abcd-012345678901",
    "HTTPHeaders": {
      "x-amzn-requestid": "01234567-abcd-1234-abcd-012345678901",
      "date": "Mon, 22 Feb 2019 20:36:04 GMT",
      "content-length": "787",
      "content-type": "application/x-amz-json-1.1"
    }
  }
}

04 If required, repeat steps no. 2 and 3 to reconfigure other AWS CloudTrail trails with non-compliant configurations available in the selected region.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the entire remediation process for other regions.

Publication date Mar 4, 2019