AWS CloudTrail Configuration Changes

"CreateTrail" – Creates a Cloudtrail trail that specifies the settings for delivery of log data to an Amazon S3 bucket.

"UpdateTrail" – Updates the settings that specify delivery of Cloudtrail log files. Changes to a trail do not require stopping the CloudTrail service. The action triggered by this event is used to designate an existing bucket for log delivery. If the existing S3 bucket has previously been a target for aws CloudTrail log files, an IAM policy already exists for the bucket.

"DeleteTrail" – Deletes a Cloudtrail trail. This event is triggered within the AWS region in which the trail was created. DeleteTrail event action is not called on the shadow trails (replicated trails in other regions) of a trail that is enabled in all regions.

"PutEventSelectors" – Configures an event selector for a Cloudtrail trail. Event selectors are used to further specify the management and data event settings for a trail. By default, trails created without specific event selectors will be configured to log all read and write management events and no data events.

"AddTags" – Adds one or more tags to a Cloudtrail trail, up to a limit of 50. Tags must be unique per trail.

"RemoveTags" – Removes the specified tags from an AWS Cloudtrail trail.

"StartLogging" – Starts the recording of AWS API calls and log file delivery for a trail. StartLogging event action is not called on the shadow trails (replicated trails in other AWS regions) of a trail that is enabled in all regions.

"StopLogging" – Suspends the recording of AWS API calls and log file delivery for the specified trail.

To adhere to AWS security best practices and implement the principle of least privilege (i.e. the practice of providing every user/process/system the minimal amount of access required to perform its tasks), Cloud Conformity strongly recommends that you avoid as much as possible to provide your IAM users (except the system administrator) the permission to change the CloudTrail service configuration within your AWS account.The communication channels for sending RTMA notifications can be easily configured within Cloud Conformity account. The list of supported communication channels that you can use to receive AWS CloudTrail configuration change alerts are Slack, SMS, Email, PagerDuty, ServiceNow and Zendesk.

The visibility into your Amazon Web Services account activity is a key aspect of security and operational best practices. You use AWS CloudTrail to view, search, download, archive, analyze and respond to account activity across your AWS infrastructure. Therefore, monitoring any configuration change made at the CloudTrail service level is important for keeping your AWS infrastructure secure and compliant.