Logo of Trend Micro

CloudTrail Data Events

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: CT-012

Ensure that all your AWS CloudTrail trails are configured to log Data events in order to record S3 object-level API operations, such as GetObject, DeleteObject and PutObject, for individual S3 buckets or for all current and future S3 buckets provisioned in your AWS account.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Enabling CloudTrail Data events logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.

Audit

To identify any trails that are missing the capability to log Data events, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Choose the trail that you want to examine then click on its identifier (link) to access the configuration page.

05 Within Data events section, check for any listed S3 buckets. If there are no AWS S3 buckets listed within this section, instead only a Configure button is displayed, i.e.

Cloudtrail Data Events

the Data events are not included into the selected Amazon Cloudtrail trail logging configuration, therefore S3 object-level API operations such as GetObject, DeleteObject and PutObject are not recorded.

06 Repeat step no. 4 and 5 to identify other trails that are missing the capability to log Data events, available in the selected region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list the names of all Amazon CloudTrail trails currently available in the selected AWS region: 

aws cloudtrail describe-trails
	--region us-east-1
	--output table
	--query 'trailList[*].Name'

02 The command output should return a table with the requested trail names: 

--------------------------
|     DescribeTrails     |
+------------------------+
| cc-global-env-trail    |
| cc-internal-env-trail  |
+------------------------+

03 Run get-event-selectors command (OSX/Linux/UNIX) using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration: 

aws cloudtrail get-event-selectors
	--region us-east-1
	--trail-name cc-global-env-trail
	--query 'EventSelectors[*].DataResources[]'

03 Run get-event-selectors command (OSX/Linux/UNIX) using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration: 

aws cloudtrail get-event-selectors
	--region us-east-1
	--trail-name cc-global-env-trail
	--query 'EventSelectors[*].DataResources[]'

04 The command output should return an array that contains the metadata of the AWS S3 buckets defined for the Data events selector: 

[]

If the get-event-selectors command returns an empty array, i.e. [], the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded.

05 Repeat step no. 3 and 4 to identify other trails that are missing the capability to log Data events, available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

Remediation / Resolution

To enable Data events for all CloudTrail trails available within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel, select Trails.

04 Choose the trail that you want to examine then click on its identifier (link) to access the configuration page.

05 Click the Edit icon:

Edit

available next to the Data events section, to include Data events into the selected trail logging configuration.

06 Inside Data events configuration section, perform one of the following actions:

  1. To enable Data events logging for all the S3 buckets in your AWS account, check Select all S3 buckets in your account checkbox, then choose whether you want to log Read events (e.g. GetObject) or Write events (e.g. PutObject) or to log both types of events, by selecting Read and/or Write checkboxes. This setting takes precedence over any setting that you have configured for individual S3 buckets.
  2. To enable Data events logging for individual AWS S3 buckets, click Add S3 bucket, type the bucket name and prefix (optional) and specify whether you want to log Read, Write, or both types of events, by selecting Read and/or Write checkboxes. For each CloudTrail trail, you can add up to 250 buckets and prefix combinations. This restriction does not apply if you configure Data event logging for all Amazon S3 buckets (step 6.a).

07 Click Save to apply the changes and save the trail configuration. The selected AWS Cloudtrail trail will begin to record Data events.

08 Repeat steps no. 4 – 7 to enable Data events for other trails available in the current region.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 To enable Data events logging for all the S3 buckets within your AWS account, run put-event-selectors command (OSX/Linux/UNIX) using the name of the trail that you want to reconfigure as identifier (see Audit section part II to identify the right resource): 

aws cloudtrail put-event-selectors
	--region us-east-1
	--trail-name cc-global-env-trail
	--event-selectors '[{ "ReadWriteType": "All", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3"] }] }]'

02 The command output should return the put-event-selectors command request metadata: 

{
    "EventSelectors": [
        {
            "IncludeManagementEvents": true,
            "DataResources": [
                {
                    "Values": [
                        "arn:aws:s3"
                    ],
                    "Type": "AWS::S3::Object"
                }
            ],
            "ReadWriteType": "All"
        }
    ],
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-global-env-trail"
}

03 To enable Data events logging for individual Amazon S3 buckets, run put-event-selectors command (OSX/Linux/UNIX) using the name of the trail that you want to reconfigure as identifier (see Audit section part II to identify the right resource). The following command example enables Data events logging for all the objects available in an S3 bucket named "cc-s3-data-bucket": 

aws cloudtrail put-event-selectors
	--region us-east-1
	--trail-name cc-global-env-trail
	--event-selectors '[{ "ReadWriteType": "All", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::cc-s3-data-bucket/"] }] }]'

04 The command output should return the command request metadata: 

{
    "EventSelectors": [
        {
            "IncludeManagementEvents": true,
            "DataResources": [
                {
                    "Values": [
                        "arn:aws:s3:::cc-s3-data-bucket/"
                    ],
                    "Type": "AWS::S3::Object"
                }
            ],
            "ReadWriteType": "All"
        }
    ],
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-global-env-trail"
}

05 Repeat steps no. 1 – 4 to enable Data events for other CloudTrail trails available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire process for other regions.

References

Publication date Nov 15, 2017

Related CloudTrail rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

CloudTrail Data Events

Risk level: Low