Logo of Trend Micro

CloudTrail Management Events

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: CT-010

Ensure that all your AWS CloudTrail trails are configured to log Management events in order to record important operations such as EC2 RunInstances, DescribeInstances, TerminateInstances and Console Login (basically all events that are not data events).

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Management events are operations that occur when working with AWS resources and recording them is a good security practice. For example, if an IAM user within your organization terminates an EC2 instance that has a crucial role within your application stack, the instance is lost completely and the TerminateInstances event is not recorded so there is no way for the account Administrator to determine who terminated the instance by analyzing the Cloudtrail logs.

Audit

To identify any trails that are missing the capability to log Management events, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Choose the trail that you want to examine then click on its identifier (link) to access the configuration page.

05 Within Management events section, verify the Read/Write events attribute value. If the attribute current value is set to None, the Management events are not included into the selected Amazon Cloudtrail trail logging configuration, therefore important events triggered within your AWS account are not recorded.

06 Repeat step no. 4 and 5 to identify other trails that are missing the capability to log Management events, available in the selected region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list the names of all Amazon CloudTrail trails currently available in the selected AWS region: 

aws cloudtrail describe-trails
	--region us-east-1
	--output table
	--query 'trailList[*].Name'

02 The command output should return a table with the requested trail names: 

--------------------------
|     DescribeTrails     |
+------------------------+
| cc-global-cloud-trail  |
| cc-internal-trail      |
+------------------------+

03 Run get-event-selectors command (OSX/Linux/UNIX) using the name of the trail returned at the previous step and custom query filters to determine if Management events are included into the selected CloudTrail trail configuration: 

aws cloudtrail get-event-selectors
	--region us-east-1
	--trail-name cc-global-cloud-trail
	--query 'EventSelectors[*].IncludeManagementEvents

04 The command output should return the Management events configuration flag value (true for enabled, false for disabled): 

[
    false
]

If the Boolean value returned by the get-event-selectors command is false, the Management events are not included into the selected Amazon Cloudtrail trail configuration, therefore important events such as RunInstances, DescribeInstances and TerminateInstances are not recorded.

05 Repeat step no. 3 and 4 to identify other trails that are missing the capability to log Management events, available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

Remediation / Resolution

To enable Management events for all CloudTrail trails available within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel, select Trails.

04 Choose the CloudTrail trail that you want to reconfigure (see Audit section part I to identify the right resource) then click on its identifier to access the configuration page.

05 Click the Edit icon:

Edit

available next to the Management events section, to include Management events into the selected trail logging configuration.

06 For Read/Write events setting, choose Read-only option for read API operations such as EC2 DescribeInstances, Write-only option for create, update and delete API operations or All option (recommended) for both read and write API operations.

07 Click Save to apply the changes and save the trail configuration. The selected AWS Cloudtrail trail will begin to record Management events.

08 Repeat steps no. 4 – 7 to enable Management events for other trails available in the current region.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run put-event-selectors command (OSX/Linux/UNIX) using the name of the trail that you want to reconfigure (see Audit section part II to identify the right resource) to enable Management events that record both read and write API operations (i.e. All option) for the selected AWS CloudTrail trail: 

aws cloudtrail put-event-selectors
	--region us-east-1
	--trail-name cc-global-cloud-trail
	--event-selectors '[{ "ReadWriteType": "All", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3"] }] }]'

02 The command output should return the event selector metadata for the selected trail: 

{
    "EventSelectors": [
        {
            "IncludeManagementEvents": true,
            "DataResources": [
                {
                    "Values": [
                        "arn:aws:s3"
                    ],
                    "Type": "AWS::S3::Object"
                }
            ],
            "ReadWriteType": "All"
        }
    ],
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-global-cloud-trail"
}

03 Repeat step no. 1 and 2 to enable Management events for other CloudTrail trails available in the current region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the entire process for other regions.

References

Publication date Oct 15, 2017

Related CloudTrail rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

CloudTrail Management Events

Risk level: Medium