Ensure that all your AWS CloudTrail trails are configured to log Management events, so that important operations such as EC2 RunInstances, DescribeInstances, TerminateInstances and Console Login (in short, every event that is not a data event) are recorded.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Management events are the operations performed on AWS resources themselves, and recording them is a good security practice. For example, if an IAM user within your organization terminates an EC2 instance that has a crucial role within your application stack, the instance is lost completely; if the trail does not log Management events, the TerminateInstances call is never recorded, so the account administrator has no way to determine who terminated the instance by analyzing the CloudTrail logs.
Audit
To identify any trails that are not configured to log Management events, perform the following actions:
Remediation / Resolution
To enable Management events for all CloudTrail trails available within your AWS account, perform the following:
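An offline-checkable version of the audit described above, as an added example that is not Cloud Conformity's own code: it classifies each trail's event selectors and lists the trails that would fail this rule. It assumes the response shapes of the DescribeTrails and GetEventSelectors APIs and, for the live variant only, boto3 with AWS credentials; the sample trails and account id are constructed.

```python
"""Audit CloudTrail trails for Management event logging (added example, not
Cloud Conformity code). Response shapes follow DescribeTrails/GetEventSelectors;
all sample data is constructed, the account id being the AWS docs placeholder."""
from typing import Dict, List


def management_events_status(selectors: Dict) -> str:
    """Return 'all', 'partial' (read-only or write-only) or 'none' for one
    GetEventSelectors response; an empty response is conservatively 'none'."""
    status = "none"
    # Classic selectors: IncludeManagementEvents gated by ReadWriteType.
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents", False):
            if sel.get("ReadWriteType", "All") == "All":
                return "all"
            status = "partial"
    # Advanced selectors: eventCategory == Management, optionally narrowed by
    # readOnly true/false; both values across selectors still cover everything.
    read_only = set()
    for sel in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f.get("Equals", []) for f in sel.get("FieldSelectors", [])}
        if "Management" not in fields.get("eventCategory", []):
            continue
        if "readOnly" not in fields:
            return "all"
        read_only.update(fields["readOnly"])
    if {"true", "false"} <= read_only:
        return "all"
    return "partial" if read_only else status


def noncompliant_trails(trails: List[Dict], selectors_by_arn: Dict[str, Dict]) -> List[str]:
    """ARNs of trails that do not log all Management events (the audit finding)."""
    return [t["TrailARN"] for t in trails
            if management_events_status(selectors_by_arn.get(t["TrailARN"], {})) != "all"]


def audit_live(region: str = "us-east-1") -> List[str]:
    """Same check against a real account; assumes boto3 and AWS credentials."""
    import boto3  # imported here so the offline sample runs without it
    ct = boto3.client("cloudtrail", region_name=region)
    trails = ct.describe_trails()["trailList"]
    return noncompliant_trails(
        trails, {t["TrailARN"]: ct.get_event_selectors(TrailName=t["TrailARN"]) for t in trails})


ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/"  # constructed prefix
SAMPLE_TRAILS = [{"Name": n, "TrailARN": ARN + n} for n in ("full", "s3-data-only", "writes-only")]
SAMPLE_SELECTORS = {
    ARN + "full": {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    ARN + "s3-data-only": {"AdvancedEventSelectors": [{"Name": "S3 objects", "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]}]}]},
    ARN + "writes-only": {"EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
}
```

Trails reported by `noncompliant_trails` are the ones to fix with put-event-selectors; a `partial` result means Management events are only half-recorded (reads or writes), which still leaves a TerminateInstances or a DescribeInstances invisible.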
References
- AWS Documentation
  - AWS CloudTrail FAQs
  - Logging Data and Management Events for Trails
  - Updating a Trail
- AWS Command Line Interface (CLI) Documentation
  - cloudtrail
  - describe-trails
  - get-event-selectors
  - put-event-selectors
CloudTrail Management Events
Risk level: Medium