Logo of Trend Micro

AWS CloudTrail Referencing Missing SNS Topic

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that your AWS CloudTrail trails are referencing active Simple Notification Service (SNS) topics in order to receive a notification for every log file delivery made to your S3 bucket.

Operational
excellence

When your trails are not referencing active SNS topics anymore, Amazon cannot send notifications each time CloudTrail publishes new log files to your S3 bucket, therefore you lose the ability to take immediate actions based on the logging information received from CloudTrail.

Audit

To identify any trails that are missing the capability to send notifications on log file delivery due to inactive SNS topics, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/

03 In the left navigation panel, select Trails.

04 Choose the trail that you want to examine then click on its identifier (link) to access the configuration page.

05 Verify the trail configuration page for any AWS error messages. If the "Problem with SNS topic. Your topic may not exist. " error message is displayed, i.e.

Error Message

the associated SNS topic is no longer available, therefore the selected CloudTrail trail will not be able to stream data for SNS notifications whenever new log files are delivered.

06 Repeat step no. 4 and 5 to identify other trails with inactive SNS topics, available in the selected region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list the names of all CloudTrail trails currently available within the selected AWS region: 

aws cloudtrail describe-trails
	--region us-east-1
	--output table
	--query 'trailList[*].Name'

02 The command output should return a table with the requested trail names: 

--------------------------
|     DescribeTrails     |
+------------------------+
|  CloudConformityTrail  |
|  GlobalAWSCloudTrail   |
+------------------------+

03 Run again describe-trails command (OSX/Linux/UNIX) using the name of the trail returned at the previous step and custom query filters to get the Amazon Resource Name (ARN) of the SNS topic associated with the selected trail: 

aws cloudtrail describe-trails
	--region us-east-1
	--trail-name-list CloudConformityTrail
	--query 'trailList[*].SnsTopicName'

04 The command output should return the ARN of the requested SNS topic: 

[
    "arn:aws:sns:us-east-1:123456789012:CloudTrailSNSTopic"
]

05 Run get-topic-attributes command (OSX/Linux/UNIX) using the ARN returned at the previous step to describe the configuration information for the selected SNS topic: 

aws sns get-topic-attributes
	--region us-east-1
	--topic-arn "arn:aws:sns:us-east-1:123456789012:CloudTrailSNSTopic"

06 The command output should return the requested topic metadata or an error message: 

An error occurred (NotFound) when calling the GetTopicAttributes operation: Topic does not exist

If the CLI command respond with an NotFound error message (as shown in the example above), the requested SNS topic has been deleted after the trail was created, therefore the selected CloudTrail trail will not be able to stream data to the missing SNS topic in order to receive notifications each time a new log file is published to the designated S3 bucket.

07 Repeat steps no. 3 - 6 to identify other trails with unavailable SNS topics, created within the selected region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the entire audit process for other regions.

Remediation / Resolution

To update any Amazon CloudTrail trails associated with missing SNS topics, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/

03 In the navigation panel, select Trails.

04 Choose the CloudTrail trail that you want to reconfigure (see Audit section part I to identify the right resource) then click on its identifier to access the configuration page.

05 On the selected trail configuration page, click the Edit icon:

Edit icon

available next to the Storage location section, to update the trail reference to the SNS topic.

06 Select Yes next to Create a new SNS topic and enter a name for your new topic inside the SNS topic box.

07 Click Save to create the SNS topic required and apply the appropriate permissions to receive notifications whenever trail log files are delivered to the required Amazon S3 bucket.

08 Now go to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

09 Choose Topics from the left navigation panel.

10 Select the SNS topic created at step no. 6, click the Actions dropdown menu from the dashboard top menu and select Subscribe to topic option.

11 In the Create subscription dialog box, select Email from the Protocol dropdown list and provide the email address where you can receive notifications within the Endpoint box.

12 Click Create Subscription to apply the new subscription to the selected SNS topic.

13 Use your email client application and open the message from AWS Notifications, then click on the appropriate link to confirm your subscription.

14 Repeat steps no. 4 – 13 to reconfigure other CloudTrail trails with missing SNS topics, available in the current region.

15 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 First, run create-topic command (OSX/Linux/UNIX) to create a new AWS SNS topic for sending notifications: 

aws sns create-topic
	--region us-east-1
	--name NewCloudTrailSNSTopic

02 The command output should return the newly created SNS topic ARN: 

{
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:NewCloudTrailSNSTopic"
}

03 Run subscribe command (OSX/Linux/UNIX) to subscribe to the SNS topic created at the previous step using email as subscription protocol: 

aws sns subscribe
	--region us-east-1
	--topic-arn arn:aws:sns:us-east-1:123456789012:NewCloudTrailSNSTopic
	--protocol email
	--notification-endpoint audit@cloudconformity.com

04 The command output should return the "pending confirmation" status: 

{
    "SubscriptionArn": "pending confirmation"
}

05 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the subscription by validating the token sent to the notification endpoint (email address) selected at the previous step (the command does not return an output): 

aws sns confirm-subscription
	--region us-east-1
	--topic-arn arn:aws:sns:us-east-1:123456789012:NewCloudTrailSNSTopic
	--token 8433392f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bc855d3c217426bcafa9c501a2cace93b83f1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded6f9a5c43aec62d83ef5f49109da715401

06 Run update-trail command (OSX/Linux/UNIX) using the name of the trail that you want to update (see Audit section part II to identify the right CloudTrail resource) to reconfigure the trail by attaching the new SNS topic created at step no. 1: 

aws cloudtrail update-trail
	--region us-east-1
	--name CloudConformityTrail
	--sns-topic-name NewCloudTrailSNSTopic

07 The command output should return the selected trail updated configuration details: 

{
    "IncludeGlobalServiceEvents": true,
    "Name": "CloudConformityTrail",
    "LogFileValidationEnabled": true,

    ...

    "IsMultiRegionTrail": true,
    "S3BucketName": "cc-trail-bucket",
    "SnsTopicName": "NewCloudTrailSNSTopics"
}

08 Repeat steps no. 1 – 7 to reconfigure other Amazon CloudTrail trails with missing SNS topics, available in the current region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the entire process for other regions.

References

Publication date Apr 24, 2016

Related CloudTrail rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

AWS CloudTrail Referencing Missing SNS Topic

Risk level: Medium