Ensure there is a CloudWatch alarm created in your AWS account that is triggered each time a configuration change is made at the CloudTrail service level. The alarm must fire when an API call is made to create, update or delete an AWS CloudTrail trail or when the logging process defined by a trail is stopped or started.
This rule can help you with the following compliance standards:
- The Center of Internet Security AWS Foundations Benchmark
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
Using CloudWatch alarms to detect AWS CloudTrail config changes can help you to maintain the integrity of the service configuration and prevent AWS users from covering their tracks after performing unauthorized actions within your AWS account.
Note 1: For this rule Cloud Conformity assumes that the CloudTrail service is already enabled to stream event log data to CloudWatch Logs in your AWS account; otherwise, see the rule that enables the AWS CloudTrail – CloudWatch integration first.
Note 2: You can specify a custom name for the alarm using the rule configuration settings available on Cloud Conformity dashboard. Otherwise, the default name used for this rule will be “CloudTrail Changes”.
To determine if you have any CloudWatch alarms that are currently monitoring AWS CloudTrail configuration changes, perform the following:
Remediation / Resolution
Step 1: Create a Simple Notification Service (SNS) topic and the necessary subscriptions to send notifications whenever the CloudWatch alarm is triggered.
Step 2: Create AWS CloudWatch metric filter and the required alarm that will send SNS notifications whenever an AWS CloudTrail configuration change is being made.
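The following is an added example (not Cloud Conformity's own code or the AWS documentation's) covering Steps 1 and 2 together. It builds the CloudWatch Logs metric filter pattern in the CIS Benchmark style from the five CloudTrail API names that change a trail or its logging state (CreateTrail, UpdateTrail, DeleteTrail, StartLogging, StopLogging, which are real API names), runs the same matching logic locally over constructed sample CloudTrail records so you can see which events would increment the metric, and emits the CloudFormation resources for the SNS topic, metric filter and alarm. The log group name, notification e-mail address, metric name and namespace are assumed placeholder values, not taken from the page.

```python
# Added example; not Cloud Conformity's own code. Models the CIS-style CloudWatch Logs
# metric filter for CloudTrail configuration changes, checks constructed CloudTrail
# records against it, and emits CloudFormation resources for the SNS topic, filter and alarm.
import json

# CloudTrail API names that change trail configuration or its logging state (real API names).
WATCHED_EVENTS = ("CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging")

# The same set expressed in CloudWatch Logs filter-pattern syntax.
FILTER_PATTERN = "{ " + " || ".join(f"($.eventName = {name})" for name in WATCHED_EVENTS) + " }"


def is_cloudtrail_config_change(event):
    """Local equivalent of FILTER_PATTERN: True when a record would increment the metric."""
    return event.get("eventName") in WATCHED_EVENTS


def scan_log_lines(lines):
    """Parse CloudWatch Logs lines (one JSON CloudTrail record each) and return the matching
    events as (eventName, userName) tuples. Malformed lines are skipped, as the filter skips them."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_cloudtrail_config_change(event):
            user = event.get("userIdentity", {}).get("userName", "unknown")
            hits.append((event["eventName"], user))
    return hits


def build_resources(log_group, alarm_name="CloudTrail Changes", email="alerts@example.com",
                    metric_name="CloudTrailEventCount", namespace="CloudTrailMetrics"):
    """Return CloudFormation resources for remediation Steps 1 and 2. The log group, e-mail
    address, metric name and namespace are assumed placeholder values, not from the page."""
    return {
        # Step 1: SNS topic with an e-mail subscription that receives the alarm notifications.
        "AlarmTopic": {
            "Type": "AWS::SNS::Topic",
            "Properties": {"Subscription": [{"Endpoint": email, "Protocol": "email"}]},
        },
        # Step 2a: metric filter that counts matching CloudTrail records in the log group.
        "CloudTrailChangesFilter": {
            "Type": "AWS::Logs::MetricFilter",
            "Properties": {
                "LogGroupName": log_group,
                "FilterPattern": FILTER_PATTERN,
                "MetricTransformations": [
                    {"MetricName": metric_name, "MetricNamespace": namespace, "MetricValue": "1"}
                ],
            },
        },
        # Step 2b: alarm that fires on the first matching event in any 5-minute period.
        "CloudTrailChangesAlarm": {
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmName": alarm_name,
                "Namespace": namespace,
                "MetricName": metric_name,
                "Statistic": "Sum",
                "Period": 300,
                "EvaluationPeriods": 1,
                "Threshold": 1,
                "ComparisonOperator": "GreaterThanOrEqualToThreshold",
                "AlarmActions": [{"Ref": "AlarmTopic"}],
            },
        },
    }


# Constructed sample CloudTrail records (not real account data): two configuration changes,
# one read-only call that must not alarm, and one malformed line.
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
                "userIdentity": {"userName": "alice"}}),
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
                "userIdentity": {"userName": "bob"}}),
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
                "userIdentity": {"userName": "alice"}}),
    "not json at all",
]

if __name__ == "__main__":
    print(FILTER_PATTERN)
    print(scan_log_lines(SAMPLE_LOG_LINES))
    print(json.dumps({"Resources": build_resources("CloudTrail/DefaultLogGroup")}, indent=2))
```

Running the script prints the filter pattern, the two matching events (StopLogging and DeleteTrail by alice; DescribeTrails is read-only and does not count), and a `Resources` section you can drop into a CloudFormation template. The alarm uses `Sum` over a 300-second period with a threshold of 1 so that a single change event is enough to notify; the e-mail subscription must be confirmed from the recipient's mailbox before SNS delivers to it.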
- AWS Documentation
- Amazon CloudWatch Concepts
- Creating CloudWatch Alarms for CloudTrail Events: Examples
- Sending CloudTrail Events to CloudWatch Logs
- Create a Topic
- Subscribe to a Topic
CloudTrail Changes Alarm
Risk level: Medium