π‘οΈ AWS CloudTrail Configuration Changes Monitoring is not enabledπ’βͺ
- Contextual name: π‘οΈ Configuration Changes Monitoring is not enabledπ’βͺ
- ID:
/ce/ca/aws/cloudtrail/configuration-changes-monitoring - Tags:
- βͺ Impossible policy
- π’ Policy with categories
- π’ Policy with type
- Policy Type:
COMPLIANCE_POLICY - Policy Categories:
SECURITY
Similar Policiesβ
- Cloud Conformity: CloudTrail Changes Alarm
- Internal:
dec-x-b1028741
Similar Internal Rulesβ
| Rule | Policies | Flags |
|---|---|---|
| βοΈ dec-x-b1028741 | 1 |
Descriptionβ
Descriptionβ
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, where metric filters and alarms can be established.
It is recommended that a metric filter and alarm be utilized for detecting changes to CloudTrail's configurations.
Rationaleβ
CloudWatch is an AWS native service that allows you to observe and monitor resources and applications. CloudTrail logs can also be sent to an external Security Information and Event Management (SIEM) environment for monitoring and alerting.
Monitoring changes to CloudTrail's configuration will help ensure sustained visibility into the activities performed in the AWS account.
Impactβ
Ensuring that changes to CloudTrail configurations are monitored enhances security by maintaining the integrity of logging mechanisms. Automated monitoring can provide real-time alerts; however, it may require additional setup and resources to configure and manage these alerts effectively. These steps can be performed manually within a
... see more
Remediationβ
Remediationβ
If you are using CloudTrails and CloudWatch, perform the following to setup the metric filter, alarm, SNS topic, and subscription:
- Create a metric filter based on filter pattern provided which checks for cloudtrail configuration changes and the
<cloudtrail_log_group_name>taken from audit step 1:aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name <cloudtrail_cfg_changes_metric> --metric-transformations metricName=<cloudtrail_cfg_changes_metric>, metricNamespace='CISBenchmark', metricValue=1 --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }'Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
- Create an SNS topic that the alarm will notify:
aws sns create-topic --name <sns_topic_name>Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
... see more