Amazon CloudTrail trail logs should be delivered to a destination S3 bucket
Risk Level: High
Description:
The Amazon CloudTrail trail log files are transferred to the destination S3 bucket using this plugin. To be used for security audits, Amazon CloudTrail trail logs should be delivered to a destination S3 bucket.
Recommended Action: Modify CloudTrail trail configurations so that logs are being delivered.
About the Service :
AWS CloudTrail is an AWS service that allows you to manage your AWS account's governance, compliance, operational, and risk auditing. In CloudTrail, actions done by a user, role, or AWS service are recorded as events. Actions made in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs are all considered events.
Impact:
When your Amazon CloudTrail trails fail to deliver log files to their intended recipients due to delivery failures or misconfigurations (typically involving your access controls), the logging data collected by these trails cannot be preserved and used for future security audits.
To maintain CloudTrail logging data for security and compliance audits, make sure the log files generated by your AWS CloudTrail trails are distributed to designated recipients without fail.
Steps to reproduce :
- Sign in to your AWS management console.
- Navigate to the CloudTrail dashboard at: https://console.aws.amazon.com/cloudtrail/
- On the left panel, select Trails.
- Click on the trail you want to examine.
- Check the value of the Last log file delivered attribute in the Storage location section (date). The selected AWS CloudTrail trail failed to deliver the last log file to the designated S3 bucket if the value has not been updated recently and a warning sign is displayed next to the attribute.
- Repeat steps no. 4 and 5 to identify other trails that failed to deliver their log files, available in the selected region as well as in other regions.
Steps for remediation :
- Sign in to your AWS management console.
- Navigate to the CloudTrail dashboard at: https://console.aws.amazon.com/cloudtrail/
- On the left panel, select Trails.
- Click on the trail you want to examine.
- To create a new S3 bucket and associate the trail with it, go to the selected trail configuration page and click the Edit icon next to the Storage location section.
- Select Yes next to Create a new S3 bucket and give the new bucket a unique name in the S3 bucket box. (Optional) In the Log file prefix box, you can also select a prefix for the log files.
- To save your changes, click Save. AWS CloudTrail will begin delivering log files to this new S3 bucket after it has been established and configured, and the Last log file delivered attribute value set for the selected trail will be updated.
- Repeat steps no. 4 – 7 to reconfigure other CloudTrail trails that failed to deliver the necessary log files, available in the current region as well as in other regions.
References:
- https://aws.amazon.com/cloudtrail/faqs/
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html