This plugin makes sure CloudTrail is set up to track global API requests
Risk Level: MEDIUM
Description:
This plugin makes sure CloudTrail is set up to track global API requests.
Recommended Action: Enable CloudTrail for all regions and ensure that at least one region monitors global service events and API events.
About the Service:
AWS CloudTrail is an AWS service that supports governance, compliance, operational auditing, and risk auditing of your AWS account. CloudTrail records actions taken by a user, role, or AWS service as events. Actions performed through the AWS Management Console, the AWS Command Line Interface, and the AWS SDKs and APIs are all recorded as events.
Impact:
Turning on API activity monitoring for global services such as IAM, STS, and CloudFront, which are not tied to a single region, gives you complete visibility into API activity across all of your AWS services, including actions that a single-region trail would otherwise miss.
Steps to reproduce:
- Sign in to your AWS Management Console.
- Navigate to the CloudTrail dashboard at: https://console.aws.amazon.com/cloudtrail/
- On the left panel, select Trails.
- Look for the trail you want to examine.
- Click on it and scroll down to the Management events panel and check for the status of API activity.
- If the status is set to Disabled, the selected trail is not currently recording API calls for global services such as IAM, STS, or AWS CloudFront.
Steps for remediation:
- Sign in to your AWS Management Console.
- Navigate to the CloudTrail dashboard at: https://console.aws.amazon.com/cloudtrail/
- On the left panel, select Trails.
- Look for the trail you want to examine.
- Click on it and scroll down to the Management events panel and click on Edit.
- Apply the following changes:
- Click Save changes to apply new settings.
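As an added example (not part of this plugin or its project), the following Python script applies the same test programmatically to the trail records returned by the CloudTrail DescribeTrails API: it passes when at least one trail is multi-region and includes global service events. The sample trail records and their names are constructed; the live fetch assumes boto3 is installed and AWS credentials are configured.

```python
# Added example: evaluate CloudTrail trails for global service event coverage.
# Not the plugin's own code; the trail records below are constructed samples.
from typing import Dict, List

# Constructed sample in the shape of `trailList` from `aws cloudtrail describe-trails`.
SAMPLE_TRAILS: List[Dict] = [
    {"Name": "org-trail", "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True},
    {"Name": "regional-only", "HomeRegion": "eu-west-1",
     "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": False},
    {"Name": "global-but-single-region", "HomeRegion": "us-west-2",
     "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True},
]


def trail_covers_global_events(trail: Dict) -> bool:
    """A trail satisfies the check only when it records global service events
    (IAM, STS, CloudFront) AND spans all regions, matching the recommended action."""
    return bool(trail.get("IncludeGlobalServiceEvents")) and bool(trail.get("IsMultiRegionTrail"))


def evaluate_trails(trails: List[Dict]) -> Dict:
    """Return PASS when at least one trail covers global events, otherwise FAIL,
    together with the names of trails that would need remediation."""
    compliant = [t["Name"] for t in trails if trail_covers_global_events(t)]
    noncompliant = [t["Name"] for t in trails if not trail_covers_global_events(t)]
    return {"status": "PASS" if compliant else "FAIL",
            "compliant": compliant, "noncompliant": noncompliant}


def fetch_trails() -> List[Dict]:
    """Live variant (assumption: boto3 installed and credentials configured).
    The import is local so the offline evaluation above works without boto3."""
    import boto3
    return boto3.client("cloudtrail").describe_trails(includeShadowTrails=False)["trailList"]


if __name__ == "__main__":
    result = evaluate_trails(SAMPLE_TRAILS)
    print(result)
    # CLI equivalent of the console remediation steps for each flagged trail.
    for name in result["noncompliant"]:
        print(f"aws cloudtrail update-trail --name {name} "
              "--is-multi-region-trail --include-global-service-events")
```

Replace `SAMPLE_TRAILS` with `fetch_trails()` to run the check against a real account.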
References: