CloudTrail trails should be configured to log management events

Description

Management events provide visibility into management operations that are performed on resources in your AWS account. Management events can also include non-API events that occur in your account. For example, when a user logs in to your account, CloudTrail logs the ConsoleLogin event. CloudTrail logging enables security analysis, resource change tracking, and compliance auditing.

Remediation Steps

AWS Console

  • Navigate to CloudTrail.

  • In the left pane, select Trails.

  • Select the noncompliant trail.

  • Under Management Events, select Edit.

  • Under Event type, select Management Events.

  • Under Management Events, select Read and/or Write.

  • Select Save Changes.

AWS CLI

  • Be aware that the command that configures management event logging overwrites the trail's current data event settings. Before changing the trail, check its current settings, replacing MYTRAILNAME with your trail name:

    • aws cloudtrail get-event-selectors --trail-name MYTRAILNAME

  • Copy the DataResources portion of the output. It’ll look something like this: "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::MYBUCKETNAME1/prefix", "arn:aws:s3:::MYBUCKETNAME2/prefix2"] }]

  • To configure a trail to log management events (and retain your current data event settings), replace MYTRAILNAME with your trail name and change the values in DataResources to the output you copied from the previous command:

    • aws cloudtrail put-event-selectors --trail-name MYTRAILNAME --event-selectors '[{ "ReadWriteType": "All", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::MYBUCKETNAME1/prefix", "arn:aws:s3:::MYBUCKETNAME2/prefix2"] }] }]'
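
The three CLI steps above, automated as an added Python example that is not part of this page or of the AWS tooling: it takes a get-event-selectors response, checks whether management events are logged, and builds the put-event-selectors payload that turns them on while keeping the existing ReadWriteType and DataResources. The sample response, trail name and bucket ARNs are constructed; the script deliberately refuses to touch a trail that uses AdvancedEventSelectors, since writing basic selectors would replace them.

```python
import json

# Constructed sample of an `aws cloudtrail get-event-selectors` response for a
# trail that logs only S3 data events, so management events are switched off.
SAMPLE_GET_EVENT_SELECTORS = {
    "TrailARN": "arn:aws:cloudtrail:us-east-2:000000000000:trail/MYTRAILNAME",
    "EventSelectors": [{
        "ReadWriteType": "All",
        "IncludeManagementEvents": False,
        "DataResources": [{
            "Type": "AWS::S3::Object",
            "Values": ["arn:aws:s3:::MYBUCKETNAME1/prefix",
                       "arn:aws:s3:::MYBUCKETNAME2/prefix2"],
        }],
    }],
}

def logs_management_events(response):
    """Compliance check: at least one event selector includes management events."""
    return any(sel.get("IncludeManagementEvents", False)
               for sel in response.get("EventSelectors", []))

def build_compliant_selectors(response):
    """Return the selectors to pass to put-event-selectors: management events
    on, with every existing ReadWriteType and DataResources entry preserved."""
    if response.get("AdvancedEventSelectors"):
        # A trail uses basic or advanced selectors, not both; do not clobber them.
        raise ValueError("trail uses advanced event selectors; edit those instead")
    selectors = response.get("EventSelectors") or [{"ReadWriteType": "All"}]
    fixed = []
    for sel in selectors:
        new_sel = {
            "ReadWriteType": sel.get("ReadWriteType", "All"),
            "IncludeManagementEvents": True,
            "DataResources": sel.get("DataResources", []),
        }
        if "ExcludeManagementEventSources" in sel:
            new_sel["ExcludeManagementEventSources"] = sel["ExcludeManagementEventSources"]
        fixed.append(new_sel)
    return fixed

def cli_command(trail_name, selectors):
    """Render the equivalent aws cloudtrail put-event-selectors command."""
    return ("aws cloudtrail put-event-selectors --trail-name %s --event-selectors '%s'"
            % (trail_name, json.dumps(selectors)))

if __name__ == "__main__":
    if not logs_management_events(SAMPLE_GET_EVENT_SELECTORS):
        print(cli_command("MYTRAILNAME", build_compliant_selectors(SAMPLE_GET_EVENT_SELECTORS)))
```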

CloudFormation

JSON

{
  "Properties": {
    "EventSelectors": [{
      "IncludeManagementEvents": true
    }]
  }
}

JSON Example Configuration

{
  "Type": "AWS::CloudTrail::Trail",
  "Properties": {
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-2:000000000000:log-group:megabank-prod",
    "IsLogging": true,
    "EventSelectors": [
      {
        "IncludeManagementEvents": true
      }
    ],
    "S3BucketName": "yourbucketname"
    # other required fields here
  }
}

YAML

Properties:
  EventSelectors:
  - IncludeManagementEvents: true

YAML Example Configuration

Type: AWS::CloudTrail::Trail
Properties:
  CloudWatchLogsLogGroupArn: arn:aws:logs:us-east-2:000000000000:log-group:megabank-prod
  IsLogging: true
  EventSelectors:
  - IncludeManagementEvents: true
  S3BucketName: yourbucketname
  # other required fields here

Terraform

  • Ensure that the aws_cloudtrail resource has an event_selector block with the include_management_events field set to true.

Example Configuration

resource "aws_cloudtrail" "example" {
  event_selector {
    include_management_events = true
  }
  # other required fields here
}