CloudTrail trails should be configured to log management events

Description

Management events provide visibility into management operations that are performed on resources in your AWS account. Management events can also include non-API events that occur in your account. For example, when a user logs in to your account, CloudTrail logs the ConsoleLogin event. CloudTrail logging enables security analysis, resource change tracking, and compliance auditing.

Console Remediation Steps

  • Navigate to CloudTrail.

  • In the left pane, select Trails.

  • Select the noncompliant trail.

  • Under Management Events, select Edit.

  • Under Event type, select Management Events.

  • Under Management Events, select both Read and Write, so that read-only API calls (Describe*, List*, Get*) are logged as well as changes. This matches the ReadWriteType of All used in the CLI steps below.

  • Select Save Changes.

CLI Remediation Steps

  • Be aware that put-event-selectors replaces the trail's entire event selector configuration, so running it with only management event settings will drop your current data event settings. If the trail uses advanced event selectors (they appear as AdvancedEventSelectors in the output), they are replaced as well, because a trail can have basic event selectors or advanced event selectors but not both. Before configuring the trail, check your settings first, replacing MYTRAILNAME with your trail name:

    • aws cloudtrail get-event-selectors --trail-name MYTRAILNAME

  • Copy the DataResources portion of the output. It’ll look something like this: "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::MYBUCKETNAME1/prefix", "arn:aws:s3:::MYBUCKETNAME2/prefix2"] }]. If the trail logs no data events, the list is empty and you pass "DataResources": [] in the next step.

  • To configure a trail to log management events (and retain your current data event settings), replace MYTRAILNAME with your trail name and change the values in DataResources to the output you copied from the previous command:

    • aws cloudtrail put-event-selectors --trail-name MYTRAILNAME --event-selectors '[{ "ReadWriteType": "All", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::MYBUCKETNAME1/prefix", "arn:aws:s3:::MYBUCKETNAME2/prefix2"] }] }]'
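The CLI steps above can be automated so that the existing DataResources are never retyped by hand. The following is an added example, not code from the original page or from AWS: it takes the JSON that get-event-selectors returns, decides whether the trail already logs management events, and builds the replacement event selectors (management events on, ReadWriteType All, every existing DataResources entry kept) together with the exact put-event-selectors command. The sample get-event-selectors output, the trail name MYTRAILNAME, the account ID and the bucket ARNs are constructed for the example; the remediate() helper that applies the change through boto3 is shown but not exercised offline.

```python
"""Check and repair a CloudTrail trail's management-event logging while
preserving its existing data-event selectors (added example, not AWS code)."""
import json

# Constructed sample of `aws cloudtrail get-event-selectors --trail-name MYTRAILNAME`
# for a noncompliant trail: it logs S3 data events only, with management events off.
SAMPLE_GET_OUTPUT = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/MYTRAILNAME",
    "EventSelectors": [
        {
            "ReadWriteType": "WriteOnly",
            "IncludeManagementEvents": False,
            "DataResources": [
                {
                    "Type": "AWS::S3::Object",
                    "Values": [
                        "arn:aws:s3:::MYBUCKETNAME1/prefix",
                        "arn:aws:s3:::MYBUCKETNAME2/prefix2",
                    ],
                }
            ],
            "ExcludeManagementEventSources": [],
        }
    ],
}


def management_events_logged(get_output):
    """True if any basic event selector includes management events."""
    return any(sel.get("IncludeManagementEvents", False)
               for sel in get_output.get("EventSelectors", []))


def put_would_replace_advanced_selectors(get_output):
    """A trail has either EventSelectors or AdvancedEventSelectors; calling
    put-event-selectors with --event-selectors discards the advanced ones."""
    return bool(get_output.get("AdvancedEventSelectors"))


def build_event_selectors(get_output):
    """Return the EventSelectors list for put-event-selectors: management events
    on for reads and writes, with every existing DataResources entry retained.

    Assumption: the trail uses one basic event selector, as on the page. If it
    has several, their DataResources are merged into a single selector with
    ReadWriteType All, which widens data-event logging to both reads and writes.
    """
    if put_would_replace_advanced_selectors(get_output):
        raise ValueError("trail uses AdvancedEventSelectors; convert them "
                         "instead of overwriting with basic event selectors")
    data_resources = []
    for sel in get_output.get("EventSelectors", []):
        data_resources.extend(sel.get("DataResources", []))
    return [{
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": data_resources,   # [] when the trail logs no data events
    }]


def cli_command(trail_name, get_output):
    """The exact put-event-selectors command the CLI steps describe."""
    selectors = json.dumps(build_event_selectors(get_output), separators=(",", ":"))
    return (f"aws cloudtrail put-event-selectors --trail-name {trail_name} "
            f"--event-selectors '{selectors}'")


def remediate(trail_name, client):
    """Apply the fix with a boto3 CloudTrail client, e.g.
    remediate("MYTRAILNAME", boto3.client("cloudtrail")). Not run offline."""
    current = client.get_event_selectors(TrailName=trail_name)
    if management_events_logged(current):
        return current["EventSelectors"]           # already compliant; nothing to overwrite
    resp = client.put_event_selectors(TrailName=trail_name,
                                      EventSelectors=build_event_selectors(current))
    return resp["EventSelectors"]


if __name__ == "__main__":
    print("compliant before:", management_events_logged(SAMPLE_GET_OUTPUT))
    print(cli_command("MYTRAILNAME", SAMPLE_GET_OUTPUT))
```

Run it with no arguments to see the generated command for the sample trail; to check a real trail, feed it the parsed output of get-event-selectors or call remediate() with a boto3 client that has cloudtrail:GetEventSelectors and cloudtrail:PutEventSelectors permissions.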