CloudTrail trails should be configured to log management events
Description
Management events provide visibility into management operations that are performed on resources in your AWS account. Management events can also include non-API events that occur in your account. For example, when a user logs in to your account, CloudTrail logs the ConsoleLogin event. CloudTrail logging enables security analysis, resource change tracking, and compliance auditing.
Remediation Steps
AWS Console
Navigate to CloudTrail.
In the left pane, select Trails.
Select the noncompliant trail.
Under Management Events, select Edit.
Under Event type, select Management Events.
Under Management Events, select Read and/or Write.
Select Save Changes.
AWS CLI
Be aware that the command that enables management event logging overwrites the trail's current data event settings. Before configuring the trail, check its existing settings, replacing MYTRAILNAME with your trail name:
aws cloudtrail get-event-selectors --trail-name MYTRAILNAME
Copy the DataResources portion of the output. It will look something like this:
"DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::MYBUCKETNAME1/prefix", "arn:aws:s3:::MYBUCKETNAME2/prefix2"] }]
To configure the trail to log management events (and retain your current data event settings), replace MYTRAILNAME with your trail name and change the values in DataResources to the output you copied from the previous command:
aws cloudtrail put-event-selectors --trail-name MYTRAILNAME --event-selectors '[{ "ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::MYBUCKETNAME1/prefix", "arn:aws:s3:::MYBUCKETNAME2/prefix2"] }] }]'
CloudFormation
JSON
Ensure that AWS::CloudTrail::Trail contains the following:
{
  "Properties": {
    "EventSelectors": [{
      "IncludeManagementEvents": true
    }]
  }
}
JSON Example Configuration
{
  "Type": "AWS::CloudTrail::Trail",
  "Properties": {
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-2:000000000000:log-group:megabank-prod",
    "IsLogging": true,
    "EventSelectors": [
      {
        "IncludeManagementEvents": true
      }
    ],
    "S3BucketName": "yourbucketname"
    # other required fields here
  }
}
YAML
Ensure that AWS::CloudTrail::Trail contains the following:
Properties:
  EventSelectors:
    - IncludeManagementEvents: true
YAML Example Configuration
Type: AWS::CloudTrail::Trail
Properties:
  CloudWatchLogsLogGroupArn: arn:aws:logs:us-east-2:000000000000:log-group:megabank-prod
  IsLogging: true
  EventSelectors:
    - IncludeManagementEvents: true
  S3BucketName: yourbucketname
  # other required fields here
Terraform
Ensure that the aws_cloudtrail resource has an event_selector block with the include_management_events field set to "true".
Example Configuration
resource "aws_cloudtrail" "example" {
  event_selector {
    include_management_events = true
  }
  # other required fields here
}