AWS Cloudtrail

CloudTrail Global Services Logging Duplicated

This plugin prevents AWS CloudTrail trails in log files from repeating global services events

Risk Level: MEDIUM

Description:

This plugin prevents AWS CloudTrail trails in log files from repeating global services events. To avoid duplication of global services events in log files, only one trail should have the Include Global Services option enabled.


Recommended Action: Update CloudTrail trail to log global services events enabled for only one trail.

About the Service :

AWS CloudTrail is an AWS service that allows you to manage your AWS account's governance, compliance, operational, and risk auditing. In CloudTrail, actions done by a user, role, or AWS service are recorded as events. Actions made in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs are all considered events.

Impact: 

Having multiple single-region trails in your AWS account can lead to duplicate logging of events since all the single-regions trails will log the event  in the Cloudtrail aggregated log

 

Steps to reproduce ( Using AWS CLI ):

  1. To list all Amazon CloudTrail trails accessible in the given AWS region, use the describe-trails command on the command prompt:
     " aws cloudtrail describe-trails ".
  2. The configuration information of all the trails in the specified region will be shown.
  3. Check the value of the IncludeGlobalServiceEvents attribute.
  4. If its value is set to “true”, the selected Amazon CloudTrail trail is recording global service events within the selected AWS region.
  5. Change the aws region using the --region command and repeat steps no. 1-3  for other regions with active trails enabled.
  6. If the value of  IncludeGlobalServiceEvents is true for more than one single-region trail in your AWS account then the global events recorded are being duplicated in the Cloudtrail aggregated logs.

Steps for remediation :

  1. Run update-trail command using the name of the trail you want to reconfigure, specifying name of its home region as follows:
     " aws cloudtrail update-trail --name <name_of_trail>  --region us-east-1 --no-include-global-service-events --no-is-multi-region-trail "
  2. Following output should be presented as per request:
  3. Change the aws region using the --region command and repeat steps no. 1 and 2  for other regions with active trails enabled.
  4. Make sure that one and only one single-region trail records the global service events in order to avoid any duplicate entries in the Cloudtrail aggregated logs.

References: