AWS Cloudtrail

CloudTrail Management Events Disabled

This plugin ensures that management events are logged in the AWS CloudTrail trail.

Risk Level: MEDIUM

Description:

This plugin ensures that management events are logged in the AWS CloudTrail trail. Each AWS CloudTrail trail should be configured to log management events so that management actions on your AWS account's resources are tracked.

Recommended Actions: Update the CloudTrail trail to enable management event logging.

About the Service:

AWS CloudTrail is an AWS service that supports governance, compliance, operational auditing, and risk auditing of your AWS account. In CloudTrail, actions taken by a user, role, or AWS service are recorded as events. Actions taken in the AWS Management Console, the AWS Command Line Interface, and the AWS SDKs and APIs are all recorded as events.

Impact: 

To record essential actions such as EC2 RunInstances, DescribeInstances, TerminateInstances, and Console Login, make sure all of your AWS CloudTrail trails are configured to record management events (that is, all events that are not data events).

Steps to reproduce:

  1. Sign in to your AWS Management Console.
  2. Navigate to the CloudTrail dashboard at: https://console.aws.amazon.com/cloudtrail/
  3. On the left panel, select Trails.
  4. Look for the trail you want to examine.
  5. Scroll down to the Management events panel and check the value of the Read/Write events attribute.
  6. If the attribute's current value is set to None, management events are not included in the logging configuration of the selected Amazon CloudTrail trail.
  7. Repeat steps 4 to 6 to identify other trails that are not logging management events, in the current region as well as in other AWS regions.

Steps for remediation:

  1. Sign in to your AWS Management Console.
  2. Navigate to the CloudTrail dashboard at: https://console.aws.amazon.com/cloudtrail/
  3. On the left panel, select Trails.
  4. Look for the trail you want to edit.
  5. Scroll down to the Management events panel and click Edit.
  6. In the Read/Write events settings:
    1. Choose the Read-only option to log read API operations.
    2. Choose the Write-only option to log create, update, and delete API operations.
    3. Choose the All option (recommended) to log both read and write API operations.
  7. Click Save changes.
  8. Repeat steps 4 to 7 to edit other trails that are not logging management events, in the current region as well as in other AWS regions.
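The same check (steps 5 and 6 of the reproduction procedure) and the recommended remediation, scripted against the CloudTrail API as an added example; this is not part of the plugin's own code. It relies on the real boto3 calls get_event_selectors, put_event_selectors and describe_trails; the function names and the sample responses are constructed for this example.

```python
"""Offline check for the CloudTrail "Management Events Disabled" finding.
The dict shapes mirror boto3's CloudTrail get_event_selectors() response;
the SAMPLE_* responses are constructed for this example only."""


def management_events_disabled(selectors: dict) -> bool:
    """Return True when a trail's event selectors log no management events.

    Trails using advanced event selectors return an AdvancedEventSelectors
    list; older trails return EventSelectors with an IncludeManagementEvents
    flag (the console's "Read/Write events: None" is that flag set to False).
    """
    for sel in selectors.get("AdvancedEventSelectors") or []:
        for fs in sel.get("FieldSelectors", []):
            if fs.get("Field") == "eventCategory" and "Management" in fs.get("Equals", []):
                return False
    if selectors.get("AdvancedEventSelectors"):
        return True  # advanced selectors present, but none of them covers Management
    classic = selectors.get("EventSelectors") or []
    return not any(sel.get("IncludeManagementEvents", False) for sel in classic)


def remediate(client, trail_name: str) -> None:
    """Apply the recommended fix: log All (read and write) management events."""
    client.put_event_selectors(
        TrailName=trail_name,
        EventSelectors=[{"ReadWriteType": "All", "IncludeManagementEvents": True}],
    )


def audit_region(client) -> list:
    """Return names of trails in the client's region that log no management events."""
    findings = []
    for trail in client.describe_trails(includeShadowTrails=False)["trailList"]:
        if management_events_disabled(client.get_event_selectors(TrailName=trail["TrailARN"])):
            findings.append(trail["Name"])
    return findings


# Constructed sample responses (not taken from a real account).
SAMPLE_CLASSIC_NONE = {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": False}]}
SAMPLE_CLASSIC_ALL = {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]}
SAMPLE_ADVANCED_DATA_ONLY = {"AdvancedEventSelectors": [{"Name": "S3 objects only", "FieldSelectors": [
    {"Field": "eventCategory", "Equals": ["Data"]}, {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]}]}
SAMPLE_ADVANCED_MGMT = {"AdvancedEventSelectors": [{"Name": "Management", "FieldSelectors": [
    {"Field": "eventCategory", "Equals": ["Management"]}]}]}
```

To cover the "other AWS regions" step, call audit_region once per region with `boto3.client("cloudtrail", region_name=...)`, and pass each flagged trail to remediate.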

References: