AWS Cloudtrail

CloudTrail Not Logging Global API Calls

This plugin makes sure CloudTrail is set up to track global API requests

Risk Level: MEDIUM

Description:

This plugin checks that CloudTrail is configured to record API activity for global services (IAM, STS, CloudFront), which are not tied to any single region and are therefore missed by a trail that only logs regional events.


Recommended Action: Enable CloudTrail for all regions and ensure that at least one region monitors global service events and API events.

About the Service:

AWS CloudTrail is an AWS service that allows you to manage your AWS account's governance, compliance, operational, and risk auditing. In CloudTrail, actions done by a user, role, or AWS service are recorded as events. Actions made in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs are all considered events.

Impact:

Turning on API activity monitoring for global services such as IAM, STS, and CloudFront, which are not region-specific, gives you complete visibility into API activity across all of your AWS services; without it, calls to these services leave no record in any region's trail.

Steps to reproduce:

  1. Sign in to your AWS Management Console.
  2. Navigate to the CloudTrail dashboard at: https://console.aws.amazon.com/cloudtrail/
  3. On the left panel, select Trails.
  4. Look for the trail you want to examine.
  5. Click on it and scroll down to the Management events panel and check for the status of API activity.
  6. If the status is set to disabled, the selected trail is not currently recording API calls for global services such as IAM, STS or AWS CloudFront.
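The same check can be run programmatically instead of through the console. The following is an added example, not part of the plugin itself: it evaluates trail records shaped like the CloudTrail DescribeTrails and GetTrailStatus responses, flags trails that are stopped, single-region, or not recording global service events, and fails when no active trail covers global services. The `SAMPLE_TRAILS` data is constructed, and `collect_live_trails` assumes boto3 is installed with working AWS credentials.

```python
def evaluate_global_event_coverage(trails):
    """Return (passing, findings) for trail records carrying the
    DescribeTrails fields Name/HomeRegion/IsMultiRegionTrail/
    IncludeGlobalServiceEvents plus IsLogging from GetTrailStatus."""
    findings = []
    global_covered = False
    for t in trails:
        name = t.get("Name", t.get("TrailARN", "<unnamed>"))
        if not t.get("IsLogging", False):
            findings.append(f"{name}: trail exists but logging is stopped")
            continue  # a stopped trail contributes no coverage at all
        if t.get("IncludeGlobalServiceEvents", False):
            global_covered = True  # at least one trail covers IAM/STS/CloudFront
        else:
            findings.append(f"{name}: not recording global service events")
        if not t.get("IsMultiRegionTrail", False):
            findings.append(f"{name}: single-region trail in {t.get('HomeRegion', '?')}")
    if not trails:
        findings.append("no trails configured: no API activity is recorded")
    if not global_covered:
        findings.append("FAIL: no active trail records global service events")
    return global_covered, findings

# Constructed sample shaped like DescribeTrails + GetTrailStatus output
SAMPLE_TRAILS = [
    {"Name": "ops-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "IncludeGlobalServiceEvents": False, "IsLogging": True},
    {"Name": "legacy-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
     "IncludeGlobalServiceEvents": True, "IsLogging": False},
]

def collect_live_trails():
    """Fetch real trail records with boto3 (assumed installed and configured)."""
    import boto3  # imported lazily so the pure check runs without AWS access
    ct = boto3.client("cloudtrail")
    records = []
    for t in ct.describe_trails(includeShadowTrails=False)["trailList"]:
        status = ct.get_trail_status(Name=t["TrailARN"])
        records.append({**t, "IsLogging": status.get("IsLogging", False)})
    return records

if __name__ == "__main__":
    ok, notes = evaluate_global_event_coverage(SAMPLE_TRAILS)
    print("PASS" if ok else "FAIL", *notes, sep="\n - ")
```

Against the constructed sample the check fails: the multi-region trail omits global service events and the only trail that includes them is not logging.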

Steps for remediation:

  1. Sign in to your AWS Management Console.
  2. Navigate to the CloudTrail dashboard at: https://console.aws.amazon.com/cloudtrail/
  3. On the left panel, select Trails.
  4. Look for the trail you want to examine.
  5. Click on it and scroll down to the Management events panel and click on Edit.
  6. Apply the following changes:
  7. Click Save changes to apply new settings.

References: