How to secure your AWS CloudTrail?
AWS CloudTrail Service
AWS CloudTrail is a service that facilitates governance, compliance, and operational and risk auditing of an AWS account. It records the actions taken by a user, role, or service as events, producing a log of the API calls made across the AWS tenant and its services. It gives visibility into the AWS tenant by allowing you to view, search, download, archive, analyze, and respond to account activity across the AWS infrastructure. Regular monitoring and post-incident forensic analysis of the CloudTrail log files, which are delivered to a predefined S3 bucket, yield an audit trail of all operations across an AWS architecture.
A trail of events can be built, which allows you to view, search, and download the past 90 days of activity in the AWS account. Two kinds of trail can be created:
Trail applied to a single region: This is a default option when a trail is created.
Trail applied to all regions: One can only update a single-region trail to log all regions using the AWS CLI.
CloudTrail workflow Advantages:
Regular Activity Monitoring — The ability to monitor activity lets customers track user actions and see which resources their employees are using. Improper or insecure modifications to resources or services can be detected and used to trigger automated remediation of the security misconfiguration.
Streamlined Compliance — CloudTrail streamlines a company's compliance requirements by automating the collection of activity and action logs, using event identification within the AWS tenant.
Data Security Auditing — Uncover changes made in AWS accounts. Administrators can review their teams' operations and spot anything new or unexpected. It also provides the ability to track comprehensively how data is stored and transferred.
AWS CloudTrail Security Best Practices
Enable CloudTrail in AWS globally: Apply global CloudTrail logging to institute logs for all the AWS services.
Enable CloudTrail Log File Validation: Log file validation is important because it lets you verify that log integrity has been maintained. Any insertion, alteration, or deletion made to a log file after it has been delivered to the S3 bucket can be detected.
Enable CloudTrail Multi-region Logging: Keep track of changes made to production resources, investigate incidents, and build an audit trail for compliance by recording API call history in every region.
Integrate CloudTrail with CloudWatch: CloudWatch can be used to monitor, store, and access log files from CloudTrail, EC2 instances, and other sources. Combining the two supports both historical and real-time analysis of activity by API call, resource, IP address, and user.
Limit access to the AWSCloudTrail_FullAccess policy: Following the least-privilege model, restrict who can disable or reconfigure trails and the sensitive, critical data they protect. Do not use shared AWS accounts.
Enable MFA Delete on CloudTrail Buckets: When an AWS tenant is compromised, the first thing an attacker will try to achieve is persistence, and deleting CloudTrail logs to cover their tracks and delay detection is one way to do so. With multi-factor authentication required for deletion, an attacker will find it much harder to destroy the logs and stay invisible.
Use server-side encryption with AWS KMS managed keys: When CloudTrail delivers log files to the storage bucket, they are encrypted by default with Amazon SSE-S3. SSE with AWS KMS-managed keys can be used as an added layer of protection. Create and manage an AWS KMS key, then apply it to the trail. The following bucket policy condition, used in a Deny statement on object uploads, rejects any upload that does not specify SSE-KMS or SSE-S3 (AES256) encryption:
"StringNotEquals": { "s3:x-amz-server-side-encryption": ["aws:kms", "AES256"] }
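As an added example (not code from the original article), the following Python script audits a trail's configuration against the practices above. It uses the field names returned by boto3's describe_trails() and get_trail_status(), but the trail records below are constructed so it runs offline; the ARNs and key ID are placeholders.

```python
# Added example: check CloudTrail trail settings against the best practices
# above. Field names match boto3 describe_trails()["trailList"] entries and
# get_trail_status() responses; sample data is constructed, not live.

def audit_trail(trail: dict, status: dict) -> list:
    """Return a list of findings for one trail; an empty list means it passes."""
    findings = []
    if not status.get("IsLogging", False):
        findings.append("logging is stopped")
    if not trail.get("IsMultiRegionTrail", False):
        findings.append("trail is single-region; enable multi-region logging")
    if not trail.get("IncludeGlobalServiceEvents", False):
        findings.append("global service events (e.g. IAM, STS) are not recorded")
    if not trail.get("LogFileValidationEnabled", False):
        findings.append("log file validation is disabled; tampering is undetectable")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("not integrated with CloudWatch Logs; no real-time alerting")
    if not trail.get("KmsKeyId"):
        findings.append("log files use SSE-S3 only; no customer-managed KMS key")
    return findings

def audit_account(trails: list, statuses: dict) -> dict:
    """Map each trail name to its findings; `statuses` is keyed by trail name."""
    return {t["Name"]: audit_trail(t, statuses.get(t["Name"], {})) for t in trails}

# Constructed sample records: one weak trail, one hardened trail.
WEAK_TRAIL = {
    "Name": "default-trail",
    "S3BucketName": "example-cloudtrail-logs",
    "IsMultiRegionTrail": False,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": False,
}
HARDENED_TRAIL = {
    "Name": "org-trail",
    "S3BucketName": "example-cloudtrail-logs",
    "IsMultiRegionTrail": True,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": True,
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/logs:*",
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
}
STATUSES = {"default-trail": {"IsLogging": False}, "org-trail": {"IsLogging": True}}

if __name__ == "__main__":
    for name, findings in audit_account([WEAK_TRAIL, HARDENED_TRAIL], STATUSES).items():
        print(name, "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```

To run it against a real account, replace the sample records with `boto3.client("cloudtrail").describe_trails()["trailList"]` and the matching `get_trail_status(Name=...)` results.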