What Is AWS CloudTrail?
AWS CloudTrail is an AWS service that lets you record and review activity across your AWS account. It records actions taken by a user, role, or AWS service as events, including actions taken in the AWS Management Console, the AWS CLI, and the SDKs and APIs.
CloudTrail is enabled by default when you create an AWS account, and the event history it keeps is retained for 90 days. To analyze, archive, and respond to changes in AWS resources beyond that window, you can create a trail: a configuration that stores events and delivers them to an Amazon S3 bucket.
Checklist to secure AWS CloudTrail:
- Enable CloudTrail across all AWS regions: A multi-region trail logs activity in every region of your AWS environment, so every configured activity is monitored, including in regions you do not normally use.
- Enable MFA for CloudTrail S3 bucket access: With MFA required for access to the S3 buckets designated for CloudTrail logs (and MFA Delete on the bucket, so object versions cannot be removed without a second factor), the chance of an intruder deleting logs is almost zero.
- Enable S3 bucket logging: S3 server access logging records every action on the log bucket itself, which supports forensics and audits.
- Create an S3 lifecycle: Define S3 lifecycle rules to archive CloudTrail log files automatically.
- Access controls for CloudTrail S3 buckets: Create a bucket policy that grants access to these logs only to the principals that need it.
- Encrypt logs at rest: By default, CloudTrail log files are encrypted with Amazon S3 server-side encryption (SSE-S3); you can instead encrypt them with an AWS KMS key (SSE-KMS).
- CloudWatch alarm for CloudTrail: Create a metric filter and an alarm for events such as the deletion of CloudTrail logs from S3.
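To make the checklist above concrete, here is an added Python example (not code from the original post or from AWS) that audits a trail and its log bucket against each item, and then runs a small detection rule over CloudTrail events that would feed the CloudWatch alarm. All inputs are constructed samples shaped like the responses of `aws cloudtrail describe-trails`, `aws s3api get-bucket-versioning`, `get-bucket-logging`, `get-bucket-lifecycle-configuration` and `get-bucket-policy`; the bucket name `example-cloudtrail-logs`, the trail name `org-trail` and the sample events are assumptions. The detection rule goes slightly beyond the post's text: besides deletions from the log bucket it also flags `StopLogging` and `DeleteTrail`, which have the same effect of silencing the audit trail.

```python
"""Audit one CloudTrail trail plus its S3 log bucket against the checklist,
then flag CloudTrail events that tamper with the log pipeline.
All data below is constructed for the example."""
import json

# Constructed sample: one trail as `describe-trails` would report it.
TRAIL = {
    "Name": "org-trail",                    # assumed trail name
    "S3BucketName": "example-cloudtrail-logs",
    "IsMultiRegionTrail": True,             # checklist: all regions
    "KmsKeyId": None,                       # SSE-S3 only, no KMS key (checklist: encrypt at rest)
}

# Constructed sample: attributes of the trail's log bucket.
BUCKET = {
    "Versioning": {"Status": "Enabled", "MFADelete": "Disabled"},          # checklist: MFA
    "Logging": {"LoggingEnabled": {"TargetBucket": "example-s3-access-logs"}},  # checklist: bucket logging
    "Lifecycle": {"Rules": [{"ID": "archive", "Status": "Enabled",           # checklist: lifecycle
                             "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}]}]},
    "Policy": json.dumps({                                                 # checklist: access control
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:PutObject",
             "Resource": "arn:aws:s3:::example-cloudtrail-logs/AWSLogs/*"},
            {"Sid": "TooBroad", "Effect": "Allow",        # deliberately weak statement
             "Principal": "*",
             "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-cloudtrail-logs/*"},
        ],
    }),
}


def _as_list(x):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return x if isinstance(x, list) else [x]


def open_principal_statements(policy_json):
    """Return the Sids of Allow statements that grant access to anyone ('*')."""
    policy = json.loads(policy_json)
    bad = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            bad.append(st.get("Sid", "<no Sid>"))
    return bad


def audit(trail, bucket):
    """Evaluate each checklist item; returns {check: True (pass) / False (fail)}."""
    rules = bucket["Lifecycle"].get("Rules", [])
    lifecycle_ok = any(r.get("Status") == "Enabled"
                       and (r.get("Transitions") or r.get("Expiration")) for r in rules)
    return {
        "all_regions": bool(trail.get("IsMultiRegionTrail")),
        "mfa_delete": bucket["Versioning"].get("MFADelete") == "Enabled",
        "bucket_logging": "LoggingEnabled" in bucket["Logging"],
        "lifecycle_rule": lifecycle_ok,
        "no_open_principal": not open_principal_statements(bucket["Policy"]),
        "kms_encryption": bool(trail.get("KmsKeyId")),   # SSE-S3 alone is reported as a gap
    }


def failures(trail, bucket):
    """Sorted names of the checks that failed."""
    return sorted(k for k, ok in audit(trail, bucket).items() if not ok)


# Constructed sample CloudTrail events, trimmed to the fields the rule reads.
EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "requestParameters": {"bucketName": "example-cloudtrail-logs", "key": "AWSLogs/1.json.gz"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "requestParameters": {"bucketName": "example-cloudtrail-logs", "key": "AWSLogs/1.json.gz"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "requestParameters": {"name": "org-trail"}},
]

# The same condition expressed as a CloudWatch Logs metric filter pattern, for the alarm.
# Assumed bucket name; the pattern syntax is CloudWatch's JSON filter syntax.
METRIC_FILTER_PATTERN = ('{ ($.eventSource = s3.amazonaws.com) && ($.eventName = Delete*) '
                         '&& ($.requestParameters.bucketName = "example-cloudtrail-logs") }')


def is_log_tampering(event, log_bucket):
    """True for deletions in the log bucket and for calls that stop or remove the trail."""
    src, name = event.get("eventSource"), event.get("eventName")
    params = event.get("requestParameters") or {}
    if src == "s3.amazonaws.com":
        return name in ("DeleteObject", "DeleteObjects", "DeleteBucket") \
            and params.get("bucketName") == log_bucket
    return src == "cloudtrail.amazonaws.com" and name in ("StopLogging", "DeleteTrail")


if __name__ == "__main__":
    for check, ok in audit(TRAIL, BUCKET).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
    for ev in EVENTS:
        print("ALERT " if is_log_tampering(ev, TRAIL["S3BucketName"]) else "ok    ", ev["eventName"])
```

Run as-is, the audit reports three gaps in the constructed configuration (MFA Delete off, no KMS key, and the `TooBroad` policy statement open to `Principal: "*"`), and the detector alerts on the `DeleteObject` against the log bucket and on `StopLogging` while ignoring the ordinary `GetObject`. In practice the input dictionaries would come from the listed CLI or boto3 calls rather than from the constants at the top.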
We have a competent and excellent team of QA experts who can help you with more details on this.
Drop your queries at firstname.lastname@example.org to schedule a meeting with our experts.