Best Practices for Using AWS CloudTrail

Best Practices for Using AWS CloudTrail

Every user action can and should be tracked. On cloud platforms like AWS, user actions and service events interact with the platform’s management interfaces, whether with the web console or the API, which allows most things that happen in your cloud environment to be logged. 

The transparency provided by comprehensive logging is one of the cloud’s most consequential security and compliance benefits. Using logs allows you to record all processing data so that you can track access and user actions to identify potential errors. Businesses that use AWS must also understand how to leverage the platform’s tools to achieve the visibility they need to improve security, compliance, and governance through logging. AWS CloudTrail is one of the foremost logging tools offered today to help you achieve that visibility. 

What Is AWS CloudTrail?

AWS CloudTrail is a logging service that records account activity across your AWS environment. When users, roles, or services carry out an action, it is recorded as a CloudTrail event. You can view events in the  CloudTrail console’s event history interface, and, by default, CloudTrail retains logs for the last 90 days. 

AWS CloudTrail Best Practices

As with all AWS services. users must configure AWS CloudTrail correctly to leverage its security, governance, and compliance capabilities. The best practice tips below will allow you to optimize your use of AWS CloudTrail.

Create a Trail

While CloudTrail provides some useful logging capabilities out of the box, creating a trail makes the service far more capable, comprehensive, and configurable. Trails allow you to specify where your monitored resources and recorded events will be sent.  These are sent as log files to an Amazon S3 bucket that you specify.  CloudTrail stores events as a JSON object with information such as the time at which an event occurred, who made the request, the resources that were affected, and more.

This is particularly important for companies that require a permanent long-term record of cloud activity for compliance purposes Without a trail, CloudTrail deletes logs after 90 days. 

Enable CloudTrail in All Regions

Unless a trail is intended to focus exclusively on a specific region, you should enable CloudTrail logging for all regions. Enabling CloudTrail for all regions maximizes insight into activity on your AWS environment and ensures that issues don’t go unnoticed because they occur in an unlogged region. 

Ensure CloudTrail Is Integrated With CloudWatch

CloudTrail is most useful if it is integrated with AWS CloudWatch. While CloudTrail generates and stores comprehensive logs, they aren’t actionable unless they are available to users in a form that is easy to interpret and analyze. That’s CloudWatch’s primary role; it allows users to visualize and analyze logs and provides sophisticated alerting and automation capabilities based on logged events. 

Store CloudTrail Logs in a Dedicated S3 Bucket

CloudTrail stores trails in an S3 bucket. As we’ll see in a moment, it’s essential to control access to this bucket because it contains information that could be useful to a malicious actor. Implementing an effective access policy for CloudTrail logs is easier if they are stored in a dedicated bucket used only for that purpose. 

Enable Logging on the CloudTrail S3 Bucket

Amazon S3’s server access logs record bucket access requests, helping administrators to understand who has accessed CloudTrail logs, information that may be useful during compliance audits, risk assessments, and security incident analysis. We recommend configuring the CloudTrail S3 bucket to generate server access logs and store them in a different bucket, which also has secure access controls. 

Configure Least Privileged Access to CloudTrail Logs

As we have discussed in previous articles on AWS security, S3 buckets are often misconfigured so that their contents are publicly accessible. Exposing sensitive log data in this way creates a critical vulnerability. S3 buckets that store CloudTrail logs should not be publicly accessible. Only AWS account users who have a well-defined reason to view logs should be given access to the bucket, and access permissions should be reviewed regularly. 

Encrypt CloudTrail Log With KMS CMKs

CloudTrail logs are encrypted by default using S3-managed encryption keys. To gain greater control over log security, you can instead use encryption with customer-created master keys (CMK) managed in AWS Key Management Services

There are several benefits to using CMKs instead of the S3’s default server-side encryption. CMK’s are under your control, so you can rotate and disable them. Additionally, CMK use can be logged by CloudTrail, providing a record of who used the keys and when they used them. 

Use CloudTrail Log File Integrity Validation

AWS CloudTrail logs play an essential role in the security and compliance of your AWS environment. As such, you must be able to determine the integrity of log files. If a bad actor gains access to AWS resources, they may delete or edit logs to obscure their presence. CloudTrail log file validation generates a digital signature of log files uploaded to your S3 bucket. The signature digest files can be used to verify that logs have not been edited or otherwise tampered with. 

Define a Retention Policy for Logs Stored in S3

CloudTrail trails are stored indefinitely, which may be the right approach for your business. However, if you have different compliance or administrative requirements, you can set a retention policy using S3’s object lifecycle management rules. Management rules can archive log files to an alternative storage service, such as Amazon Glacier, or automatically delete them once they exceed the required retention period. 

Are Your Business’s AWS CloudTrail Logs Secure and Compliant

As a licensed CPA firm specializing in information security auditing and consulting, KirkpatrickPrice can help your business verify its cloud configurations, including CloudTrail configurations, through the following services: 

  • AWS Security Scanner: an automated cloud security tool that performs over 50 checks on your AWS environment, including controls related to AWS CloudTrail security.
  • Cloud security assessments: expert assessments to verify your cloud environment is configured securely. 
  • Cloud security audits: Comprehensive cloud audits that test your AWS, GCP, or Azure environment against a framework based on the Center for Internet Security (CIS) benchmarks. 

Contact a cloud security specialist to learn more about how KirkpatrickPrice can help your business to enhance and verify the security, privacy, and compliance of its cloud infrastructure.