To set the CloudTrail setting, LogFileValidationEnabled, use the CLI:.AWS Config has a rule that will also detect if log file validation is not enabled.The CloudTrail log file validation setting, LogFileValidationEnabled, can be checked via CLI:.Enable file validation on all logs to provide additional integrity checking of CloudTrail logs.ĭata: 271 out of 1,485 CloudTrail logs (18%) do not have file validation enabled.Īnalysis: Log file validation is easy to turn on and should be enabled for all CloudTrail logs. This is invaluable in ensuring the integrity of the logs and determining if a log was changed or deleted after CloudTrail wrote the log. The CloudTrail setting, IsMultiRegionTrail, can be configured via CLI:īackground: A digitally-signed hash of each CloudTrail log can be created on the same S3 bucket where the CloudTrail logs are stored.AWS Config has a rule that will also detect if CloudTrail is not enabled for all regions.The CloudTrail configuration setting, IsMultiReegionTrail, can be checked via CLI:.CloudTrail should be enabled for all regions and regular, automated checks on CloudTrail configurations should be done to enforce this setting. Any violations should be immediately remediated. #Įnsure CloudTrail is enabled in all regionsĮnsure CloudTrail log file validation is enabledĮnsure the S3 bucket used to store CloudTrail logs is not publicly accessibleĮnsure CloudTrail trails are integrated with CloudWatch LogsĮnsure AWS Config is enabled in all regionsĮnsure S3 bucket access logging is enabled on the CloudTrail S3 bucketĮnsure CloudTrail logs are encrypted at rest using AWS KMS CMKsĮnsure rotation for customer created CMKs is enabledĮnsure VPC flow logging is enabled in all VPCsīackground: CloudTrail should be enabled for all regions to ensure complete activity logging is available, including activity in unused regions is detected.ĭata: In this dataset, 39 accounts (3.4%) do not have a CloudTrail enabled for all regions.Īnalysis: This control is crucial as it is a prerequisite for visibility into having logging enabled in the first place in all regions. They were analyzed against 1,485 CloudTrails, 11,101 VPCs, and 16,281 keys across 1,143 accounts in the Netskope customer dataset. These nine technical best practices involve logging configuration, including AWS CloudTrail, bucket access logging, and VPC flow logs. These should be reviewed to ensure they are integrated with a production log search service or SIEM. Ensure CloudTrail logs are integrated with CloudWatch or a SIEM: 54% of CloudTrails are not integrated with CloudWatch.Logging should be enabled for all CloudTrail S3 buckets. Ensure S3 bucket access logging is enabled for CloudTrail buckets: 41% of CloudTrail buckets do not have server access logging enabled.Encryption at rest supports data compliance controls and is easy to do. Encrypt CloudTrail logs at rest: 91% of CloudTrail logs are not encrypted at rest.Enable VPC flow logs : 81% of VPCs do not have VPC flow logging enabled, which will hinder incident response and investigations.Based on the Netskope dataset analyzed, we will highlight four opportunities to improve security: This blog post focuses on IAM security controls related to logging. Focus on practical guidance for applying the Benchmark to your specific environment.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |