AWS CloudTrail provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions. Show
Topics
CloudTrail detective security best practicesCreate a trail For an ongoing record of events in your AWS account, you must create a trail. Although CloudTrail provides 90 days of event history information for management events in the CloudTrail console without creating a trail, it is not a permanent record, and it does not provide information about all possible types of events. For an ongoing record, and for a record that contains all the event types you specify, you must create a trail, which delivers log files to an Amazon S3 bucket that you specify. To help manage your CloudTrail data, consider creating one trail that logs management events in all AWS Regions, and then creating additional trails that log specific event types for resources, such as Amazon S3 bucket activity or AWS Lambda functions. The following are some steps you can take:
Apply trails to all AWS Regions To obtain a complete record of events taken by a user, role, or service in your AWS account, each trail should be configured to log events in all AWS Regions. By logging events in all AWS Regions, you ensure that all events that occur in your AWS account are logged, regardless of which AWS Region where they occurred. This includes logging global service events, which are logged to an AWS Region specific to that service. When you create a trail that applies to all regions, CloudTrail records events in each region and delivers the CloudTrail event log files to an S3 bucket that you specify. If an AWS Region is added after you create a trail that applies to all regions, that new region is automatically included, and events in that region are logged. This is the default option when you create a trail in the CloudTrail console. The following are some steps you can take:
Enable CloudTrail log file integrity Validated log files are especially valuable in security and forensic investigations. For example, a validated log file enables you to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity. The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time. CloudTrail log file integrity validation uses industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally unfeasible to modify, delete or forge CloudTrail log files without detection. For more information, see Enabling validation and validating files. Integrate with Amazon CloudWatch Logs CloudWatch Logs allows you to monitor and receive alerts for specific events captured by CloudTrail. The events sent to CloudWatch Logs are those configured to be logged by your trail, so make sure you have configured your trail or trails to log the event types (management events and/or data events) that you are interested in monitoring. For example, you can monitor key security and network-related management events, such as failed AWS Management Console sign-in events. The following are some steps you can take:
CloudTrail preventative security best practicesThe following best practices for CloudTrail can help prevent security incidents. Log to a dedicated and centralized Amazon S3 bucket CloudTrail log files are an audit log of actions taken by a user, role or an AWS service. The integrity, completeness and availability of these logs is crucial for forensic and auditing purposes. By logging to a dedicated and centralized Amazon S3 bucket, you can enforce strict security controls, access, and segregation of duties. The following are some steps you can take:
Use server-side encryption with AWS KMS managed keys By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files. To use SSE-KMS with CloudTrail, you create and manage an AWS KMS key, also known as a KMS key. If you use SSE-KMS and log file validation, and you have modified your Amazon S3 bucket policy to only allow SSE-KMS encrypted files, you will not be able to create trails that utilize that bucket unless you modify your bucket policy to specifically allow AES256 encryption, as shown in the following example policy line.
The following are some steps you can take:
Add a condition key to the default Amazon SNS topic policy When you configure a trail to send notifications to Amazon SNS, CloudTrail adds a policy statement to your SNS topic access policy that allows CloudTrail to send
content to an SNS topic. As a security best practice, we recommend adding an Implement least privilege access to Amazon S3 buckets where you store log files CloudTrail trails log events to an Amazon S3 bucket that you specify. These log files contain an audit log of actions taken by users, roles, and AWS services. The integrity and completeness of these log files are crucial for auditing and forensic purposes. In order to help ensure that integrity, you should adhere to the principle of least privilege when creating or modifying access to any Amazon S3 bucket used for storing CloudTrail log files. Take the following steps:
Enable MFA Delete on the Amazon S3 bucket where you store log files Configuring multi-factor authentication (MFA) ensures that any attempt to change the versioning state of your bucket or permanently delete an object version requires additional authentication. This helps prevent any operation that could compromise the integrity of your log files, even if a user acquires the password of an IAM user that has permissions to permanently delete Amazon S3 objects. The following are some steps you can take:
Configure object lifecycle management on the Amazon S3 bucket where you store log files The CloudTrail trail default is to store log files indefinitely in the Amazon S3 bucket configured for the trail. You can use the Amazon S3 object lifecycle management rules to define your own retention policy to better meet your business and auditing needs. For example, you might want to archive log files that are more than a year old to Amazon Glacier, or delete log files after a certain amount of time has passed. Limit access to the AWSCloudTrail_FullAccess policy Users with the AWSCloudTrail_FullAccess policy have the ability to disable or reconfigure the most sensitive and important auditing functions in their AWS accounts. This policy is not intended to be shared or applied broadly to users and roles in your AWS account. Limit application of this policy to as few individuals as possible, those you expect to act as AWS account administrators. How should an application be designed to run in the AWS cloud?According to best practices, how should an application be designed to run in the AWS Cloud?. Use tightly coupled components.. Use loosely coupled components.. Use infrequently coupled components.. Use frequently coupled components.. Which of the below is best practice when building applications on AWS?One of the most important AWS best-practices to follow is the cloud architecture principle of elasticity.
Which AWS service can be used in the application deployment process?AWS CodeDeploy is a fully managed deployment service that automates software deployments to various compute services, such as Amazon Elastic Compute Cloud (EC2), Amazon Elastic Container Service (ECS), AWS Lambda, and your on-premises servers.
Which tool is used to automate actions for AWS services and applications through scripts Amazon?AWS Systems Manager allows you to centralize operational data from multiple AWS services and automate tasks across your AWS resources.
|