AWS awssupport documentation change
Summary
Removed AWS CloudTrail Logging check documentation and references
Security assessment
Removal of CloudTrail logging documentation reduces visibility into API activity monitoring guidance, but there's no evidence this addresses an active security vulnerability. The change appears to be a content reorganization rather than a security fix.
Diff
diff --git a/awssupport/latest/user/security-checks.md b/awssupport/latest/user/security-checks.md index bf9b05b85..6c560f03c 100644 --- a//awssupport/latest/user/security-checks.md +++ b//awssupport/latest/user/security-checks.md @@ -5 +5 @@ -Application Load Balancer security groupAmazon CloudWatch Log Group Retention PeriodAmazon EC2 instances with Microsoft SQL Server end of supportAmazon EC2 instances with Microsoft Windows Server end of supportAmazon EC2 instances with Ubuntu LTS end of standard supportAmazon EFS clients not using data-in-transit encryptionAmazon EBS Public SnapshotsAmazon RDS Aurora storage encryption is turned offAmazon RDS engine minor version upgrade is requiredAmazon RDS Public SnapshotsAmazon RDS Security Group Access RiskAmazon RDS storage encryption is turned offAmazon Route 53 mismatching CNAME records pointing directly to S3 bucketsAmazon Route 53 MX Resource Record Sets and Sender Policy FrameworkAmazon S3 Bucket PermissionsAmazon VPC Peering Connections with DNS Resolution DisabledApplication Load Balancer Target Groups Encrypted ProtocolAWS Backup Vault Without Resource-based Policy to Prevent Deletion of Recovery PointsAWS CloudTrail LoggingAWS CloudTrail Management Event LoggingAWS Lambda Functions Using Deprecated RuntimesAWS Well-Architected high risk issues for securityCloudFront Custom SSL Certificates in the IAM Certificate StoreCloudFront SSL Certificate on the Origin ServerELB Listener SecurityClassic Load Balancer Security GroupsExposed Access KeysIAM Access Key RotationIAM Access Analyzer External AccessIAM Password PolicyIAM SAML 2.0 Identity ProviderMFA on root accountRoot User Access KeySecurity Groups – Specific Ports UnrestrictedSecurity Groups – Unrestricted Access +Application Load Balancer security groupAmazon CloudWatch Log Group Retention PeriodAmazon EC2 instances with Microsoft SQL Server end of supportAmazon EC2 instances with Microsoft Windows Server end of supportAmazon EC2 instances with Ubuntu LTS end of standard supportAmazon EFS clients not using data-in-transit encryptionAmazon EBS Public SnapshotsAmazon RDS Aurora storage encryption is turned offAmazon RDS engine minor version upgrade is requiredAmazon RDS Public SnapshotsAmazon RDS Security Group Access RiskAmazon RDS storage encryption is turned offAmazon Route 53 mismatching CNAME records pointing directly to S3 bucketsAmazon Route 53 MX Resource Record Sets and Sender Policy FrameworkAmazon S3 Bucket PermissionsAmazon VPC Peering Connections with DNS Resolution DisabledApplication Load Balancer Target Groups Encrypted ProtocolAWS Backup Vault Without Resource-based Policy to Prevent Deletion of Recovery PointsAWS CloudTrail Management Event LoggingAWS Lambda Functions Using Deprecated RuntimesAWS Well-Architected high risk issues for securityCloudFront Custom SSL Certificates in the IAM Certificate StoreCloudFront SSL Certificate on the Origin ServerELB Listener SecurityClassic Load Balancer Security GroupsExposed Access KeysIAM Access Key RotationIAM Access Analyzer External AccessIAM Password PolicyIAM SAML 2.0 Identity ProviderMFA on root accountRoot User Access KeySecurity Groups – Specific Ports UnrestrictedSecurity Groups – Unrestricted Access @@ -55,2 +54,0 @@ You can view all controls in the AWS Foundational Security Best Practices securi - * [AWS CloudTrail Logging](./security-checks.html#aws-cloudtrail-logging) - @@ -1218,63 +1215,0 @@ For more information, see [Set access policies on backup vaults](https://docs.aw -## AWS CloudTrail Logging - -**Description** - - -Checks your use of AWS CloudTrail. CloudTrail provides increased visibility into activity in your AWS account by recording information about AWS API calls made on the account. You can use these logs to determine, for example, what actions a particular user has taken during a specified time period, or which users have taken actions on a particular resource during a specified time period. - -Because CloudTrail delivers log files to an Amazon Simple Storage Service (Amazon S3) bucket, CloudTrail must have write permissions for the bucket. If a trail applies to all Regions (the default when creating a new trail), the trail appears multiple times in the Trusted Advisor report. - -**Check ID** - - -`vjafUGJ9H0` - -**Alert Criteria** - - - * Yellow: CloudTrail reports log delivery errors for a trail. - - * Red: A trail has not been created for a Region, or logging is turned off for a trail. - - - - -**Recommended Action** - - -To create a trail and start logging from the console, go to the [AWS CloudTrail console](https://console.aws.amazon.com/cloudtrail/home). - -To start logging, see [Stopping and Starting Logging for a Trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create_trail_using_cli.html#stopstartclil). - -If you receive log delivery errors, check to make sure that the bucket exists and that the necessary policy is attached to the bucket. See [Amazon S3 Bucket Policy](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create_trail_bucket_policy.html). - -**Additional Resources** - - - * [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/) - - * [Supported Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_supported_regions.html) - - * [Supported Services](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_supported_services.html) - - - - -**Report columns** - - - * Status - - * Region - - * Trail Name - - * Logging Status - - * Bucket Name - - * Last Delivery Date - - - -