AWS awssupport high security documentation change
Summary
Added new 'AWS CloudTrail Logging' security check documentation with alert criteria for missing trails/disabled logging and remediation guidance
Security assessment
The change introduces a new security control check focused on CloudTrail configuration - a critical security monitoring service. The documentation explicitly warns about security risks when trails are missing or logging is disabled (Red alert criteria), which could lead to undetected malicious activity. This directly addresses security visibility and audit capability gaps.
Diff
diff --git a/awssupport/latest/user/security-checks.md b/awssupport/latest/user/security-checks.md index 6c560f03c..7dcd66fae 100644 --- a//awssupport/latest/user/security-checks.md +++ b//awssupport/latest/user/security-checks.md @@ -5 +5 @@ -Application Load Balancer security groupAmazon CloudWatch Log Group Retention PeriodAmazon EC2 instances with Microsoft SQL Server end of supportAmazon EC2 instances with Microsoft Windows Server end of supportAmazon EC2 instances with Ubuntu LTS end of standard supportAmazon EFS clients not using data-in-transit encryptionAmazon EBS Public SnapshotsAmazon RDS Aurora storage encryption is turned offAmazon RDS engine minor version upgrade is requiredAmazon RDS Public SnapshotsAmazon RDS Security Group Access RiskAmazon RDS storage encryption is turned offAmazon Route 53 mismatching CNAME records pointing directly to S3 bucketsAmazon Route 53 MX Resource Record Sets and Sender Policy FrameworkAmazon S3 Bucket PermissionsAmazon VPC Peering Connections with DNS Resolution DisabledApplication Load Balancer Target Groups Encrypted ProtocolAWS Backup Vault Without Resource-based Policy to Prevent Deletion of Recovery PointsAWS CloudTrail Management Event LoggingAWS Lambda Functions Using Deprecated RuntimesAWS Well-Architected high risk issues for securityCloudFront Custom SSL Certificates in the IAM Certificate StoreCloudFront SSL Certificate on the Origin ServerELB Listener SecurityClassic Load Balancer Security GroupsExposed Access KeysIAM Access Key RotationIAM Access Analyzer External AccessIAM Password PolicyIAM SAML 2.0 Identity ProviderMFA on root accountRoot User Access KeySecurity Groups – Specific Ports UnrestrictedSecurity Groups – Unrestricted Access +Application Load Balancer security groupAmazon CloudWatch Log Group Retention PeriodAmazon EC2 instances with Microsoft SQL Server end of supportAmazon EC2 instances with Microsoft Windows Server end of supportAmazon EC2 instances with Ubuntu LTS end of standard supportAmazon EFS clients not using data-in-transit encryptionAmazon EBS Public SnapshotsAmazon RDS Aurora storage encryption is turned offAmazon RDS engine minor version upgrade is requiredAmazon RDS Public SnapshotsAmazon RDS Security Group Access RiskAmazon RDS storage encryption is turned offAmazon Route 53 mismatching CNAME records pointing directly to S3 bucketsAmazon Route 53 MX Resource Record Sets and Sender Policy FrameworkAmazon S3 Bucket PermissionsAmazon VPC Peering Connections with DNS Resolution DisabledApplication Load Balancer Target Groups Encrypted ProtocolAWS Backup Vault Without Resource-based Policy to Prevent Deletion of Recovery PointsAWS CloudTrail LoggingAWS CloudTrail Management Event LoggingAWS Lambda Functions Using Deprecated RuntimesAWS Well-Architected high risk issues for securityCloudFront Custom SSL Certificates in the IAM Certificate StoreCloudFront SSL Certificate on the Origin ServerELB Listener SecurityClassic Load Balancer Security GroupsExposed Access KeysIAM Access Key RotationIAM Access Analyzer External AccessIAM Password PolicyIAM SAML 2.0 Identity ProviderMFA on root accountRoot User Access KeySecurity Groups – Specific Ports UnrestrictedSecurity Groups – Unrestricted Access @@ -54,0 +55,2 @@ You can view all controls in the AWS Foundational Security Best Practices securi + * [AWS CloudTrail Logging](./security-checks.html#aws-cloudtrail-logging) + @@ -1215,0 +1218,67 @@ For more information, see [Set access policies on backup vaults](https://docs.aw +## AWS CloudTrail Logging + +**Description** + + +###### Important + +This check is deprecated in the commercial [AWS Regions](https://docs.aws.amazon.com/https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html?icmpid=docs_homepage_addtlrcs#region). + +Checks your use of AWS CloudTrail. CloudTrail provides increased visibility into activity in your AWS account by recording information about AWS API calls made on the account. You can use these logs to determine, for example, what actions a particular user has taken during a specified time period, or which users have taken actions on a particular resource during a specified time period. + +Because CloudTrail delivers log files to an Amazon Simple Storage Service (Amazon S3) bucket, CloudTrail must have write permissions for the bucket. If a trail applies to all Regions (the default when creating a new trail), the trail appears multiple times in the Trusted Advisor report. + +**Check ID** + + +`vjafUGJ9H0` + +**Alert Criteria** + + + * Yellow: CloudTrail reports log delivery errors for a trail. + + * Red: A trail has not been created for a Region, or logging is turned off for a trail. + + + + +**Recommended Action** + + +To create a trail and start logging from the console, go to the [AWS CloudTrail console](https://console.aws.amazon.com/cloudtrail/home). + +To start logging, see [Stopping and Starting Logging for a Trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create_trail_using_cli.html#stopstartclil). + +If you receive log delivery errors, check to make sure that the bucket exists and that the necessary policy is attached to the bucket. See [Amazon S3 Bucket Policy](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create_trail_bucket_policy.html). + +**Additional Resources** + + + * [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/) + + * [Supported Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_supported_regions.html) + + * [Supported Services](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_supported_services.html) + + + + +**Report columns** + + + * Status + + * Region + + * Trail Name + + * Logging Status + + * Bucket Name + + * Last Delivery Date + + + +