Automatically re-enable AWS CloudTrail by using a custom remediation rule in AWS Config
Created by Manigandan Shri (AWS)
Summary
Visibility over activity in your Amazon Web Services (AWS) account is an important security and operational best practice. AWS CloudTrail helps you with the governance, compliance, and operational and risk auditing of your account.
To ensure that CloudTrail remains enabled in your account, AWS Config provides the cloudtrail-enabled managed rule. If CloudTrail is turned off, the cloudtrail-enabled rule detects the noncompliant state and, through automatic remediation, re-enables it.
However, you must make sure that you follow security best practices for CloudTrail if you use automatic remediation. These best practices include enabling CloudTrail in all AWS Regions, logging read and write workloads, enabling insights, and encrypting log files with server-side encryption using AWS Key Management Service (AWS KMS) managed keys (SSE-KMS).
This pattern helps you follow these security best practices by providing a custom remediation action to automatically re-enable CloudTrail in your account.
Important
We recommend using service control policies (SCPs) to prevent any tampering with CloudTrail. For more information about this, see the Prevent tampering with AWS CloudTrail section of How to use AWS Organizations to simplify security at enormous scale.
Prerequisites and limitations
Prerequisites
An active AWS account
Permissions to create an AWS Systems Manager Automation runbook
An existing trail for your account
Limitations
This pattern doesn't support the following actions:
Setting an Amazon Simple Storage Service (Amazon S3) prefix key for the storage location
Publishing to an Amazon Simple Notification Service (Amazon SNS) topic
Configuring Amazon CloudWatch Logs to monitor your CloudTrail logs
Architecture

Technology stack
AWS Config
CloudTrail
Systems Manager
Systems Manager Automation
Tools
AWS Config provides a detailed view of the configuration of AWS resources in your account.
AWS CloudTrail helps you enable governance, compliance, and operational and risk auditing of your account.
AWS Key Management Service (AWS KMS) is an encryption and key management service.
AWS Systems Manager helps you view and control your infrastructure on AWS.
AWS Systems Manager Automation simplifies common maintenance and deployment tasks of Amazon Elastic Compute Cloud (Amazon EC2) instances and other AWS resources.
Amazon Simple Storage Service (Amazon S3) is a cloud-based object storage service that helps you store, protect, and retrieve any amount of data.
Code
The cloudtrail-remediation-action.yml file (attached) helps you create a Systems Manager Automation runbook to set up and re-enable CloudTrail using security best practices.
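The checks that such a runbook has to carry out, as an added example that is not the attached cloudtrail-remediation-action.yml and not AWS code: it compares a trail against the best practices named in the Summary (logging on, all Regions, read and write management events, Insights, SSE-KMS) and applies only the settings that drifted. The CloudTrail client is injected so the logic runs offline against the constructed `FakeCloudTrailClient` below; in a runbook's aws:executeScript step it would be `boto3.client("cloudtrail")`. The trail name and the KMS key ARN are constructed placeholders.

```python
"""Check a trail against the best practices this pattern enforces (logging on,
all Regions, read and write management events, Insights, SSE-KMS) and apply
only the settings that drifted.

Added example; it is not the attached cloudtrail-remediation-action.yml runbook.
The client is injected so the logic runs offline against the fake below; in a
runbook's aws:executeScript step it would be boto3.client("cloudtrail").
The trail name and ARNs are constructed placeholders.
"""

MANAGEMENT_READ_WRITE = {"ReadWriteType": "All", "IncludeManagementEvents": True}
API_RATE_INSIGHT = {"InsightType": "ApiCallRateInsight"}


def find_drift(trail, status, event_selectors, insight_selectors, kms_key_arn):
    """Return {setting: desired value} for every best practice the trail violates.
    Inputs have the shape of the GetTrail / GetTrailStatus / GetEventSelectors /
    GetInsightSelectors responses."""
    drift = {}
    if not status.get("IsLogging"):
        drift["IsLogging"] = True
    if not trail.get("IsMultiRegionTrail"):
        drift["IsMultiRegionTrail"] = True
    if trail.get("KmsKeyId") != kms_key_arn:
        drift["KmsKeyId"] = kms_key_arn
    if not any(s.get("ReadWriteType") == "All" and s.get("IncludeManagementEvents", True)
               for s in event_selectors):
        drift["EventSelectors"] = [MANAGEMENT_READ_WRITE]
    if not any(s.get("InsightType") == "ApiCallRateInsight" for s in insight_selectors):
        drift["InsightSelectors"] = [API_RATE_INSIGHT]
    return drift


def remediate(client, trail_name, kms_key_arn):
    """Correct each drifted setting; logging is restarted last so the trail
    resumes already hardened. Returns the drift that was corrected."""
    trail = client.get_trail(Name=trail_name)["Trail"]
    status = client.get_trail_status(Name=trail_name)
    selectors = client.get_event_selectors(TrailName=trail_name).get("EventSelectors", [])
    try:
        insights = client.get_insight_selectors(TrailName=trail_name).get("InsightSelectors", [])
    except Exception:  # boto3 raises InsightNotEnabledException when Insights is off
        insights = []
    drift = find_drift(trail, status, selectors, insights, kms_key_arn)

    trail_args = {k: drift[k] for k in ("IsMultiRegionTrail", "KmsKeyId") if k in drift}
    if trail_args:
        client.update_trail(Name=trail_name, **trail_args)
    if "EventSelectors" in drift:
        client.put_event_selectors(TrailName=trail_name, EventSelectors=drift["EventSelectors"])
    if "InsightSelectors" in drift:
        client.put_insight_selectors(TrailName=trail_name, InsightSelectors=drift["InsightSelectors"])
    if "IsLogging" in drift:
        client.start_logging(Name=trail_name)
    return drift


class FakeCloudTrailClient:
    """Constructed stand-in for boto3's CloudTrail client: a stopped, single-Region,
    unencrypted trail that logs write-only management events and has no Insights."""

    def __init__(self):
        self.calls = []
        self.trail = {"Name": "management-trail", "IsMultiRegionTrail": False}
        self.logging = False
        self.event_selectors = [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]
        self.insight_selectors = []

    def get_trail(self, Name):
        return {"Trail": dict(self.trail)}

    def get_trail_status(self, Name):
        return {"IsLogging": self.logging}

    def get_event_selectors(self, TrailName):
        return {"EventSelectors": list(self.event_selectors)}

    def get_insight_selectors(self, TrailName):
        return {"InsightSelectors": list(self.insight_selectors)}

    def update_trail(self, Name, **settings):
        self.calls.append("update_trail")
        self.trail.update(settings)

    def put_event_selectors(self, TrailName, EventSelectors):
        self.calls.append("put_event_selectors")
        self.event_selectors = EventSelectors

    def put_insight_selectors(self, TrailName, InsightSelectors):
        self.calls.append("put_insight_selectors")
        self.insight_selectors = InsightSelectors

    def start_logging(self, Name):
        self.calls.append("start_logging")
        self.logging = True


def demo():
    """First pass corrects five settings; second pass finds nothing to do."""
    client = FakeCloudTrailClient()
    key_arn = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # constructed
    first = remediate(client, "management-trail", key_arn)
    second = remediate(client, "management-trail", key_arn)
    return first, second, client.calls


if __name__ == "__main__":
    first, second, calls = demo()
    print("corrected:", sorted(first), "| second pass:", second, "| calls:", calls)
```

The order matters for the "Test the automatic remediation rule" step later on this page: the trail's Region scope, event selectors, Insights and KMS key are fixed before StartLogging is called, so activity recorded after a tamper is never written by a trail that is still partly misconfigured. The second pass returning an empty drift is what makes the action safe to run repeatedly from AWS Config.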
Epics
Task | Description | Skills required |
---|---|---|
Create an S3 bucket. | Sign in to the AWS Management Console, open the Amazon S3 console, and then create an S3 bucket to store the CloudTrail logs. For more information, see Create an S3 bucket in the Amazon S3 documentation. | Systems administrator |
Add a bucket policy to allow CloudTrail to deliver log files to the S3 bucket. | CloudTrail must have the required permissions to deliver log files to your S3 bucket. On the Amazon S3 console, choose the S3 bucket that you created earlier and then choose Permissions. Create an S3 bucket policy by using the Amazon S3 bucket policy for CloudTrail from the CloudTrail documentation. For steps on how to add a policy to an S3 bucket, see Adding a bucket policy using the Amazon S3 console in the Amazon S3 documentation. Important: If you specified a prefix when you created your trail in CloudTrail, make sure that you include it in the S3 bucket policy. The prefix is an optional addition to the S3 object key that creates a folder-like organization in your S3 bucket. For more information about this, see Creating a trail in the CloudTrail documentation. | Systems administrator |
Create a KMS key. | Create an AWS KMS key for CloudTrail to encrypt objects before adding them to the S3 bucket. For help with this story, see Encrypting CloudTrail log files with AWS KMS managed keys (SSE-KMS) in the CloudTrail documentation. | Systems administrator |
Add a key policy to the KMS key. | Attach a KMS key policy to allow CloudTrail to use the KMS key. For help with this story, see Encrypting CloudTrail log files with AWS KMS–managed keys (SSE-KMS) in the CloudTrail documentation. Important: CloudTrail doesn't require | Systems administrator |
Create AssumeRole for Systems Manager runbook | Create an | Systems administrator |
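The prefix caveat in the bucket-policy task above, as an added example that is not part of the pattern: the function builds the two statements the CloudTrail bucket policy consists of (GetBucketAcl on the bucket, PutObject under AWSLogs/<account>/ with bucket-owner-full-control, both scoped to the trail ARN), and `write_allowed` shows that a policy built for prefix "prod" does not cover the key path CloudTrail would use without that prefix, which is how a prefix mismatch turns into failed log delivery. Bucket name, account ID, Region, trail name and the `write_allowed` helper are constructed for this example.

```python
"""Build the S3 bucket policy that lets CloudTrail deliver log files, and check
that a given object key is covered by it.

Added example, not part of the pattern. Bucket name, account ID, Region and
trail name are constructed placeholders; the two statements follow the shape of
the CloudTrail bucket policy referenced in the epic above.
"""
import fnmatch
import json


def cloudtrail_bucket_policy(bucket, account_id, region, trail_name, prefix=""):
    """Return the bucket policy as a dict. `prefix` must match the prefix set on
    the trail; it becomes the first path segment of every delivered object key."""
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    prefix = prefix.strip("/")
    key_path = f"{prefix}/" if prefix else ""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                # Scoping to the trail ARN keeps other accounts' trails from using this bucket.
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/{key_path}AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {
                        "aws:SourceArn": trail_arn,
                        "s3:x-amz-acl": "bucket-owner-full-control",
                    }
                },
            },
        ],
    }


def write_allowed(policy, bucket, object_key):
    """True if some Allow statement for s3:PutObject matches the object's ARN.
    Uses '*' glob matching, which is all the Resource patterns above need."""
    object_arn = f"arn:aws:s3:::{bucket}/{object_key}"
    for statement in policy["Statement"]:
        if statement["Effect"] != "Allow" or statement["Action"] != "s3:PutObject":
            continue
        if fnmatch.fnmatchcase(object_arn, statement["Resource"]):
            return True
    return False


if __name__ == "__main__":
    policy = cloudtrail_bucket_policy(
        "example-trail-logs", "111122223333", "us-east-1", "management-trail", prefix="prod"
    )
    print(json.dumps(policy, indent=2))
    # A trail created with prefix "prod" delivers under prod/AWSLogs/...
    print(write_allowed(policy, "example-trail-logs",
                        "prod/AWSLogs/111122223333/CloudTrail/us-east-1/x.json.gz"))
    # ...so a key without the prefix is not covered and delivery would fail.
    print(write_allowed(policy, "example-trail-logs",
                        "AWSLogs/111122223333/CloudTrail/us-east-1/x.json.gz"))
```

Paste the printed JSON into the bucket's Permissions tab as described in the task; if the trail is later edited to use a different prefix, the write statement's Resource must be updated in step, or CloudTrail will stop delivering even though the trail shows as logging.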
Task | Description | Skills required |
---|---|---|
Create the Systems Manager Automation runbook. | Use the | Systems administrator |
Test the runbook. | On the Systems Manager console, test the Systems Manager Automation runbook that you created earlier. For more information about this, see Running a simple automation in the Systems Manager documentation. | Systems administrator |
Task | Description | Skills required |
---|---|---|
Add the cloudtrail-enabled rule. | On the AWS Config console, choose Rules and then choose Add rule. On the Add rule page, choose Add custom rule. On the Configure rule page, enter a name and description, and add the | Systems administrator |
Add the automatic remediation action. | From the Actions dropdown list, choose Manage remediation. Choose Auto remediation and then choose the Systems Manager runbook that you created earlier. The following are the required input parameters for CloudTrail:
The following input parameters are set to true by default:
Retain the default values for the Rate Limits parameter and Resource ID parameter. Choose Save. For more information, see Remediating noncompliant AWS resources with AWS Config rules in the AWS Config documentation. | Systems administrator |
Test the automatic remediation rule. | To test the automatic remediation rule, open the CloudTrail console, choose Trails, and then choose the trail. Choose Stop logging to turn off logging for the trail. When you are prompted to confirm, choose Stop logging. CloudTrail stops logging activity for that trail. Follow the instructions from Evaluating your resources in the AWS Config documentation to make sure that CloudTrail was automatically re-enabled. | Systems administrator |
Related resources
Configure CloudTrail
Create and test the Systems Manager Automation runbook
Set up the automatic remediation rule in AWS Config
Additional resources
Attachments
To access additional content that is associated with this document, unzip the following file: attachment.zip