8 AWS CloudTrail Best Practices for Governance, Compliance, and Auditing

By on Jul 21, 2017

The recent AWS data leaks at Verizon (via Nice Systems), the RNC (via Deep Root Analytics), and Dow Jones have once again highlighted the lack of awareness organizations have displayed around the shared responsibility model for security that AWS operates under. Nobody can reasonably question Amazon’s commitment to the security of its IaaS, as evidenced by the myriad services (CloudTrail, IAM, encryption, etc.) it has made available to its customers to bolster the security of AWS.

Most often, data leaks and security incidents are rooted in carelessness on the customer’s part: misusing AWS or underutilizing the security features it provides. Even though enterprise-grade cloud services such as AWS are built to be highly resistant to breaches and attacks, the trend of the customer being at fault for a security incident will only get worse, according to Gartner:

Through 2020, 95 percent of cloud security failures will be the customer’s fault.


Organizations looking to shore up the security posture of their AWS infrastructure must first gain complete visibility into user activity in AWS and any changes that are made to AWS services, settings, and configurations. To that end, AWS provides its customers with CloudTrail, one of the most critical security services in AWS.

What is AWS CloudTrail?

CloudTrail is a service offered by AWS that captures a log of all API calls for an AWS account and its services. CloudTrail enables continuous monitoring and post-incident forensic investigations of AWS by providing an audit trail of all activities across an AWS infrastructure. All CloudTrail logs files get stored in a dedicated S3 bucket.

Benefits of AWS CloudTrail

Activity monitoring – CloudTrail provides the raw data that could be used, in conjunction with a CASB, to monitor user and resource activity, detect insecure or inappropriate changes to services or resources, and automate the remediation of security misconfigurations.

Streamlined compliance – CloudTrail streamlines an organization’s compliance requirements by automating the capture and storage of logs of activities and actions taken in an AWS account. This can enable identification of events that may be out of compliance with internal policies or external regulations.

Security auditing – CloudTrail helps discover changes made to an AWS account that have the potential of putting the data or the account at heightened security risk while expediting AWS audit request fulfillment.

AWS CloudTrail best practices for security and compliance

Although AWS provides CloudTrail to its customers as part of its security offering, cloud security’s shared responsibility model requires AWS customers to ensure that they are using CloudTrail to its fullest potential in order to minimize their security risk. To that end, below are 8 CloudTrail best practices that all AWS customers should be following.

1) Ensure CloudTrail is enabled across all AWS services globally

This is the first step needed to take advantage of CloudTrail. With global CloudTrail logging enabled, the trail generates logs for all AWS services, including those that are not region specific, such as IAM and CloudFront.

2) Turn on CloudTrail log file validation

When log file validation is turned on, any changes made to the log file itself after it has been delivered to the S3 bucket will be identifiable. This functionality provides an additional layer of protection and ensures the integrity of the log files.

3) Enable CloudTrail multi-region logging

The AWS API call history provided by CloudTrail allows security analysts to track resource changes, audit compliance, investigate incidents, and ensure security best practices are followed. By having CloudTrail enabled in all regions, organizations will be able to detect unexpected activity in otherwise unused regions.

4) Integrate CloudTrail with CloudWatch

CloudWatch can be used to monitor, store, and access log files from EC2 instances, CloudTrail, and other sources. With this integration, real-time and historic activity logging based on user, API, resource, and IP address is facilitated. It also supports setting up alarms and notifications for anomalous or inappropriate account activity.

5) Enable access logging for CloudTrail S3 buckets

CloudTrail S3 buckets contain the log data that is captured by CloudTrail, supporting activity monitoring and forensic investigations. By enabling access logging for CloudTrail S3 buckets, customers can track access requests and identify potentially unauthorized or unwarranted access attempts.

6) Require multi-factor authentication (MFA) to delete CloudTrail buckets

Once an AWS account has been compromised, one of the first steps the attacker will likely take is to delete CloudTrail logs to cover their tracks and delay detection. By requiring multi-factor authentication to delete an S3 bucket containing CloudTrail logs, the attacker will find it more difficult to remove the logs and remain hidden.

7) Restrict access to CloudTrail S3 bucket

Unrestricted access to CloudTrail logs should never be enabled for any user or administrator account. While most AWS users and admins will not have any malicious intent to cause harm, they are still susceptible to phishing attacks that could expose their account credentials and lead to an account compromise. Restricting access to CloudTrail logs will decrease the risk of unauthorized and unfettered access to the logs.

8) Encrypt CloudTrail log files at rest

In order to decrypt encrypted CloudTrail log files, a user must have decryption permission granted by the AWS KMS customer master key (CMK) policy along with permission to access the S3 buckets containing the logs. This means only users whose jobs require it should have both decryption permission and access permission to S3 buckets containing CloudTrail logs.
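The trail-level practices above (1 through 4 and 8) can be checked mechanically from the output of `aws cloudtrail describe-trails`. The following is an added example, not code from the original post or from McAfee; the field names are those of the real API response, while the two trails, the account ID and the key ARN are constructed placeholders.

```python
"""Audit CloudTrail trail settings against best practices 1-4 and 8 above."""
import json

# Constructed sample shaped like `aws cloudtrail describe-trails` output.
# One trail violates every check; the other is configured as recommended.
SAMPLE_TRAILS = json.loads("""{
  "trailList": [
    {"Name": "weak-trail", "S3BucketName": "example-weak-logs",
     "HomeRegion": "us-east-1", "IncludeGlobalServiceEvents": false,
     "IsMultiRegionTrail": false, "LogFileValidationEnabled": false},
    {"Name": "hardened-trail", "S3BucketName": "example-hardened-logs",
     "HomeRegion": "us-east-1", "IncludeGlobalServiceEvents": true,
     "IsMultiRegionTrail": true, "LogFileValidationEnabled": true,
     "CloudWatchLogsLogGroupArn":
       "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/logs:*",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}
  ]}""")

# finding name -> (predicate that is True when the trail FAILS, best-practice number)
CHECKS = {
    "global_service_events_off": (lambda t: not t.get("IncludeGlobalServiceEvents"), 1),
    "log_file_validation_off": (lambda t: not t.get("LogFileValidationEnabled"), 2),
    "single_region_trail": (lambda t: not t.get("IsMultiRegionTrail"), 3),
    "no_cloudwatch_integration": (lambda t: not t.get("CloudWatchLogsLogGroupArn"), 4),
    "logs_not_kms_encrypted": (lambda t: not t.get("KmsKeyId"), 8),
}


def audit_trail(trail):
    """Return the sorted names of the checks this trail fails."""
    return sorted(name for name, (fails, _) in CHECKS.items() if fails(trail))


def audit_account(describe_trails_output):
    """Map each trail name to its findings; no trail at all is itself a finding."""
    trails = describe_trails_output.get("trailList", [])
    if not trails:
        return {"<account>": ["cloudtrail_not_enabled"]}
    return {t["Name"]: audit_trail(t) for t in trails}


if __name__ == "__main__":
    for name, findings in audit_account(SAMPLE_TRAILS).items():
        practices = [CHECKS[f][1] for f in findings if f in CHECKS]
        print(f"{name}: {findings or 'OK'} (best practices {practices})")
```

Bucket-level practices (5 through 7) are not visible in describe-trails output and need the S3 bucket logging, versioning/MFA-delete and bucket policy calls instead.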


How CASBs Secure AWS

While Amazon offers a host of built-in security capabilities, giving enterprises the ability to enforce a wide range of security, compliance, and governance policies, the range of AWS settings to manage is deep and complex.

In sprawling AWS environments, it can be prohibitive from a resource standpoint to manually check security configurations and user permissions for potential risks, and next to impossible to sift through the events provided by AWS CloudTrail to uncover potential threats.

A cloud access security broker (CASB) helps automate the process of securing AWS, both the AWS platform and services and the custom applications you deploy in AWS. On the infrastructure side, a mature CASB can provide comprehensive threat protection, monitoring, auditing, and remediation to secure all your AWS accounts. What follows are some of the things a CASB enables you to do:

1) Analyze and audit AWS security configuration to ensure compliance and lower risk

While Amazon has provided a set of configurable controls to help protect an AWS account, it is entirely up to the customer to ensure these settings are configured appropriately, and any misconfiguration or change in configuration is identified and remediated in real-time. To that end, CASBs provide enterprises with the necessary security auditing that can automatically flag any security misconfiguration across all AWS accounts, including:

  • CloudTrail not enabled
  • Unrestricted access to CloudTrail S3 bucket
  • Unrestricted access to S3 buckets containing sensitive information
  • Multifactor authentication not required to delete a CloudTrail S3 bucket
  • Access logging not enabled for CloudTrail S3 bucket

2) Perform forensic investigations with a complete audit trail of user activity

CASBs provide complete and granular visibility into how users are using AWS, including root, IAM, and federated users. Using a CASB, an enterprise can readily detect (in real-time) creation, modification, or removal of AWS resources by any user.

Security analysts can view the entire audit trail and filter by activity type, user, geography, and other dimensions. In doing so, a CASB can dramatically accelerate post-incident investigations and decrease incident response time.

3) Detect compromised accounts, insider threats, and privileged access misuse across AWS

CASBs combine machine learning and user and entity behavior analytics (UEBA) to analyze cloud activity across multiple heuristics. This allows a CASB to develop a model for typical user behavior and detect anomalous activity patterns across AWS accounts and other cloud services that may be indicative of a threat.

For example, if a user generally logs into AWS from Austin, Texas, and one day they log in from Beijing, China in a time frame so short it would be impossible to travel, a CASB can highlight this event and flag it for further investigation.

CASBs can detect compromised accounts based on excessive failed login attempts, brute-force attacks, login attempts from untrusted or disparate locations, etc. CASBs also detect potential insider or privileged user threats by monitoring inappropriate escalation of privileges or repeated authorization failures. Machine learning makes it possible to detect these threats without configuring any rules or policies.
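The Austin-to-Beijing case above is an "impossible travel" check: the great-circle distance between two consecutive logins divided by the time between them gives a speed no traveller could reach. The following is an added example of that logic run over CloudTrail-style ConsoleLogin records, not code from the original post or from McAfee; the events, the IP-to-city table (documentation IP ranges) and the 1,000 km/h threshold are all constructed assumptions.

```python
"""Flag consecutive logins whose implied travel speed is not humanly possible."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 1000.0   # assumed threshold: faster than any commercial flight
EARTH_RADIUS_KM = 6371.0

# Constructed IP -> (city, latitude, longitude) table standing in for a GeoIP lookup.
GEO = {
    "203.0.113.10": ("Austin, Texas", 30.27, -97.74),
    "198.51.100.7": ("Beijing, China", 39.90, 116.40),
}

# Constructed ConsoleLogin events carrying only the CloudTrail fields the check needs.
EVENTS = [
    {"eventTime": "2017-07-21T09:00:00Z", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2017-07-21T11:00:00Z", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "198.51.100.7"},   # 2 hours later, other side of the globe
    {"eventTime": "2017-07-21T09:30:00Z", "userIdentity": {"userName": "bob"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2017-07-22T10:00:00Z", "userIdentity": {"userName": "bob"},
     "sourceIPAddress": "198.51.100.7"},   # a day later: a real flight could do this
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, geo=GEO, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_city, to_city, speed_kmh) for each login pair over the limit."""
    by_user, findings = {}, []
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        by_user.setdefault(ev["userIdentity"]["userName"], []).append(ev)
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            src, dst = geo.get(prev["sourceIPAddress"]), geo.get(cur["sourceIPAddress"])
            if not src or not dst or src[0] == dst[0]:
                continue   # unknown location or same city: nothing to compare
            hours = (parse_time(cur["eventTime"]) - parse_time(prev["eventTime"])).total_seconds() / 3600
            speed = haversine_km(src[1], src[2], dst[1], dst[2]) / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                findings.append((user, src[0], dst[0], round(speed)))
    return findings
```

The same pair of logins a day apart is not flagged, which is why the time window matters as much as the distance.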
