Protecting CloudTrail Logs
CloudTrail Logs in S3 Buckets
AWS CloudTrail is the service that records account activity and API usage in your AWS environment. It captures the API calls made through the console, the CLI, the SDKs and other AWS services, and delivers them as log files to an S3 bucket you designate. That bucket therefore holds a sensitive record of who did what in the account, and an attacker who can modify or delete those files can cover their tracks, so you need to protect both the bucket and the integrity of the logs stored in it.
To maximize the value of CloudTrail in your AWS environment, we recommend following these best practices:
- Enable CloudTrail in all Regions (a multi-Region trail) so that activity in every Region is recorded, not just the Region in which the trail was created.
- Enable log file integrity validation. CloudTrail then delivers digest files that contain the SHA-256 hash of every log file it delivered and are signed with CloudTrail's private key, so a log file that was modified or deleted after delivery can be detected.
- Store the logs in a dedicated S3 bucket with a restrictive bucket policy, and do not share that bucket with other data.
- Enable MFA Delete on the bucket, so that a user must present a second authentication factor before they can delete an object version or change the versioning state of the bucket. MFA Delete requires versioning and can only be enabled by the bucket owner's root user.
To learn more best practices, visit the AWS documentation on security in AWS CloudTrail.
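The "dedicated and protected bucket" item above is easiest to get wrong in the bucket policy. Below is an added example (not code from the original page or from AWS) that lints a CloudTrail bucket policy for the properties the list asks for: only the CloudTrail service principal may write, the write statement carries the `s3:x-amz-acl = bucket-owner-full-control` and `aws:SourceArn` conditions that AWS documents for CloudTrail delivery, nothing is granted to `Principal "*"`, and the resource policy hands out no delete or versioning/policy-change rights (those belong in IAM, behind MFA). The bucket name, account ID, trail ARN and both sample policies are constructed placeholders.

```python
"""Lint an S3 bucket policy used as a CloudTrail log destination.

Added example; the policies, bucket name, account ID and trail ARN below are
constructed placeholders, not real account data.
"""
import fnmatch

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail"  # placeholder
BUCKET_ARN = "arn:aws:s3:::example-cloudtrail-logs"                          # placeholder

# Actions that a log bucket's resource policy should never grant.
DESTRUCTIVE_ACTIONS = (
    "s3:DeleteObject", "s3:DeleteObjectVersion",
    "s3:PutBucketVersioning", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy",
)


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten Principal ("*" or {"AWS": ..., "Service": ...}) to a list of strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    out = []
    for value in principal.values():
        out.extend(_as_list(value))
    return out


def _grants(actions, wanted):
    """True if any action pattern (e.g. "s3:*", "*") covers the wanted action."""
    return any(fnmatch.fnmatch(wanted.lower(), pattern.lower()) for pattern in actions)


def lint_cloudtrail_bucket_policy(policy, trail_arn):
    """Return a list of findings; an empty list means the policy passed every check."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny statements only tighten the policy
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        principals = _principals(stmt)
        equals = stmt.get("Condition", {}).get("StringEquals", {})

        if "*" in principals:
            findings.append(f"{sid}: Allow to Principal '*' (public access)")

        if _grants(actions, "s3:PutObject"):
            if principals != [CLOUDTRAIL_SERVICE]:
                findings.append(f"{sid}: s3:PutObject granted to {principals}, "
                                f"expected only {CLOUDTRAIL_SERVICE}")
            if equals.get("s3:x-amz-acl") != "bucket-owner-full-control":
                findings.append(f"{sid}: PutObject lacks s3:x-amz-acl=bucket-owner-full-control")
            if trail_arn not in _as_list(equals.get("aws:SourceArn")):
                findings.append(f"{sid}: PutObject lacks aws:SourceArn={trail_arn} "
                                "(confused-deputy guard)")

        if any(_grants(actions, action) for action in DESTRUCTIVE_ACTIONS):
            findings.append(f"{sid}: resource policy grants destructive action(s) {actions}")
    return findings


# Constructed policy in the shape AWS documents for a CloudTrail bucket.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_SERVICE}, "Action": "s3:GetBucketAcl",
         "Resource": BUCKET_ARN,
         "Condition": {"StringEquals": {"aws:SourceArn": TRAIL_ARN}}},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_SERVICE}, "Action": "s3:PutObject",
         "Resource": f"{BUCKET_ARN}/AWSLogs/111122223333/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                        "aws:SourceArn": TRAIL_ARN}}},
    ],
}

# Constructed policy with the mistakes the linter is meant to catch.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OpenWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*"},
        {"Sid": "OpsCleanup", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/ops"},
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
         "Resource": f"{BUCKET_ARN}/*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_cloudtrail_bucket_policy(policy, TRAIL_ARN) or "OK")
```

Run it against the JSON returned by `aws s3api get-bucket-policy --bucket <name> --query Policy --output text` on the real bucket. The linter deliberately ignores Deny statements: they only restrict, and the common hardening of adding an explicit Deny on `s3:DeleteObjectVersion` for every principal except a break-glass role is compatible with all of these checks.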
CloudTrail is the tool you should be using to track every API call in your environment, and there are a few practices that go along with it. First, make sure it covers all Regions: a trail created for a single Region records activity only in that Region, so make it a multi-Region trail. Second, enable log file integrity validation, which has CloudTrail publish SHA-256 hashes of the delivered log files in signed digest files so that tampering can be detected. Third, send the logs to a dedicated S3 bucket that is locked down with a restrictive bucket policy and access controls. And lastly, enable MFA Delete on that bucket. With it, anyone who tries to delete an object version or turn off versioning has to authenticate with a second factor first, which protects the logs against both accidental deletion and a deliberate attempt to erase evidence.
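The second practice (log file integrity validation, in both the list and the paragraph above) is worth seeing in code. The example below is added here and is not code from the original page or from AWS: it reproduces, offline, the SHA-256 part of what `aws cloudtrail validate-logs` checks. Each digest file lists the log objects delivered in its window with the SHA-256 of each (gzipped) log object, and links to the previous digest through the SHA-256 of that digest's contents, forming a hash chain. The digest, log objects, bucket name and account ID are constructed. The RSA signature CloudTrail stores in the digest object's `x-amz-meta-signature` metadata is not verified here, because that needs the public key from `aws cloudtrail list-public-keys`; in practice use `validate-logs`, which checks both.

```python
"""Offline check of CloudTrail digest-file hashes (added example, not AWS code).

Models two of the checks CloudTrail's log file integrity validation makes:
  * every log object listed in a digest still hashes to the recorded SHA-256;
  * the digest's previousDigestHashValue matches the SHA-256 of the previous digest.
The digest signature is not checked (needs CloudTrail's public key).
All sample data below is constructed.
"""
import gzip
import hashlib
import json
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(digest: dict, objects: Dict[str, bytes],
                  previous_digest_bytes: Optional[bytes]) -> Tuple[bool, List[str]]:
    """Check every log file in `digest` and its link to the previous digest.

    `objects` maps "bucket/key" to the raw bytes stored in S3 (the .json.gz object).
    Returns (ok, findings); findings is empty when everything verified.
    """
    findings = []
    for entry in digest["logFiles"]:
        key = f'{entry["s3Bucket"]}/{entry["s3Object"]}'
        if entry.get("hashAlgorithm") != "SHA-256":
            findings.append(f"{key}: unexpected hashAlgorithm {entry.get('hashAlgorithm')!r}")
            continue
        blob = objects.get(key)
        if blob is None:
            findings.append(f"{key}: listed in digest but object is missing (deleted?)")
        elif sha256_hex(blob) != entry["hashValue"]:
            findings.append(f"{key}: SHA-256 mismatch (modified after delivery?)")

    # Chain link: the first digest of a trail has previousDigestHashValue = null.
    expected_prev = digest.get("previousDigestHashValue")
    if expected_prev is not None:
        if previous_digest_bytes is None:
            findings.append("previous digest not available: chain cannot be verified")
        elif sha256_hex(previous_digest_bytes) != expected_prev:
            findings.append("previous digest hash mismatch: chain broken")
    return (not findings, findings)


def _build_sample():
    """Construct two gzipped log objects, a previous digest and the current digest."""
    bucket, account = "example-cloudtrail-logs", "111122223333"   # placeholders
    prefix = f"AWSLogs/{account}/CloudTrail/us-east-1/2024/01/01/"
    # Log contents are constructed; a StopLogging call is exactly what an attacker would hide.
    log_a = gzip.compress(json.dumps({"Records": [
        {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging"}]}).encode(), mtime=0)
    log_b = gzip.compress(json.dumps({"Records": [
        {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser"}]}).encode(), mtime=0)
    objects = {f"{bucket}/{prefix}{account}_CloudTrail_us-east-1_a.json.gz": log_a,
               f"{bucket}/{prefix}{account}_CloudTrail_us-east-1_b.json.gz": log_b}

    previous_digest_bytes = json.dumps({"awsAccountId": account, "logFiles": [],
                                        "previousDigestHashValue": None}).encode()
    digest = {
        "awsAccountId": account,
        "digestS3Bucket": bucket,
        "previousDigestHashValue": sha256_hex(previous_digest_bytes),
        "logFiles": [
            {"s3Bucket": bucket, "s3Object": key.split("/", 1)[1],
             "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(blob)}
            for key, blob in sorted(objects.items())
        ],
    }
    return digest, objects, previous_digest_bytes


def check_clean() -> Tuple[bool, List[str]]:
    """Untouched bucket: every hash and the chain link verify."""
    return verify_digest(*_build_sample())


def check_tampered() -> Tuple[bool, List[str]]:
    """Attacker rewrites the log holding StopLogging and deletes the other one."""
    digest, objects, previous = _build_sample()
    key_a, key_b = sorted(objects)
    objects[key_a] = gzip.compress(b'{"Records": []}', mtime=0)
    del objects[key_b]
    return verify_digest(digest, objects, previous)


if __name__ == "__main__":
    print("clean:   ", check_clean())
    print("tampered:", check_tampered())
```

Without MFA Delete and a tight bucket policy, an attacker with write access can delete the digest objects as well as the logs, so the chain check above reports "previous digest not available" rather than proving anything; the hash chain makes tampering detectable, and the bucket controls make it hard. Note also that CloudTrail only ever creates new objects: an `s3:PutObject` overwrite of an existing log key in the CloudTrail data events is itself a signal worth alerting on.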