CloudTrail is an AWS service that records the API calls made in an AWS account, whether they originate from the AWS Management Console, the SDKs, the command line tools or other AWS services. This capability allows SM8 to continuously monitor AWS activity for compliance auditing and for post-incident forensic investigation.
CloudTrail delivers the generated log files to an S3 bucket. If an attacker gains access to an AWS account, one of the first things they do is stop CloudTrail logging and delete the existing log files, so the trail and its bucket need to be hardened as well as enabled. To get the full benefit of CloudTrail:
- Enable CloudTrail in all regions (a multi-region trail) and for all AWS services, including global services such as IAM and STS, so there are no gaps in activity monitoring.
- Turn on CloudTrail log file validation. CloudTrail then delivers signed digest files alongside the logs, so any modification or deletion of a log file after it has been delivered to the S3 bucket can be detected, which preserves the integrity and evidentiary value of the logs.
- Enable S3 server access logging on the CloudTrail bucket so that every read, write and delete request against the log files is recorded and unauthorized or unexpected access attempts can be identified.
- Enable MFA Delete on the CloudTrail S3 bucket (a bucket versioning setting that requires an MFA code to delete a log file version or change the bucket's versioning state), and encrypt all CloudTrail log files in transit (TLS) and at rest, preferably with SSE-KMS and a customer-managed key rather than the default SSE-S3 encryption.
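As an added example (not code from the original page or from AWS), the script below checks a trail against the four recommendations above and flags the API calls an intruder typically makes first: stopping the trail or deleting the log bucket. The input dictionaries use the field names that the AWS CLI and boto3 return for `describe-trails`, `get-trail-status`, `get-bucket-versioning` and `get-bucket-logging`, and for raw CloudTrail event records, but every value here is constructed inline so the script runs offline; the trail name, bucket names and account number are placeholders.

```python
# Added example: offline posture check for a CloudTrail trail plus a detector
# for trail-tampering API calls. Not AWS's code. Dict shapes mirror the AWS
# CLI / boto3 responses named in the lead-in; all sample data is constructed.

# API calls that stop, weaken or destroy the audit trail. A starting point,
# not an exhaustive list.
TAMPER_CALLS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail",
                                 "PutEventSelectors"},
    "s3.amazonaws.com": {"DeleteBucket", "DeleteBucketPolicy", "PutBucketLifecycle",
                         "PutBucketVersioning", "DeleteObject"},
}


def audit_trail(trail, status, versioning, logging):
    """Return a list of findings; an empty list means all recommendations are met."""
    findings = []
    if not status.get("IsLogging"):
        findings.append("trail is not logging (stopped or never started)")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("single-region trail: activity in other regions is not recorded")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events (IAM, STS, CloudFront) are excluded")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation off: no signed digests to prove integrity")
    if not trail.get("KmsKeyId"):
        findings.append("no KmsKeyId: logs use default SSE-S3, not a customer-managed KMS key")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete not enabled on the log bucket")
    if "LoggingEnabled" not in logging:
        findings.append("S3 server access logging off for the log bucket")
    return findings


def detect_tampering(events, trail_name, bucket_name):
    """Return (eventName, caller ARN) for calls that target this trail or its bucket."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in TAMPER_CALLS.get(ev.get("eventSource"), set()):
            continue
        params = ev.get("requestParameters") or {}
        if ev["eventSource"] == "s3.amazonaws.com":
            matched = params.get("bucketName") == bucket_name
        else:
            # CloudTrail calls take the trail name or its ARN (".../trail/<name>").
            matched = params.get("name", "").split("/")[-1] == trail_name
        if matched:
            hits.append((ev["eventName"], ev["userIdentity"]["arn"]))
    return hits


# Constructed sample data (placeholder names and account number).
SAMPLE_TRAIL = {
    "Name": "org-trail",
    "S3BucketName": "example-cloudtrail-logs",
    "IsMultiRegionTrail": True,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": False,   # recommendation 2 not met
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000",
}
SAMPLE_STATUS = {"IsLogging": True}
SAMPLE_VERSIONING = {"Status": "Enabled", "MFADelete": "Disabled"}   # recommendation 4 not met
SAMPLE_LOGGING = {"LoggingEnabled": {"TargetBucket": "example-access-logs",
                                     "TargetPrefix": "trail/"}}

SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "requestParameters": {"bucketName": "example-cloudtrail-logs"},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "requestParameters": {"bucketName": "unrelated-bucket"},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/cleanup"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "requestParameters": {},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"}},
]

if __name__ == "__main__":
    for finding in audit_trail(SAMPLE_TRAIL, SAMPLE_STATUS, SAMPLE_VERSIONING, SAMPLE_LOGGING):
        print("FINDING:", finding)
    for name, who in detect_tampering(SAMPLE_EVENTS, "org-trail", "example-cloudtrail-logs"):
        print("TAMPER :", name, "by", who)
```

Against the sample data the audit reports two findings (validation off, MFA Delete off) and the detector flags the `StopLogging` and `PutBucketLifecycle` calls while ignoring the `DeleteBucket` on an unrelated bucket and the `RunInstances` call. To run it for real, replace the sample dictionaries with the responses from the four API calls named in the lead-in and feed the detector the records from the delivered log files or a CloudWatch Logs subscription; a lifecycle rule on the log bucket is worth flagging because it is a quieter way to make logs expire than deleting them outright.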