Logging Security How-To Guides
Find AWS CloudTrail Trails Not Encrypted with KMS Keys
By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS-managed keys (SSE-KMS) for your CloudTrail log files.
Find AWS CloudTrail Trails with Logging Disabled
Sending AWS CloudTrail events to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address, and makes it possible to establish alarms and notifications for anomalous or sensitive account activity.
Find AWS CloudTrail Trails with No Log Events
Sending AWS CloudTrail events to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address, and makes it possible to establish alarms and notifications for anomalous or sensitive account activity.
Find AWS CloudTrail Trails with Public S3 Buckets
Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.
Find AWS CloudTrail Trails with S3 Bucket Access Logging Disabled
Server access logs can assist you in security and access audits, help you learn about your customer base, and understand your Amazon S3 bill.
Find AWS CloudTrail Trails Without Log File Validation Enabled
Enabling log file validation will provide additional integrity checking of CloudTrail logs.
Find AWS KMS Keys Without Rotation Enabled
Cryptographic best practices discourage extensive reuse of encryption keys. Consequently, AWS KMS keys should be rotated to prevent usage of compromised keys.
Find AWS Regions Not Monitored by CloudTrail
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.
Find AWS Regions with CloudTrail Object-Level Logging for S3 Read Events Disabled
If logs are not enabled, monitoring of service use and threat analysis is not possible.
Find AWS Regions Where CloudTrail Object-Level Logging for S3 Write Events Is Disabled
If logs are not enabled, monitoring of service use and threat analysis is not possible.
Find AWS Regions Without AWS Config Enabled
The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking and compliance auditing.
Find AWS VPCs Without EC2 Flow Logging Enabled
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or to provide insight during security workflows.