

# Security Hub CSPM controls for Amazon CloudTrail
<a name="cloudtrail-controls"></a>

These Amazon Security Hub CSPM controls evaluate the Amazon CloudTrail service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events
<a name="cloudtrail-1"></a>

**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/3.1, CIS Amazon Foundations Benchmark v1.2.0/2.1, CIS Amazon Foundations Benchmark v1.4.0/3.1, CIS Amazon Foundations Benchmark v3.0.0/3.1, NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-14(1), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), NIST.800-53.r5 SA-8(22)

**Category:** Identify > Logging

**Severity:** High

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/multi-region-cloudtrail-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/multi-region-cloudtrail-enabled.html)

**Schedule type:** Periodic

**Parameters:**
+ `readWriteType`: `ALL` (not customizable)
+ `includeManagementEvents`: `true` (not customizable)

This control checks whether there is at least one multi-Region Amazon CloudTrail trail that captures read and write management events. The control fails if CloudTrail logging is turned off or if there isn't at least one multi-Region trail that captures both read and write management events.

Amazon CloudTrail records Amazon API calls for your account and delivers log files to you. Each recorded event includes the following information:
+ Identity of the API caller
+ Time of the API call
+ Source IP address of the API caller
+ Request parameters
+ Response elements returned by the Amazon Web Services service

CloudTrail provides a history of Amazon API calls for an account, including API calls made from the Amazon Web Services Management Console, the Amazon SDKs, and command line tools. The history also includes API calls made on your behalf by higher-level Amazon Web Services services such as Amazon CloudFormation.

The Amazon API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Multi-Region trails also provide the following benefits:
+ A multi-Region trail helps to detect unexpected activity in Regions that you don't otherwise use.
+ A multi-Region trail has global service event logging enabled by default. Global service event logging records events generated by Amazon global services.
+ Capturing both read and write management events on a multi-Region trail ensures that CloudTrail records management operations on all resources in an Amazon Web Services account.

By default, CloudTrail trails that are created using the Amazon Web Services Management Console are multi-Region trails.
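The following Python script, added here as an illustration rather than code from Security Hub CSPM or the Amazon Config rule, applies the same test as this control to the responses of the CloudTrail `DescribeTrails`, `GetTrailStatus`, and `GetEventSelectors` API operations. The trail names, selectors, and statuses are constructed sample data; in practice you would feed it the output of those calls for the account. It handles both basic event selectors and advanced event selectors, where management events are selected with `eventCategory` equal to `Management` and an optional `readOnly` field selector narrows the selector to reads or writes.

```python
from typing import Dict, List

# Constructed sample data for this example. The shapes follow the responses
# of DescribeTrails (TRAILS), GetTrailStatus (STATUS) and GetEventSelectors
# (SELECTORS); the trail names and settings are made up.
TRAILS = [
    {"Name": "regional-audit", "HomeRegion": "cn-north-1", "IsMultiRegionTrail": False},
    {"Name": "read-only-mgmt", "HomeRegion": "cn-north-1", "IsMultiRegionTrail": True},
    {"Name": "org-trail", "HomeRegion": "cn-north-1", "IsMultiRegionTrail": True},
]
STATUS = {
    "regional-audit": {"IsLogging": True},
    "read-only-mgmt": {"IsLogging": True},
    "org-trail": {"IsLogging": True},
}
SELECTORS = {
    # Basic selector: reads and writes, management events included.
    "regional-audit": {"EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    # Basic selector that only captures read operations.
    "read-only-mgmt": {"EventSelectors": [
        {"ReadWriteType": "ReadOnly", "IncludeManagementEvents": True}]},
    # Advanced selector: eventCategory = Management with no readOnly
    # restriction, which means both reads and writes.
    "org-trail": {"AdvancedEventSelectors": [
        {"Name": "Management events", "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Management"]}]}]},
}


def captures_rw_management(selectors: Dict) -> bool:
    """True if a GetEventSelectors response covers read and write management events."""
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All":
            return True
    covered = set()
    for sel in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if "Management" not in fields.get("eventCategory", {}).get("Equals", []):
            continue
        read_only = fields.get("readOnly")
        if read_only is None:
            return True  # no readOnly restriction: reads and writes
        covered.update(read_only.get("Equals", []))
    # Two selectors, one with readOnly=true and one with readOnly=false,
    # together cover both directions.
    return {"true", "false"} <= covered


def evaluate_cloudtrail_1(trails: List[Dict], status_by_name: Dict[str, Dict],
                          selectors_by_name: Dict[str, Dict]) -> Dict:
    """Pass if at least one multi-Region trail is logging and captures
    read and write management events; otherwise fail, as the control does."""
    compliant = [
        t["Name"] for t in trails
        if t.get("IsMultiRegionTrail")
        and status_by_name.get(t["Name"], {}).get("IsLogging")
        and captures_rw_management(selectors_by_name.get(t["Name"], {}))
    ]
    return {"status": "PASSED" if compliant else "FAILED", "compliant_trails": compliant}


if __name__ == "__main__":
    print(evaluate_cloudtrail_1(TRAILS, STATUS, SELECTORS))
```

A trail passes only if it is multi-Region, currently logging, and its selectors cover both reads and writes; a trail whose reads and writes are split across two advanced selectors also passes. Because `DescribeTrails` returns shadow copies of a multi-Region trail in every Region by default, run the evaluation against the trail's home Region so that one trail isn't counted several times.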

### Remediation
<a name="cloudtrail-1-remediation"></a>

To create a new multi-Region trail in CloudTrail, see [Creating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html) in the *Amazon CloudTrail User Guide*. Use the following values:


| Field | Value | 
| --- | --- | 
|  Additional settings, Log file validation  |  Enabled  | 
|  Choose log events, Management events, API activity  |  **Read** and **Write**. Clear check boxes for exclusions.  | 

To update an existing trail, see [Updating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.html) in the *Amazon CloudTrail User Guide*. In **Management events**, for **API activity**, choose **Read** and **Write**.

## [CloudTrail.2] CloudTrail should have encryption at-rest enabled
<a name="cloudtrail-2"></a>

**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/3.5, CIS Amazon Foundations Benchmark v1.2.0/2.7, CIS Amazon Foundations Benchmark v1.4.0/3.7, CIS Amazon Foundations Benchmark v3.0.0/3.5, NIST.800-53.r5 AU-9, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6), NIST.800-171.r2 3.3.8, PCI DSS v3.2.1/3.4, PCI DSS v4.0.1/10.3.2

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::CloudTrail::Trail`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloud-trail-encryption-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/cloud-trail-encryption-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether CloudTrail is configured to encrypt its log files with server-side encryption using Amazon KMS keys (SSE-KMS). The control fails if the `KmsKeyId` property of the trail isn't defined.

By default, the log files that CloudTrail delivers to your bucket are encrypted with [Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3)](https://docs.amazonaws.cn/AmazonS3/latest/dev/UsingServerSideEncryption.html). For an added layer of protection for sensitive CloudTrail log files, use [server-side encryption with Amazon KMS keys (SSE-KMS)](https://docs.amazonaws.cn/AmazonS3/latest/dev/UsingKMSEncryption.html) for encryption at rest instead, which puts the key policy, and therefore who can decrypt the logs, under your control.

### Remediation
<a name="cloudtrail-2-remediation"></a>

To enable SSE-KMS encryption for CloudTrail log files, see [Update a trail to use a KMS key](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail-update-trail.html#kms-key-policy-update-trail) in the *Amazon CloudTrail User Guide*. The key policy must allow the CloudTrail service principal to generate data keys with the key, and must allow the principals that read the logs to decrypt with it; CloudTrail rejects the trail update if the key policy doesn't grant it that permission.

## [CloudTrail.3] At least one CloudTrail trail should be enabled
<a name="cloudtrail-3"></a>

**Related requirements:** NIST.800-171.r2 3.3.1, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7, PCI DSS v3.2.1/10.1, PCI DSS v3.2.1/10.2.1, PCI DSS v3.2.1/10.2.2, PCI DSS v3.2.1/10.2.3, PCI DSS v3.2.1/10.2.4, PCI DSS v3.2.1/10.2.5, PCI DSS v3.2.1/10.2.6, PCI DSS v3.2.1/10.2.7, PCI DSS v3.2.1/10.3.1, PCI DSS v3.2.1/10.3.2, PCI DSS v3.2.1/10.3.3, PCI DSS v3.2.1/10.3.4, PCI DSS v3.2.1/10.3.5, PCI DSS v3.2.1/10.3.6, PCI DSS v4.0.1/10.2.1

**Category:** Identify > Logging

**Severity:** High

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudtrail-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudtrail-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an Amazon CloudTrail trail is enabled in your Amazon Web Services account. The control fails if your account doesn't have at least one CloudTrail trail enabled.

However, some Amazon services don't log all of their APIs and events to CloudTrail. Review the documentation for each service in [CloudTrail Supported Services and Integrations](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html) and implement additional audit trails where CloudTrail coverage is incomplete.

### Remediation
<a name="cloudtrail-3-remediation"></a>

To get started with CloudTrail and create a trail, see the [Getting started with Amazon CloudTrail tutorial](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-tutorial.html) in the *Amazon CloudTrail User Guide*.

## [CloudTrail.4] CloudTrail log file validation should be enabled
<a name="cloudtrail-4"></a>

**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/3.2, CIS Amazon Foundations Benchmark v1.2.0/2.2, CIS Amazon Foundations Benchmark v1.4.0/3.2, CIS Amazon Foundations Benchmark v3.0.0/3.2, NIST.800-53.r5 AU-9, NIST.800-53.r5 SI-4, NIST.800-53.r5 SI-7(1), NIST.800-53.r5 SI-7(3), NIST.800-53.r5 SI-7(7), NIST.800-171.r2 3.3.8, PCI DSS v3.2.1/10.5.2, PCI DSS v3.2.1/10.5.5, PCI DSS v4.0.1/10.3.2

**Category:** Data protection > Data integrity

**Severity:** Low

**Resource type:** `AWS::CloudTrail::Trail`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloud-trail-log-file-validation-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/cloud-trail-log-file-validation-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether log file integrity validation is enabled on a CloudTrail trail.

CloudTrail log file validation creates a digitally signed digest file that contains a hash of each log that CloudTrail writes to Amazon S3. You can use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log.

Security Hub CSPM recommends that you enable file validation on all trails. Log file validation provides additional integrity checks of CloudTrail logs.
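The following Python example, added here and not taken from CloudTrail or the Security Hub CSPM documentation, shows what log file validation gives an investigator: each digest records a SHA-256 hash of every log file it covers and of the previous digest, so a modified, deleted, or missing file shows up when the chain is walked backwards from the newest digest. The bucket contents, object keys, and digests are constructed (and unsigned) sample data; the field names follow the CloudTrail digest file structure. Two assumptions to confirm against the digest file reference for your trail: the hashes here are computed over the object bytes exactly as passed in, and the sample omits the RSA signature (`SHA256withRSA`) that a real digest carries.

```python
import hashlib
import json
from typing import Dict, List, Optional

BUCKET = "example-cloudtrail-logs"  # assumed bucket name for the constructed sample


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(log_objects: Dict[str, bytes], digest_key: str,
                 previous_key: Optional[str], previous_bytes: Optional[bytes]) -> Dict:
    """Construct a digest in the shape CloudTrail delivers. Signature fields are
    left empty: CloudTrail signs digests with a private key that is not
    available offline, so this constructed sample cannot be signed."""
    return {
        "awsAccountId": "111122223333",
        "digestS3Bucket": BUCKET,
        "digestS3Object": digest_key,
        "digestSignatureAlgorithm": "SHA256withRSA",
        "digestPublicKeyFingerprint": None,
        "previousDigestS3Bucket": BUCKET if previous_key else None,
        "previousDigestS3Object": previous_key,
        "previousDigestHashAlgorithm": "SHA-256" if previous_key else None,
        "previousDigestHashValue": sha256_hex(previous_bytes) if previous_bytes else None,
        "previousDigestSignature": None,
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": key,
             "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(content)}
            for key, content in sorted(log_objects.items())
        ],
    }


def build_sample_store() -> Dict[str, bytes]:
    """Constructed bucket contents: three log files covered by a two-digest chain."""
    store: Dict[str, bytes] = {
        "logs/0001.json": b'{"Records":[{"eventName":"ConsoleLogin"}]}',
        "logs/0002.json": b'{"Records":[{"eventName":"CreateUser"}]}',
        "logs/0003.json": b'{"Records":[{"eventName":"StopLogging"}]}',
    }
    d1 = build_digest({k: store[k] for k in ("logs/0001.json", "logs/0002.json")},
                      "digests/d1.json", None, None)
    store["digests/d1.json"] = json.dumps(d1, sort_keys=True).encode()
    d2 = build_digest({"logs/0003.json": store["logs/0003.json"]},
                      "digests/d2.json", "digests/d1.json", store["digests/d1.json"])
    store["digests/d2.json"] = json.dumps(d2, sort_keys=True).encode()
    return store


def verify_chain(store: Dict[str, bytes], newest_digest_key: str) -> List[str]:
    """Walk the digest chain backwards from the newest digest and report every
    log file or digest that is missing or whose bytes no longer match the
    recorded hash. An empty list means the chain is intact."""
    problems: List[str] = []
    key: Optional[str] = newest_digest_key
    while key:
        raw = store.get(key)
        if raw is None:
            problems.append(f"digest missing: {key}")
            break
        digest = json.loads(raw)
        for entry in digest["logFiles"]:
            content = store.get(entry["s3Object"])
            if content is None:
                problems.append(f"log file missing: {entry['s3Object']}")
            elif sha256_hex(content) != entry["hashValue"]:
                problems.append(f"log file modified: {entry['s3Object']}")
        prev_key = digest.get("previousDigestS3Object")
        prev_raw = store.get(prev_key) if prev_key else None
        if prev_raw is not None and sha256_hex(prev_raw) != digest["previousDigestHashValue"]:
            problems.append(f"digest modified: {prev_key}")
        key = prev_key
    return problems


if __name__ == "__main__":
    store = build_sample_store()
    print("intact:", verify_chain(store, "digests/d2.json"))
    store["logs/0003.json"] = b'{"Records":[]}'
    print("tampered:", verify_chain(store, "digests/d2.json"))
```

Without the signature check, the chain only proves internal consistency: an adversary with write access to the bucket could rewrite every digest to match altered logs. Verify the newest digest's signature with the public key returned by `ListPublicKeys` before trusting the chain, or run `aws cloudtrail validate-logs`, which performs the complete check including signatures.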

### Remediation
<a name="cloudtrail-4-remediation"></a>

To enable CloudTrail log file validation, see [Enabling log file integrity validation for CloudTrail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html) in the *Amazon CloudTrail User Guide*.

## [CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs
<a name="cloudtrail-5"></a>

**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/3.4, PCI DSS v3.2.1/10.5.3, CIS Amazon Foundations Benchmark v1.2.0/2.4, CIS Amazon Foundations Benchmark v1.4.0/3.4, NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(1), NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-6(5), NIST.800-53.r5 AU-7(1), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-20, NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-4(5), NIST.800-53.r5 SI-7(8)

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::CloudTrail::Trail`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloud-trail-cloud-watch-logs-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/cloud-trail-cloud-watch-logs-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether CloudTrail trails are configured to send logs to CloudWatch Logs. The control fails if the `CloudWatchLogsLogGroupArn` property of the trail is empty.

CloudTrail records Amazon API calls that are made in a given account. The recorded information includes the following:
+ The identity of the API caller
+ The time of the API call
+ The source IP address of the API caller
+ The request parameters
+ The response elements returned by the Amazon Web Services service

CloudTrail uses Amazon S3 for log file storage and delivery. You can capture CloudTrail logs in a specified S3 bucket for long-term analysis. To perform real-time analysis, you can configure CloudTrail to send logs to CloudWatch Logs.

For a trail that is enabled in all Regions in an account, CloudTrail sends log files from all of those Regions to a CloudWatch Logs log group.

Security Hub CSPM recommends that you send CloudTrail logs to CloudWatch Logs. This recommendation is intended to ensure that account activity is captured, monitored, and appropriately alarmed on. CloudWatch Logs is one way to do that with Amazon Web Services services; the recommendation doesn't preclude the use of a different solution.

Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historical activity analysis by user, API, resource, and IP address. You can use this approach to establish alarms and notifications for anomalous or sensitive account activity.
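As an added example (not a configuration from this page or the CloudTrail User Guide), the following Python script shows the kind of detection that becomes possible once CloudTrail events flow into CloudWatch Logs: it scans CloudTrail records for calls that stop, delete, or reconfigure a trail, which is the activity an attacker uses to blind the audit log. The log lines, principals, and trail names are constructed sample data, and `METRIC_FILTER_PATTERN` is the assumed CloudWatch Logs metric filter pattern that would express the same rule on the log group.

```python
import json
from typing import Dict, List

# API calls that silence or weaken a trail.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Assumed CloudWatch Logs metric filter pattern expressing the same rule on a
# log group that receives one CloudTrail record per log event.
METRIC_FILTER_PATTERN = (
    "{ ($.eventSource = cloudtrail.amazonaws.com) && "
    "(($.eventName = StopLogging) || ($.eventName = DeleteTrail) || "
    "($.eventName = UpdateTrail) || ($.eventName = PutEventSelectors)) }"
)


def _record(**fields) -> str:
    """Serialize one constructed CloudTrail record as a log line."""
    base = {"eventVersion": "1.08", "awsRegion": "cn-north-1", "eventType": "AwsApiCall"}
    base.update(fields)
    return json.dumps(base)


# Constructed sample log lines, not real account activity.
SAMPLE_LOG_LINES = [
    _record(eventTime="2024-05-01T10:00:00Z", eventSource="cloudtrail.amazonaws.com",
            eventName="DescribeTrails", sourceIPAddress="203.0.113.10",
            userIdentity={"type": "IAMUser", "arn": "arn:aws-cn:iam::111122223333:user/alice"},
            requestParameters={"includeShadowTrails": True}),
    _record(eventTime="2024-05-01T10:02:13Z", eventSource="cloudtrail.amazonaws.com",
            eventName="StopLogging", sourceIPAddress="198.51.100.7",
            userIdentity={"type": "IAMUser", "arn": "arn:aws-cn:iam::111122223333:user/alice"},
            requestParameters={"name": "org-trail"}),
    _record(eventTime="2024-05-01T10:02:40Z", eventSource="cloudtrail.amazonaws.com",
            eventName="DeleteTrail", sourceIPAddress="198.51.100.7",
            userIdentity={"type": "AssumedRole",
                          "arn": "arn:aws-cn:sts::111122223333:assumed-role/ci-deploy/build-42"},
            requestParameters=None, errorCode="AccessDenied",
            errorMessage="User is not authorized to perform: cloudtrail:DeleteTrail"),
    _record(eventTime="2024-05-01T10:03:00Z", eventSource="s3.amazonaws.com",
            eventName="PutObject", sourceIPAddress="203.0.113.10",
            userIdentity={"type": "IAMUser", "arn": "arn:aws-cn:iam::111122223333:user/alice"},
            requestParameters={"bucketName": "example-cloudtrail-logs"}),
    "not a json record",
]


def detect_trail_tampering(log_lines) -> List[Dict]:
    """Return one finding per CloudTrail API call that stops, deletes, or
    reconfigures a trail. Denied attempts are included and marked
    succeeded=False because the attempt itself is a signal."""
    findings: List[Dict] = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a metric filter skips non-matching lines the same way
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if rec.get("eventName") not in TRAIL_TAMPER_EVENTS:
            continue
        findings.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec["eventName"],
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "trail": (rec.get("requestParameters") or {}).get("name"),
            "succeeded": "errorCode" not in rec,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_trail_tampering(SAMPLE_LOG_LINES):
        print(finding)
```

Denied attempts are reported too, because a failed `DeleteTrail` from an unexpected principal is itself worth an alarm. On the CloudWatch side, attach a metric filter with that pattern to the trail's log group and alarm on the resulting metric whenever it is greater than zero.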

### Remediation
<a name="cloudtrail-5-remediation"></a>

To integrate CloudTrail with CloudWatch Logs, see [Sending events to CloudWatch Logs](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html) in the *Amazon CloudTrail User Guide*.

## [CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
<a name="cloudtrail-6"></a>

**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/2.3, CIS Amazon Foundations Benchmark v1.4.0/3.3, PCI DSS v4.0.1/1.4.4

**Category:** Identify > Logging

**Severity:** Critical

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic and change triggered

**Parameters:** None

CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. CIS recommends that the bucket policy and access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account's use or configuration.

To run this check, Security Hub CSPM first uses custom logic to look for the S3 bucket where your CloudTrail logs are stored. It then uses the Amazon Config managed rules to check whether that bucket is publicly accessible.

If you aggregate your logs into a single centralized S3 bucket, then Security Hub CSPM only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is **No data**.

If the bucket is publicly accessible, the check generates a failed finding.
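The following Python example, added here rather than taken from the Security Hub CSPM rule logic, approximates the public-access test for a CloudTrail bucket from three inputs: the bucket's Block Public Access settings (as returned by `GetPublicAccessBlock`), its bucket policy, and its ACL grants (as returned by `GetBucketAcl`). The bucket name, account ID, trail ARN, and policies are constructed sample data; the CloudTrail bucket policy follows the shape the CloudTrail User Guide uses for log delivery, with a service principal rather than a public one.

```python
from typing import Dict, List

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample inputs for this example.
PAB_ALL_ON = {k: True for k in PAB_SETTINGS}
PAB_ALL_OFF = {k: False for k in PAB_SETTINGS}
OWNER_ONLY_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "a1b2c3"}, "Permission": "FULL_CONTROL"}]
PUBLIC_READ_ACL = OWNER_ONLY_ACL + [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
TRAIL_ARN = "arn:aws-cn:cloudtrail:cn-north-1:111122223333:trail/org-trail"
BUCKET_ARN = "arn:aws-cn:s3:::example-cloudtrail-logs"

# Bucket policy of the shape CloudTrail needs for log delivery.
CLOUDTRAIL_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": BUCKET_ARN,
         "Condition": {"StringEquals": {"aws:SourceArn": TRAIL_ARN}}},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/AWSLogs/111122223333/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                        "aws:SourceArn": TRAIL_ARN}}},
    ],
}
# The misconfiguration this control is looking for.
WORLD_READABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}],
}


def principal_is_wildcard(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def evaluate_bucket_exposure(pab: Dict[str, bool], policy: Dict, acl_grants: List[Dict]) -> Dict:
    """Classify a bucket as PUBLIC, REVIEW or NOT_PUBLIC from its Block Public
    Access settings, bucket policy and ACL grants."""
    if all(pab.get(k) for k in PAB_SETTINGS):
        return {"status": "NOT_PUBLIC", "reasons": ["all four Block Public Access settings are enabled"]}
    public: List[str] = []
    review: List[str] = []
    # Public ACL grants are neutralised when IgnorePublicAcls is on.
    if not pab.get("IgnorePublicAcls"):
        for grant in acl_grants:
            grantee = grant.get("Grantee", {})
            if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
                public.append(f"ACL grants {grant.get('Permission')} to {grantee['URI'].rsplit('/', 1)[-1]}")
    # Public policy statements are neutralised when RestrictPublicBuckets is on.
    if not pab.get("RestrictPublicBuckets"):
        for stmt in policy.get("Statement", []):
            if stmt.get("Effect") != "Allow" or not principal_is_wildcard(stmt.get("Principal")):
                continue
            sid = stmt.get("Sid", "<no Sid>")
            if stmt.get("Condition"):
                review.append(f"statement {sid} allows Principal * under a Condition")
            else:
                public.append(f"statement {sid} allows Principal * with no Condition")
    status = "PUBLIC" if public else ("REVIEW" if review else "NOT_PUBLIC")
    return {"status": status, "reasons": public + review}


if __name__ == "__main__":
    print(evaluate_bucket_exposure(PAB_ALL_OFF, CLOUDTRAIL_BUCKET_POLICY, OWNER_ONLY_ACL))
    print(evaluate_bucket_exposure(PAB_ALL_OFF, WORLD_READABLE_POLICY, PUBLIC_READ_ACL))
```

The classifier is deliberately conservative: a wildcard principal under a `Condition` is flagged for review rather than declared public, because whether such a statement counts as public depends on the condition keys it uses. For the authoritative answer use `GetBucketPolicyStatus`, which returns S3's own `IsPublic` determination, and enable all four Block Public Access settings, which short-circuit the whole evaluation.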

### Remediation
<a name="cloudtrail-6-remediation"></a>

To block public access to your CloudTrail S3 bucket, see [Configuring block public access settings for your S3 buckets](https://docs.amazonaws.cn/AmazonS3/latest/userguide/configuring-block-public-access-bucket.html) in the *Amazon Simple Storage Service User Guide*. Select all four Amazon S3 Block Public Access Settings.

## [CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
<a name="cloudtrail-7"></a>

**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/2.6, CIS Amazon Foundations Benchmark v1.4.0/3.6, CIS Amazon Foundations Benchmark v3.0.0/3.4, PCI DSS v4.0.1/10.2.1

**Category:** Identify > Logging

**Severity:** Low

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic

**Parameters:** None

S3 bucket access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request, and the time and date the request was processed.

CIS recommends that you enable bucket access logging on the CloudTrail S3 bucket.

By enabling S3 server access logging on the CloudTrail bucket, you can record the requests that read, write, or delete objects in that bucket. Delivering the logs to a separate bucket keeps the access records apart from the data they describe, which is useful in security and incident response workflows. Server access log delivery is best-effort, so treat these logs as a complement to, not a replacement for, CloudTrail data events for the bucket.

To run this check, Security Hub CSPM first uses custom logic to look for the bucket where your CloudTrail logs are stored and then uses the Amazon Config managed rule to check if logging is enabled.

If CloudTrail delivers log files from multiple Amazon Web Services accounts into a single destination Amazon S3 bucket, Security Hub CSPM evaluates this control only against the destination bucket in the Region where it's located. This streamlines your findings. However, you should turn on CloudTrail in all accounts that deliver logs to the destination bucket. For all accounts except the one that holds the destination bucket, the control status is **No data**.

### Remediation
<a name="cloudtrail-7-remediation"></a>

To enable server access logging for your CloudTrail S3 bucket, see [Enabling Amazon S3 server access logging](https://docs.amazonaws.cn/AmazonS3/latest/userguide/enable-server-access-logging.html#enable-server-logging) in the *Amazon Simple Storage Service User Guide*.

## [CloudTrail.9] CloudTrail trails should be tagged
<a name="cloudtrail-9"></a>

**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::CloudTrail::Trail`

**Amazon Config rule:** `tagged-cloudtrail-trail` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon CloudTrail trail has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the trail doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the trail isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation
<a name="cloudtrail-9-remediation"></a>

To add tags to a CloudTrail trail, see [AddTags](https://docs.amazonaws.cn/awscloudtrail/latest/APIReference/API_AddTags.html) in the *Amazon CloudTrail API Reference*.

## [CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed Amazon KMS keys
<a name="cloudtrail-10"></a>

**Related requirements:** NIST.800-53.r5 AU-9, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SC-12(2), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::CloudTrail::EventDataStore`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/event-data-store-cmk-encryption-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/event-data-store-cmk-encryption-enabled.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `kmsKeyArns`  |  A list of Amazon Resource Names (ARNs) of Amazon KMS keys to include in the evaluation. The control generates a `FAILED` finding if an event data store isn't encrypted with a KMS key in the list.  |  StringList (maximum of 3 items)  |  1–3 ARNs of existing KMS keys. For example: `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`.  |  No default value  | 

This control checks whether an Amazon CloudTrail Lake event data store is encrypted at rest with a customer managed Amazon KMS key. The control fails if the event data store isn't encrypted with a customer managed KMS key. You can optionally specify a list of KMS keys for the control to include in the evaluation.

By default, Amazon CloudTrail Lake encrypts event data stores with Amazon S3 managed keys (SSE-S3), using an AES-256 algorithm. For additional control, you can configure CloudTrail Lake to encrypt an event data store with a customer managed Amazon KMS key (SSE-KMS) instead. A customer managed KMS key is an Amazon KMS key that you create, own, and manage in your Amazon Web Services account. You have full control over this type of KMS key. This includes defining and maintaining the key policy, managing grants, rotating cryptographic material, assigning tags, creating aliases, and enabling and disabling the key. You can use a customer managed KMS key in cryptographic operations for your CloudTrail data and audit usage with CloudTrail logs.

### Remediation
<a name="cloudtrail-10-remediation"></a>

For information about encrypting an Amazon CloudTrail Lake event data store with an Amazon KMS key that you specify, see [Update an event data store](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/query-event-data-store-update.html) in the *Amazon CloudTrail User Guide*. After you associate an event data store with a KMS key, the KMS key can't be removed or changed.