Security Best Practices for AWS CloudTrail

Edward Smith / 10.02.18

AWS CloudTrail captures a log of all API calls for an AWS account and its services. It also enables continuous monitoring and post-incident forensic investigations of AWS by providing an audit trail of all activities across your AWS infrastructure.  

What’s the risk if CloudTrial is misconfigured?

If properly enabled, CloudTrail contains logs about everything that happens in an account and stores the information in dedicated S3 buckets. Completeness and integrity of this data can be critical for compliance and forensics purposes. But if left unsecured, this information could be exposed, allowing attackers to:

  • Perform reconnaissance on the account, identifying users, roles, etc., that may be easily exploited
  • Cover their tracks by deleting and modifying logs
  • Destroy critical forensic and compliance data.

How does Halo Cloud Secure help?

Halo Cloud Secure provides security visibility to help ensure that AWS CloudTrail:

  • Is running in all regions for all global services, so that the data is available in case it’s needed for compliance or forensics
  • Is integrated with CloudWatch (to alert on anomalies, etc.)
  • Is protected by MFA, access logging, file integrity, and encryption
  • Data is not publicly accessible
  • Is not referencing SNS topics that don’t exist, so any SNS related workflows will be functional.

Learn more about how Halo Cloud Secure can help you reduce your AWS attack surface. You can read more about our AWS solutions here, or request a customized demo.