AWS CloudTrail event selector does not cover all management events
Description
AlphaSOC detected limited coverage of management events in Amazon CloudTrail event selectors. CloudTrail provides audit logs of account activity and API usage for security analysis and compliance purposes. Restricting management event logging can reduce visibility into administrative operations and potentially mask unauthorized actions.
Impact
Incomplete CloudTrail coverage creates blind spots in account monitoring, potentially allowing adversaries to make unauthorized changes without generating logs. These changes may include privilege escalation, infrastructure modification, or data exfiltration. Gaps in logging can hamper incident response and complicate forensic investigations. They may also lead to compliance issues due to insufficient audit trails.
Severity
| Severity | Condition |
|---|---|
| Low | AWS CloudTrail event selector not covering all management events |
Investigation and Remediation
Review CloudTrail configurations across all regions to identify trails lacking full management event coverage. Examine the preceding AWS activity to determine whether the change was authorized. Configure comprehensive logging for management events, and implement configuration baselines using AWS Config or Service Control Policies. Monitor for configuration changes, and consider implementing automated remediation if critical logging settings are modified.
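The review step above amounts to inspecting each trail's event selectors for the three ways management-event coverage gets narrowed: management events switched off, `ReadWriteType` set to `ReadOnly` or `WriteOnly`, or event sources listed in `ExcludeManagementEventSources` (and, for advanced event selectors, any field beyond `eventCategory = Management`). The following is an added example, not AlphaSOC's detection logic or AWS code: it evaluates selector documents in the shape returned by the CloudTrail `GetEventSelectors` API and reports which trails fall short. The trail ARNs and selectors are constructed for illustration.

```python
"""Assess CloudTrail event selectors for full management-event coverage.

Added example, not AlphaSOC's detection logic. Each input document mirrors
the shape returned by the CloudTrail GetEventSelectors API (TrailARN,
EventSelectors, AdvancedEventSelectors); the trails below are constructed.
"""
from __future__ import annotations


def classic_gaps(selector: dict) -> list[str]:
    """Return the ways a basic event selector narrows management-event logging."""
    # API defaults when the keys are omitted: IncludeManagementEvents=true, ReadWriteType=All
    if not selector.get("IncludeManagementEvents", True):
        return ["management events excluded"]
    gaps: list[str] = []
    rw_type = selector.get("ReadWriteType", "All")
    if rw_type != "All":
        gaps.append(f"ReadWriteType={rw_type}")
    excluded = selector.get("ExcludeManagementEventSources", [])
    if excluded:
        gaps.append("excluded sources: " + ", ".join(sorted(excluded)))
    return gaps


def advanced_gaps(selector: dict) -> list[str] | None:
    """Return the narrowing fields of an advanced *management* selector.

    Returns None when the selector targets another event category (Data,
    NetworkActivity, ...); such selectors say nothing about management coverage.
    """
    fields = selector.get("FieldSelectors", [])
    category = [f for f in fields if f.get("Field") == "eventCategory"]
    if not category or category[0].get("Equals") != ["Management"]:
        return None
    # Any field besides eventCategory (readOnly, eventSource, eventName, ...)
    # restricts the selector to a subset of management events.
    narrowing = sorted(f["Field"] for f in fields if f.get("Field") != "eventCategory")
    return [f"restricted by {name}" for name in narrowing]


def assess_trail(doc: dict) -> dict:
    """A trail is covered if at least one of its selectors logs all management events."""
    findings: list[str] = []
    covered = False
    for sel in doc.get("EventSelectors", []):
        gaps = classic_gaps(sel)
        if gaps:
            findings.extend(gaps)
        else:
            covered = True
    saw_management_advanced = False
    for sel in doc.get("AdvancedEventSelectors", []):
        gaps = advanced_gaps(sel)
        if gaps is None:
            continue
        saw_management_advanced = True
        if gaps:
            findings.extend(f"{sel.get('Name', '<unnamed>')}: {g}" for g in gaps)
        else:
            covered = True
    if not doc.get("EventSelectors") and not saw_management_advanced:
        findings.append("no management-event selector on trail")
    # Narrower selectors alongside a full one are additive, not gaps.
    return {"trail": doc.get("TrailARN", "<unknown>"),
            "covered": covered,
            "findings": [] if covered else findings}


def triage(docs: list[dict]) -> list[dict]:
    """Assess every trail document (one per trail per region) and return the results."""
    return [assess_trail(d) for d in docs]


# Constructed sample trails; not real accounts, trails or findings.
SAMPLE_TRAILS = [
    {"TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/full-coverage",
     "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                         "DataResources": []}]},
    {"TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/write-only-no-kms",
     "EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
                         "ExcludeManagementEventSources": ["kms.amazonaws.com"]}]},
    {"TrailARN": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/s3-data-only",
     "AdvancedEventSelectors": [{"Name": "S3 object events", "FieldSelectors": [
         {"Field": "eventCategory", "Equals": ["Data"]},
         {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]}]},
    {"TrailARN": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/read-only-mgmt",
     "AdvancedEventSelectors": [{"Name": "Read-only management", "FieldSelectors": [
         {"Field": "eventCategory", "Equals": ["Management"]},
         {"Field": "readOnly", "Equals": ["true"]}]}]},
]

if __name__ == "__main__":
    for result in triage(SAMPLE_TRAILS):
        print("OK " if result["covered"] else "GAP", result["trail"])
        for finding in result["findings"]:
            print("     -", finding)
```

In practice the input documents come from `aws cloudtrail get-event-selectors --trail-name <trail>` run in every region (a multi-region or organization trail only needs to be read once, single-region trails must be enumerated per region), and the fix for a flagged trail is `aws cloudtrail put-event-selectors --trail-name <trail> --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":true}]'`. Selector coverage is only one half of the check: a trail whose logging is stopped (`get-trail-status` reporting `IsLogging` false) produces no management events regardless of its selectors.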
Known False Positives
- Event filtering for high-volume API calls that generate excessive log entries