AWS CloudTrail Monitor

Detect if and when CloudTrail logging is disabled or modified.

Deploy AWS CloudTrail Monitor in Vectrix

Description

AWS CloudTrail Status helps prevent inappropriate and unauthorized users from gaining access to AWS IAM. It periodically queries AWS APIs for IAM account data within your AWS account and sends an alert to your configured output when it detects an issue (see Alerts List).

Access & Configuration

Alerts

Trail Created

Context: An AWS CloudTrail Trail has been created to record and store activity logs across specified AWS services. This could be used for analyzing account activity or gathering intel.

Action: Navigate to the CloudTrail Console via the AWS Management Console and review newly created CloudTrail Trails for suspicious logging (AWS Documentation).

Trail Deleted

Context: An AWS CloudTrail Trail has been deleted and no longer creates or stores activity logs of AWS services. This could be done to hide malicious or unauthorized activity.

Action: Navigate to the CloudTrail Console via the AWS Management Console and review which CloudTrail Trails are missing because they have been deleted (AWS Documentation).

Trail Logging Disabled

Context: An AWS CloudTrail Trail has been disabled and no longer creates or stores activity logs of AWS services. This could be done to hide malicious or unauthorized activity.

Action: Navigate to the CloudTrail Console via the AWS Management Console and review CloudTrail Trails that have been disabled (AWS Documentation - see Step 5).
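
The three alerts above can be derived by comparing two consecutive polls of trail state. The following is an added example, not Vectrix's own code: the function names, the default region, and the sample ARNs are assumptions made for illustration, and the only AWS calls used are boto3's `describe_trails` and `get_trail_status`.

```python
"""Added example: derive the three alerts by diffing two polls of trail state."""


def snapshot_trails(region="us-east-1"):
    """Poll CloudTrail and return {trail_arn: is_logging}.

    Needs boto3 and AWS credentials; the default region is an assumption.
    """
    import boto3  # imported here so the diff logic below runs offline

    ct = boto3.client("cloudtrail", region_name=region)
    snap = {}
    # Skip shadow trails so each trail is counted once, in its home region.
    for trail in ct.describe_trails(includeShadowTrails=False)["trailList"]:
        arn = trail["TrailARN"]
        snap[arn] = ct.get_trail_status(Name=arn)["IsLogging"]
    return snap


def diff_snapshots(previous, current):
    """Compare two snapshots and return a sorted list of (alert, trail_arn)."""
    alerts = []
    for arn in current.keys() - previous.keys():
        alerts.append(("Trail Created", arn))
    for arn in previous.keys() - current.keys():
        alerts.append(("Trail Deleted", arn))
    for arn in previous.keys() & current.keys():
        # Only a True -> False transition counts; a trail that was already
        # stopped in the previous poll is not reported again.
        if previous[arn] and not current[arn]:
            alerts.append(("Trail Logging Disabled", arn))
    return sorted(alerts)


# Constructed sample data: the account ID and trail names are placeholders.
ARN = "arn:aws:cloudtrail:us-east-1:111122223333:trail/"
PREVIOUS = {ARN + "org-audit": True, ARN + "app-logs": True, ARN + "legacy": True}
CURRENT = {ARN + "org-audit": False, ARN + "app-logs": True, ARN + "scratch": False}

if __name__ == "__main__":
    for alert, arn in diff_snapshots(PREVIOUS, CURRENT):
        print(f"{alert}: {arn}")
```

A snapshot diff only sees the state at each poll, so a trail that is stopped and restarted between two polls produces no alert; a shorter polling interval narrows that window.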

Sample Alert

Sample Alert: Trail Disabled