Rules for configuring AWS's account logging features.

| Rule Name | Description |
| --- | --- |
| Ensure CloudTrail is enabled in all regions (2.1) | It is recommended that CloudTrail be enabled in all regions, with at least one multi-region trail capturing all management events. |
| Ensure CloudTrail log file validation is enabled (2.2) | It is recommended that log file validation be enabled on all CloudTrail trails. |
| Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible (2.3) | It is recommended that a bucket policy or access control list (ACL) be applied to the S3 bucket CloudTrail writes to, so that the CloudTrail logs cannot be read publicly. |
| Ensure CloudTrail trails are integrated with CloudWatch Logs (2.4) | It is recommended that CloudTrail logs be delivered to CloudWatch Logs. |
| Ensure AWS Config is enabled in all regions (2.5) | It is recommended that AWS Config be enabled in all regions. |
| Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (2.6) | It is recommended that server access logging be enabled on the CloudTrail S3 bucket. |
| Ensure CloudTrail logs are encrypted at rest using KMS CMKs (2.7) | It is recommended that CloudTrail be configured to use SSE-KMS with a KMS customer master key (CMK). |
| Ensure rotation for customer-created CMKs is enabled (2.8) | It is recommended that key rotation be enabled on customer-created CMKs. |
| Ensure VPC flow logging is enabled in all VPCs (2.9) | It is recommended that VPC Flow Logs be enabled for every VPC, capturing at least rejected packets. |
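As an added example (not part of the original rule list), the Python below evaluates each of the nine rules above against data in the shape of the boto3 responses a checker would normally pull (`describe_trails`, `get_trail_status`, `get_event_selectors`, `get_bucket_acl`, `get_bucket_logging`, `describe_configuration_recorders` and their status, `describe_key` plus `get_key_rotation_status`, `describe_flow_logs`). The field names follow those API response shapes; the `SAMPLE` account, its names, ARNs and IDs are constructed so the audit runs offline, and the function names are this example's own.

```python
"""Audit CIS AWS Foundations logging rules 2.1-2.9 over boto3-shaped data.
The inputs mirror describe_trails / get_trail_status / get_event_selectors /
get_bucket_acl / get_bucket_logging / describe_configuration_recorder(_status) /
describe_key + get_key_rotation_status / describe_flow_logs, so live output can be
fed in directly. SAMPLE is a constructed account, not real data."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def check_trails(trails, statuses, selectors):
    """2.2, 2.4, 2.7 per trail; 2.1 passes if one multi-region trail is logging
    with an event selector that captures all (read and write) management events."""
    findings, multi_region_ok = [], False
    for t in trails:
        name = t["Name"]
        all_mgmt = any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
                       for s in selectors.get(name, []))
        if t.get("IsMultiRegionTrail") and statuses.get(name, {}).get("IsLogging") and all_mgmt:
            multi_region_ok = True
        if not t.get("LogFileValidationEnabled"):
            findings.append((name, "2.2", "log file validation disabled"))
        if not t.get("CloudWatchLogsLogGroupArn"):
            findings.append((name, "2.4", "not integrated with CloudWatch Logs"))
        if not t.get("KmsKeyId"):  # absent when the trail relies on SSE-S3 instead of SSE-KMS
            findings.append((name, "2.7", "log files not encrypted with SSE-KMS"))
    if not multi_region_ok:
        findings.append(("account", "2.1", "no active multi-region trail for all management events"))
    return findings


def public_acl_grants(acl):
    """2.3 (ACL half): grants to AllUsers/AuthenticatedUsers expose the bucket.
    The bucket policy needs a separate check for Principal "*" Allow statements."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]


def config_recording_all(recorders, recorder_statuses):
    """2.5: a recorder must be running and record all supported plus global resource types."""
    recording = {s["name"] for s in recorder_statuses if s.get("recording")}
    return any(r["name"] in recording
               and r.get("recordingGroup", {}).get("allSupported")
               and r["recordingGroup"].get("includeGlobalResourceTypes")
               for r in recorders)


def keys_without_rotation(keys):
    """2.8: customer-managed symmetric keys with rotation off (AWS-managed keys rotate
    on their own and asymmetric keys cannot be rotated, so both are skipped)."""
    return [k["KeyId"] for k in keys
            if k.get("KeyManager") == "CUSTOMER"
            and k.get("KeySpec", "SYMMETRIC_DEFAULT") == "SYMMETRIC_DEFAULT"
            and not k.get("KeyRotationEnabled")]


def vpcs_without_reject_logs(vpc_ids, flow_logs):
    """2.9: every VPC needs an ACTIVE flow log whose TrafficType is REJECT or ALL."""
    covered = {f["ResourceId"] for f in flow_logs
               if f.get("FlowLogStatus") == "ACTIVE" and f.get("TrafficType") in ("REJECT", "ALL")}
    return [v for v in vpc_ids if v not in covered]


# Constructed sample account: one compliant trail, one legacy trail, a public bucket ACL.
SAMPLE = {
    "trails": [
        {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
         "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail:*",
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1111aaaa-0000-4000-8000-000000000001"},
        {"Name": "legacy-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
    ],
    "statuses": {"org-trail": {"IsLogging": True}, "legacy-trail": {"IsLogging": True}},
    "selectors": {"org-trail": [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
                  "legacy-trail": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
    "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
                       {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "logging": {},  # get_bucket_logging returns no LoggingEnabled block when logging is off
    "recorders": [{"name": "default", "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}}],
    "recorder_statuses": [{"name": "default", "recording": True}],
    "keys": [{"KeyId": "1111aaaa-0000-4000-8000-000000000001", "KeyManager": "CUSTOMER",
              "KeySpec": "SYMMETRIC_DEFAULT", "KeyRotationEnabled": False},
             {"KeyId": "2222bbbb-0000-4000-8000-000000000002", "KeyManager": "AWS",
              "KeySpec": "SYMMETRIC_DEFAULT", "KeyRotationEnabled": True}],
    "vpcs": ["vpc-0a1b2c3d", "vpc-4e5f6a7b"],
    "flow_logs": [{"ResourceId": "vpc-0a1b2c3d", "TrafficType": "REJECT", "FlowLogStatus": "ACTIVE"},
                  {"ResourceId": "vpc-4e5f6a7b", "TrafficType": "ACCEPT", "FlowLogStatus": "ACTIVE"}],
}


def audit(data=SAMPLE):
    """Run every rule; return only the failing rules, keyed by rule number."""
    trail_findings = check_trails(data["trails"], data["statuses"], data["selectors"])
    report = {rule: [f"{name}: {msg}" for name, r, msg in trail_findings if r == rule]
              for rule in ("2.1", "2.2", "2.4", "2.7")}
    report["2.3"] = public_acl_grants(data["acl"])
    report["2.5"] = [] if config_recording_all(data["recorders"], data["recorder_statuses"]) else ["no recorder covering all resource types"]
    report["2.6"] = [] if "LoggingEnabled" in data["logging"] else ["access logging disabled on CloudTrail bucket"]
    report["2.8"] = keys_without_rotation(data["keys"])
    report["2.9"] = vpcs_without_reject_logs(data["vpcs"], data["flow_logs"])
    return {rule: fails for rule, fails in sorted(report.items()) if fails}
```

On the sample account, `audit()` reports every rule except 2.1 as failing: the legacy trail lacks validation, CloudWatch delivery and SSE-KMS, the bucket ACL grants READ to AllUsers, the Config recorder skips global resources, the customer key has rotation off, and the second VPC only logs ACCEPT traffic. Note that an ACCEPT-only flow log is the classic way 2.9 is silently missed: the VPC has a flow log, but not one that captures rejects.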