Audit API calls
Enable, Centralize, and Secure AWS CloudTrail Logs
It is advisable to use AWS CloudTrail audit logs to investigate incidents by setting them to retain the logs for the period that your security policy determines. It is also recommended to centralize them into a Logging account to protect them from malicious access, or if you use a single account, control access to those logs using IAM policies.
If you use AWS Control Tower for Multi-Account Management , the Logging account is generated, where the logs are automatically centralized and protected.
Your security team should be trained to understand how to search and investigate CloudTrail Logs.
AWS CloudTrail Mindmap
https://www.xmind.net/m/sY4HG3
Risk Mitigation
- Protecting the logs is crucial in security investigations to make sure you know what adversaries did and reverse their actions, removing any potential access.
Guidance for assessments
- Do you have AWS Control Tower enabled ?
- if not:
- Have you enabled CloudTrail organizational trail ?
- Have you enabled SCPs to prevent adversaries from stopping the generation of CloudTrail logs and manipulating the log files ?
- How prepared is your team to investigate CloudTrail logs ?
Pricing
https://aws.amazon.com/cloudtrail/pricing
Management event activity that AWS CloudTrail recorded during the last 90 days can be viewed and filtered for free through the AWS CloudTrail console or using the AWS CLI.