Resources: 3
Total Findings: 19
Rules Executed: 18
Unique Rules: 18
Exception: 0
Time spent: 16.576s
Summary
SetupSNSTopicForTrail
Operation Excellence
- Description
  - You can be notified when CloudTrail publishes new log files to your Amazon S3 bucket. You manage notifications using Amazon Simple Notification Service (Amazon SNS).
- Resources
  - ap-northeast-1: Cloudtrail::IsengardTrail-DO-NOT-DELETE | Cloudtrail::mys3buckettrail
- Label
  - Cost Incurred
- Recommendation
  - Configure SNS for CloudTrail
CloudWatchLogsLogGroupArn
Operation Excellence
- Description
  - Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address. You can use this approach to establish alarms and notifications for anomalous or sensitive account activity.
- Resources
  - ap-northeast-1: Cloudtrail::IsengardTrail-DO-NOT-DELETE
- Label
  - Cost Incurred
- Recommendation
  - Using CloudWatch Logs with CloudTrail
RequiresKmsKey
Security
- Description
  - You have not enabled server-side encryption (SSE), which automatically encrypts objects uploaded to the bucket, on 2 CloudTrail buckets. If a bucket contains non-publicly-available data and you are not implementing client-side encryption, please enable SSE.
- Resources
  - ap-northeast-1: Cloudtrail::IsengardTrail-DO-NOT-DELETE | Cloudtrail::aws-controltower-BaselineCloudTrail
- Recommendation
  - Encrypt CloudTrail using AWS KMS
  - CloudTrail Security Best Practices
HasInsightSelectors
Operation Excellence
- Description
  - CloudTrail Insights analyzes your normal patterns of API call volume and API error rates, also called the baseline, and generates Insights events when the call volume or error rates are outside normal patterns. Insights events on API call volume are generated for write management APIs, and Insights events on API error rate are generated for both read and write management APIs.
- Resources
  - ap-northeast-1: Cloudtrail::IsengardTrail-DO-NOT-DELETE | Cloudtrail::aws-controltower-BaselineCloudTrail | Cloudtrail::mys3buckettrail
- Label
  - Cost Incurred
- Recommendation
  - Insight events
TrailDeliverError
Operation Excellence
- Description
  - Your Amazon CloudTrail trail(s) are experiencing log delivery errors. Review the error via `aws cloudtrail get-trail-status --name`
- Resources
  - ap-northeast-1: Cloudtrail::IsengardTrail-DO-NOT-DELETE | Cloudtrail::aws-controltower-BaselineCloudTrail | Cloudtrail::mys3buckettrail
- Recommendation
  - CloudTrail Delivery Error
EnableTrailS3BucketMFADelete
Security
- Description
  - You have not enabled MFA delete on 2 CloudTrail buckets. Turn on multi-factor authentication (MFA) delete on the CloudTrail S3 bucket to avoid intentional or inadvertent deletion of your critical CloudTrail data, which can be used to perform forensics for security incidents and to identify the potential source of compromise.
- Resources
  - ap-northeast-1: Cloudtrail::IsengardTrail-DO-NOT-DELETE | Cloudtrail::mys3buckettrail
- Recommendation
  - S3 Enable MFA Delete
  - Delete with MFA enabled file in S3
EnableTrailS3BucketVersioning
Reliability
- Description
  - You have not enabled versioning on 2 CloudTrail buckets. Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. With versioning you can recover more easily from both unintended user actions and application failures.
- Resources
  - ap-northeast-1: Cloudtrail::IsengardTrail-DO-NOT-DELETE | Cloudtrail::mys3buckettrail
- Recommendation
  - Configure S3 bucket versioning
  - Resilience in CloudTrail
EnableTrailS3BucketLogging
Reliability
- Description
  - You have not enabled server access logging on 2 CloudTrail buckets. By enabling S3 bucket logging on target S3 buckets, you can capture all events that might affect objects in a target bucket. Configuring logs to be placed in a separate bucket enables access to log information, which can be useful in security and incident response workflows.
- Resources
  - ap-northeast-1: Cloudtrail::IsengardTrail-DO-NOT-DELETE | Cloudtrail::mys3buckettrail
- Label
  - Cost Incurred
- Recommendation
  - Configure S3 Logging
  - Resilience in CloudTrail
EnableCloudTrailLogging
Operation Excellence
- Description
  - You have 1 CloudTrail trail that is not currently logging AWS API calls.
- Resources
  - ap-northeast-1: Cloudtrail::mys3buckettrail
- Label
  - Cost Incurred
- Recommendation
  - Stop/Start Logging
EnableTrailS3BucketLifecycle
Cost Optimization
- Description
  - You have not configured lifecycle policies for objects in 1 CloudTrail bucket. A lifecycle configuration is a set of rules that define actions that Amazon S3 applies to a group of objects. This saves cost by moving infrequently accessed objects to lower-cost storage tiers and expiring objects that are no longer needed.
- Resources
  - ap-northeast-1: Cloudtrail::mys3buckettrail
- Label
  - Cost Incurred (maybe)
- Recommendation
  - Configure S3 bucket lifecycle
  - Resilience in CloudTrail
Detail
ap-northeast-1
1. IsengardTrail-DO-NOT-DELETE
Check | Current Value | Recommendation |
---|---|---|
SetupSNSTopicForTrail | Enable SNS Topic | |
CloudWatchLogsLogGroupArn | CloudWatch for CloudTrail | |
RequiresKmsKey | Enable SSE | |
HasInsightSelectors | Enable Insight Selectors | |
TrailDeliverError | None | Review latest delivery error |
EnableTrailS3BucketMFADelete | Enable MFA delete | |
EnableTrailS3BucketVersioning | Enable S3 Bucket versioning | |
EnableTrailS3BucketLogging | Enable S3 Bucket Logging | |
2. aws-controltower-BaselineCloudTrail
Check | Current Value | Recommendation |
---|---|---|
RequiresKmsKey | Enable SSE | |
HasInsightSelectors | Enable Insight Selectors | |
TrailDeliverError | None | Review latest delivery error |
3. mys3buckettrail
Check | Current Value | Recommendation |
---|---|---|
SetupSNSTopicForTrail | Enable SNS Topic | |
HasInsightSelectors | Enable Insight Selectors | |
EnableCloudTrailLogging | Enable logging of AWS API calls | |
TrailDeliverError | None | Review latest delivery error |
EnableTrailS3BucketMFADelete | Enable MFA delete | |
EnableTrailS3BucketVersioning | Enable S3 Bucket versioning | |
EnableTrailS3BucketLogging | Enable S3 Bucket Logging | |
EnableTrailS3BucketLifecycle | Off | Enable S3 Bucket Lifecycle |