1
Resources
7
Total Findings
6
Rules Executed
18
Unique Rules
0
Exception
2.829s
Timespent
Summary
Filter
EnableTrailS3BucketMFADelete
Security- Description
- You have not enabled MFA delete on 1 CloudTrail buckets. Turn on multifactor authenthication (MFA) on CloudTrail S3 bucket to avoid advertent of inadvertent delete of your critical cloudtrail data that can be used to perform forensics for security incidents and identify potential source of compromise.
- Resources
- ap-southeast-1: Cloudtrail::IsengardTrail-DO-NOT-DELETE
- Recommendation
- S3 Enable MFA Delete
- Delete with MFA enabled file in S3
EnableTrailS3BucketVersioning
Reliability- Description
- You have not enabled versioning on 1 CloudTrail buckets. Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.With versioning you can recover more easily from both unintended user actions and application failures.
- Resources
- ap-southeast-1: Cloudtrail::IsengardTrail-DO-NOT-DELETE
- Recommendation
- Configure S3 bucket versioning
- Resilience in CloudTrail
EnableTrailS3BucketLogging
Reliability- Description
- You have not enabled server access logging in 1 CloudTrail buckets. By enabling S3 bucket logging on target S3 buckets, you can capture all events that might affect objects in a target bucket. Configuring logs to be placed in a separate bucket enables access to log information, which can be useful in security and incident response workflows.
- Resources
- ap-southeast-1: Cloudtrail::IsengardTrail-DO-NOT-DELETE
- Label
- Cost Incurred
- Recommendation
- Configure S3 Logging
- Resilience in CloudTrail
SetupSNSTopicForTrail
Operation Excellence- Description
- You can be notified when CloudTrail publishes new log files to your Amazon S3 bucket. You manage notifications using Amazon Simple Notification Service (Amazon SNS).
- Resources
- ap-southeast-1: Cloudtrail::IsengardTrail-DO-NOT-DELETE
- Label
- Cost Incurred
- Recommendation
- Configure SNS for CloudTrail
CloudWatchLogsLogGroupArn
Operation Excellence- Description
- Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address. You can use this approach to establish alarms and notifications for anomalous or sensitivity account activity.
- Resources
- ap-southeast-1: Cloudtrail::IsengardTrail-DO-NOT-DELETE
- Label
- Cost Incurred
- Recommendation
- Using CloudWatch Logs with CloudTrail
RequiresKmsKey
Security- Description
- You have not enabled server side encryption (SSE) on 1 CloudTrail buckets which automatically encrypts objects uploaded to the bucket. If this bucket contains non-publically-available data, and you are not implementing client-side encryption, please enable SSE.
- Resources
- ap-southeast-1: Cloudtrail::IsengardTrail-DO-NOT-DELETE
- Recommendation
- Encrypt CloudTrail using AWS KMS
- CloudTrail Security Best Practices
HasInsightSelectors
Operation Excellence- Description
- CloudTrail Insights analyzes your normal patterns of API call volume and API error rates, also called the baseline, and generates Insights events when the call volume or error rates are outside normal patterns. Insights events on API call volume are generated for write management APIs, and Insights events on API error rate are generated for both read and write management APIs.
- Resources
- ap-southeast-1: Cloudtrail::IsengardTrail-DO-NOT-DELETE
- Label
- Cost Incurred
- Recommendation
- Insight events
Detail
ap-southeast-1
1. IsengardTrail-DO-NOT-DELETE
| Check | Current Value | Recommendation |
|---|---|---|
| EnableTrailS3BucketMFADelete | Enable MFA delete | |
| EnableTrailS3BucketVersioning | Enable S3 Bucket versioning | |
| EnableTrailS3BucketLogging | Enable S3 Bucket Logging | |
| SetupSNSTopicForTrail | Enable SNS Topic | |
| CloudWatchLogsLogGroupArn | CloudWatch for CloudTrail | |
| RequiresKmsKey | Enable SSE | |
| HasInsightSelectors | Enable Insight Selectors |