AWS CloudTrail Modified
This rule monitors for modifications to AWS CloudTrails.
Risk
Remediation Effort
Medium
Low / High
CloudTrail is the AWS auditing service, and modifications may mean loss of sensitive audit data. AWS CloudTrails should be modified very rarely, and modifications closely monitored and approved.
Remediation
If this CloudTrail change was not planned, review the CloudTrail event history to see what changes were made and by who. Revert inappropriate changes, and revoke access as necessary. Remember that disabling/modifying CloudTrail can prevent future audit logs from being generated, investigate your AWS environment for other changes if logging was temporarily disabled.
References
CIS AWS Benchmark 3.5: "Ensure a log metric filter and alarm exist for CloudTrail configuration changes"
Last updated