bcgov / cloud-pathfinder

This is the technology and UX backend repo for the cloud pathfinder ZenHub task board
https://app.zenhub.com/workspaces/cloud-pathfinder-5e4dbb426c3c6af8dcbf06a7/board?repos=241742911
Creative Commons Zero v1.0 Universal

Cloudtrail log file validation #3063

Closed NickCorcoran closed 1 month ago

NickCorcoran commented 2 months ago

Importance and Impact: To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing.

In case of compromise, the first thing a malicious actor would do is turn off CloudTrail and tamper with the CloudTrail log files, which poses security risks that prevent identifying the origin of the attack.

Recommendations: 1/ Turn on CloudTrail log file validation so that any changes made to the log file itself after it has been delivered to the S3 bucket are trackable, to ensure log file integrity.

2/ Minimize access to the CloudTrail API. Revoke permissions for DeleteTrail, StopLogging and UpdateTrail.

3/ This ensures CloudTrail logs cannot be tampered with in case of compromise and makes it possible to identify the reason for the compromise.
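The hashing and signing steps described in this issue are what a validator actually checks when it walks a trail's digest files. The following Go program is an added example, not code from the cloud-pathfinder repo or from the issue author: it models a CloudTrail digest file (the `logFiles` entries with their SHA-256 `hashValue`, plus the RSA/SHA-256 signature CloudTrail stores as S3 metadata on the digest object), recomputes each log object's hash, and verifies the digest signature over the newline-joined string of digest end time, digest S3 path, SHA-256 of the digest file bytes and the previous digest's signature, which is the string-to-sign convention documented by AWS. The RSA key pair is generated locally as a stand-in for the public key a real validator fetches with `ListPublicKeys`, and the log contents, bucket name, account id and object keys are constructed sample values (real log objects are gzip-compressed and hashed as stored). The scenario then edits one log file and, separately, the digest file, to show that both kinds of post-delivery modification are detected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// LogFileEntry and Digest model the subset of CloudTrail digest-file fields used below.
type LogFileEntry struct {
	S3Object      string `json:"s3Object"`
	HashValue     string `json:"hashValue"`
	HashAlgorithm string `json:"hashAlgorithm"`
}

type Digest struct {
	DigestEndTime            string         `json:"digestEndTime"`
	DigestS3Bucket           string         `json:"digestS3Bucket"`
	DigestS3Object           string         `json:"digestS3Object"`
	PreviousDigestSignature  string         `json:"previousDigestSignature"`
	DigestSignatureAlgorithm string         `json:"digestSignatureAlgorithm"`
	LogFiles                 []LogFileEntry `json:"logFiles"`
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// stringToSign follows the CloudTrail convention: digest end time, digest S3 path,
// hex SHA-256 of the digest file bytes and the previous digest's signature, newline-joined.
func stringToSign(d Digest, digestBytes []byte) []byte {
	return []byte(fmt.Sprintf("%s\n%s/%s\n%s\n%s", d.DigestEndTime,
		d.DigestS3Bucket, d.DigestS3Object, sha256Hex(digestBytes), d.PreviousDigestSignature))
}

// VerifyDigestSignature checks the hex-encoded RSA/SHA-256 signature stored as S3
// metadata on the digest file against the CloudTrail public key.
func VerifyDigestSignature(pub *rsa.PublicKey, d Digest, digestBytes []byte, sigHex string) bool {
	sig, err := hex.DecodeString(sigHex)
	if err != nil {
		return false
	}
	h := sha256.Sum256(stringToSign(d, digestBytes))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// VerifyLogFiles recomputes SHA-256 over each log object the digest covers and
// returns the S3 keys whose hash no longer matches or that are missing from the bucket.
func VerifyLogFiles(d Digest, objects map[string][]byte) (bool, []string) {
	var failed []string
	for _, lf := range d.LogFiles {
		body, present := objects[lf.S3Object]
		if !present || lf.HashAlgorithm != "SHA-256" || sha256Hex(body) != lf.HashValue {
			failed = append(failed, lf.S3Object)
		}
	}
	return len(failed) == 0, failed
}

// Result holds the outcome of the checks run by Scenario.
type Result struct {
	LogFilesOK, SignatureOK           bool // clean trail: both expected true
	TamperedLogOK, TamperedDigestOK   bool // after modification: both expected false
}

// Scenario builds a constructed trail (two log objects, one digest), signs the digest
// with a locally generated key (stand-in for CloudTrail's key) and runs the checks.
func Scenario() (Result, error) {
	var r Result
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	prefix := "AWSLogs/111122223333/CloudTrail/ca-central-1/2024/01/01/" // constructed
	objects := map[string][]byte{ // constructed sample log contents
		prefix + "log1.json.gz": []byte(`{"Records":[{"eventName":"DescribeTrails"}]}`),
		prefix + "log2.json.gz": []byte(`{"Records":[{"eventName":"StopLogging"}]}`),
	}
	d := Digest{DigestEndTime: "2024-01-01T01:00:00Z", DigestS3Bucket: "example-trail-bucket",
		DigestS3Object: prefix + "digest.json.gz", DigestSignatureAlgorithm: "SHA256withRSA",
		PreviousDigestSignature: ""} // first digest of the constructed chain
	for _, key := range []string{prefix + "log1.json.gz", prefix + "log2.json.gz"} {
		d.LogFiles = append(d.LogFiles, LogFileEntry{key, sha256Hex(objects[key]), "SHA-256"})
	}
	digestBytes, err := json.Marshal(d)
	if err != nil {
		return r, err
	}
	h := sha256.Sum256(stringToSign(d, digestBytes))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return r, err
	}
	sigHex := hex.EncodeToString(sig)

	r.LogFilesOK, _ = VerifyLogFiles(d, objects)
	r.SignatureOK = VerifyDigestSignature(&priv.PublicKey, d, digestBytes, sigHex)

	// A log file modified after delivery no longer matches the hash recorded in the digest.
	objects[prefix+"log2.json.gz"] = []byte(`{"Records":[]}`)
	r.TamperedLogOK, _ = VerifyLogFiles(d, objects)

	// A digest file modified to hide that change no longer verifies against its signature.
	edited := append(append([]byte{}, digestBytes...), '\n')
	r.TamperedDigestOK = VerifyDigestSignature(&priv.PublicKey, d, edited, sigHex)
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

In production the same checks are what `aws cloudtrail validate-logs` performs for you; the value of running them on a schedule is that a missing or unverifiable digest is itself the signal that someone with `StopLogging`, `UpdateTrail` or `DeleteTrail` rights acted, which is why recommendation 2 above pairs validation with restricting those API actions.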

NickCorcoran commented 1 month ago

Already enabled with the Organization CloudTrail.