MEDIUM CloudWatch · CIS 4.5

CloudTrail config changes alarm

Check ID: aws-cw-005

AWS-CW-005 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether a CloudWatch metric filter and alarm exist to detect CloudTrail configuration changes (CreateTrail, DeleteTrail, UpdateTrail, StopLogging). Without this monitoring, an attacker can disable logging undetected.

Why it matters

One of the first actions a sophisticated attacker takes after gaining access is disabling CloudTrail to eliminate the audit trail of their subsequent activities. The StopLogging API call is particularly dangerous because it silently disables logging without deleting the trail. In the 2020 SolarWinds attack, the threat actor (Nobelium) specifically targeted logging infrastructure to avoid detection. Without real-time alerting on CloudTrail configuration changes, an attacker could disable logging, perform destructive actions, and re-enable logging before anyone notices the gap. This is one of the most critical CIS monitoring controls because it protects the integrity of all other monitoring.

Common causes

Teams assume that CloudTrail is a set-and-forget service that will always run once configured. SCPs can prevent CloudTrail modification but are only available in AWS Organizations setups. In accounts managed by multiple teams, the person who set up CloudTrail may not be the same person responsible for monitoring, creating a gap where configuration changes go unwatched.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.

Remediation: AWS CLI

# Create metric filter:
aws logs put-metric-filter \
  --log-group-name <CLOUDTRAIL_LOG_GROUP> \
  --filter-name CIS-4.5 \
  --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }' \
  --metric-transformations metricName=CIS-4-5,metricNamespace=CISBenchmark,metricValue=1
# Create alarm:
aws cloudwatch put-metric-alarm \
  --alarm-name CIS-4.5 \
  --metric-name CIS-4-5 \
  --namespace CISBenchmark \
  --statistic Sum --period 300 --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --alarm-actions <SNS_TOPIC_ARN>

Remediation: Terraform

resource "aws_cloudwatch_log_metric_filter" "cis_4_5" {
  name           = "CIS-4.5"
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name
  pattern        = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"

  metric_transformation {
    name      = "CIS-4-5"
    namespace = "CISBenchmark"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "cis_4_5" {
  alarm_name          = "CIS-4.5"
  metric_name         = "CIS-4-5"
  namespace           = "CISBenchmark"
  statistic           = "Sum"
  period              = 300
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  alarm_actions       = [aws_sns_topic.alerts.arn]
}
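Both remediations above rely on one filter pattern and one alarm threshold doing the right thing. The following added example (written for this page, not part of cloud-audit or its own check logic) shows what a defender can verify locally: it extracts the eventName terms from a CloudWatch Logs filter pattern, reports which of the five CIS 4.5 events a pattern fails to cover, simulates the metric filter over a few constructed CloudTrail records, and applies the alarm's GreaterThanOrEqualToThreshold rule. The sample records, the partial pattern and all function names are constructed for illustration; the complete pattern is the one from the remediation sections.

```python
import json
import re

# The CloudTrail management events CIS 4.5 expects the metric filter to cover.
CIS_4_5_EVENTS = frozenset(
    {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}
)

# Pulls the eventName literals out of a CloudWatch Logs JSON filter pattern
# such as: { ($.eventName = CreateTrail) || ($.eventName = StopLogging) }
EVENT_TERM = re.compile(r'\$\.eventName\s*=\s*"?([A-Za-z0-9]+)"?')


def events_in_pattern(pattern: str) -> frozenset:
    """Return the set of eventName values the filter pattern selects on."""
    return frozenset(EVENT_TERM.findall(pattern))


def missing_events(pattern: str) -> frozenset:
    """Events CIS 4.5 requires that this pattern does not cover (empty means compliant)."""
    return CIS_4_5_EVENTS - events_in_pattern(pattern)


def metric_sum(pattern: str, log_lines) -> int:
    """Simulate the metric filter over raw log lines.

    Each matching record contributes metricValue=1, so the return value is the
    Sum statistic that the alarm evaluates for the period.
    """
    selected = events_in_pattern(pattern)
    total = 0
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines never match a JSON filter pattern
        if record.get("eventName") in selected:
            total += 1
    return total


def alarm_state(metric_sum_value: int, threshold: int = 1) -> str:
    """GreaterThanOrEqualToThreshold over a single evaluation period."""
    return "ALARM" if metric_sum_value >= threshold else "OK"


# Constructed sample CloudTrail records (illustrative, not real log data).
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
                "userIdentity": {"type": "IAMUser", "userName": "example-user"}}),
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails"}),
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "StartLogging"}),
    "not json at all",
]

# The pattern from the remediation sections on this page.
COMPLETE_PATTERN = ("{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || "
                    "($.eventName = DeleteTrail) || ($.eventName = StartLogging) || "
                    "($.eventName = StopLogging) }")
# A constructed weaker pattern: a hand-edited filter that silently dropped StopLogging.
PARTIAL_PATTERN = "{ ($.eventName = CreateTrail) || ($.eventName = DeleteTrail) }"


if __name__ == "__main__":
    for label, pattern in (("complete", COMPLETE_PATTERN), ("partial", PARTIAL_PATTERN)):
        gaps = missing_events(pattern)
        total = metric_sum(pattern, SAMPLE_LOG_LINES)
        print(f"{label}: missing={sorted(gaps) or 'none'} sum={total} alarm={alarm_state(total)}")
```

Running it shows the complete pattern matching the StopLogging and StartLogging records (sum 2, ALARM) while the partial pattern matches nothing and leaves the alarm in OK, which is exactly the gap the check is meant to surface. The coverage test only inspects the pattern string; it does not confirm that the trail actually delivers to the log group named in the filter, which must be verified separately.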

Compliance mapping

This check maps to CIS 4.5 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.

This check is part of cloud-audit. Install it with: pip install cloud-audit