CloudTrail Best Practices
If you are using AWS Organizations, you can use AWS CloudTrail to log all events for all AWS accounts in your organization. We recommend enabling this, since having logs available is critical when addressing security incidents. In addition to being our recommendation, enabling CloudTrail is a CIS Benchmark and an AWS security best practice.
For information about enabling AWS CloudTrail, see Amazon's guide Getting Started with AWS CloudTrail.
Recommendations
- Have log data accessible for up to 1 year.
- Tightly control access to the log data. We recommend storing logs in a secured S3 bucket and granting CloudWatch permissions only to a limited set of users.
- Create CloudWatch alarms that post to an AWS Simple Notification Service (SNS) endpoint. This way, you will be notified of suspicious or critical events. For more information, see Amazon's article Configuring Amazon SNS notifications for CloudTrail.
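As an added example (not code from the original page), the following Python builds the pieces these recommendations call for: the bucket policy for an organization trail's log bucket, a one-year retention rule, and the CIS AWS Foundations Benchmark metric-filter condition for unauthorized API calls, applied to constructed sample events. The bucket name, account id and organization id are placeholders.

```python
def trail_bucket_policy(bucket, account_id, org_id):
    """Bucket policy for an organization trail's log bucket: CloudTrail may
    check the ACL and write objects (owner keeps full control); anything not
    sent over TLS is denied. Bucket, account and org ids are placeholders."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": arn},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": [f"{arn}/AWSLogs/{account_id}/*",
                      f"{arn}/AWSLogs/{org_id}/*"],
         "Condition": {"StringEquals":
                       {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}

def retention_lifecycle(days=365):
    """S3 lifecycle rule that keeps the log objects for one year."""
    return {"Rules": [{"ID": "retain-cloudtrail-1y", "Status": "Enabled",
                       "Filter": {"Prefix": "AWSLogs/"},
                       "Expiration": {"Days": days}}]}

# CloudWatch Logs metric filter pattern the CIS AWS Foundations Benchmark
# uses for unauthorized API calls; an alarm on the resulting metric can
# publish to an SNS topic as the page recommends.
UNAUTHORIZED_FILTER = ('{ ($.errorCode = "*UnauthorizedOperation") || '
                       '($.errorCode = "AccessDenied*") }')

def is_unauthorized(event):
    """The condition UNAUTHORIZED_FILTER expresses, evaluated in Python so a
    CloudTrail event record can be checked offline."""
    code = event.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")

# Constructed sample event records (not real log data).
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "GetObject", "errorCode": "AccessDenied"},
    {"eventName": "ListBuckets"},
]

def flag_unauthorized(events):
    """eventNames that an alarm on UNAUTHORIZED_FILTER would count."""
    return [e["eventName"] for e in events if is_unauthorized(e)]
```

Apply the policy and lifecycle rule to the trail's bucket and create the metric filter on the trail's CloudWatch log group; the alarm on that metric is what posts to SNS.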