AU-2 / AU-3 / AU-6 / AU-9 / AU-12 NIST SP 800-53 Rev 5

Are control-plane logs (CloudTrail, Activity Log, Audit Log) enabled, centralised, and monitored?

Demonstrate that control-plane audit logs are enabled comprehensively across all cloud subscriptions/accounts and regions, aggregated into a centralized repository with integrity protections, and actively monitored for security-relevant events.

Description

What this control does

Control-plane logs (AWS CloudTrail, Azure Activity Log, GCP Cloud Audit Logs) record API calls, administrative actions, and configuration changes across cloud infrastructure. Enabling these logs across all regions and accounts, centralizing them in a tamper-resistant storage location (such as a dedicated logging account or SIEM), and establishing automated monitoring ensures visibility into potentially malicious or erroneous privileged operations. This control is foundational for incident response, forensic investigation, compliance validation, and detection of lateral movement or privilege escalation in cloud environments.

Control objective

What auditing this proves

Demonstrate that control-plane audit logs are enabled comprehensively across all cloud subscriptions/accounts and regions, aggregated into a centralized repository with integrity protections, and actively monitored for security-relevant events.

Associated risks

Risks this control addresses

  • Unauthorized API calls or privilege escalation attempts go undetected due to missing or incomplete audit logs
  • Attackers disable or delete CloudTrail/Activity Logs in compromised accounts to erase evidence of malicious activity
  • Configuration drift or unauthorized infrastructure changes occur without attribution or accountability
  • Insider threats exfiltrate data or modify critical resources without triggering alerts due to lack of monitoring
  • Incident response and forensic investigations are impaired by log gaps, missing regional coverage, or decentralized storage
  • Compliance violations (GDPR, HIPAA, PCI-DSS audit trail requirements) occur due to insufficient retention or integrity controls
  • Delayed detection of compromised credentials or stolen access keys used to manipulate cloud resources

Testing procedure

How an auditor verifies this control

  1. Inventory all active cloud accounts, subscriptions, projects, and organizational units across AWS, Azure, and GCP environments in scope.
  2. Review control-plane logging configurations (CloudTrail trails, Azure Activity Log diagnostic settings, GCP Audit Logs) to verify enablement status for each account/subscription and confirm multi-region or global coverage.
  3. Examine log delivery destinations to confirm centralization into a dedicated logging account, Log Analytics workspace, Cloud Storage bucket, or third-party SIEM with appropriate access controls.
  4. Verify integrity protections such as log file validation (CloudTrail), immutable storage settings, or write-once-read-many configurations to prevent tampering or deletion.
  5. Sample recent control-plane log entries (within past 7 days) and validate presence of critical event types including IAM changes, security group modifications, resource deletions, and authentication events.
  6. Review SIEM or monitoring tool configurations to confirm automated alerting rules exist for high-risk events such as CloudTrail deletion attempts, root account usage, or unusual API call patterns.
  7. Test alert generation by simulating a control-plane event (e.g., creating a test IAM role or modifying a network security group) and verifying timely alert delivery to security operations personnel.
  8. Examine log retention policies and backup procedures to confirm compliance with regulatory requirements and organizational retention standards (typically 90 days to 7 years).
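As an added example (not part of this control page or of any vendor tooling), the following Python checks mirror steps 2, 4 and 6 for AWS: trail records in the shape boto3's describe_trails and get_trail_status return are tested for coverage and integrity settings, and a few CloudTrail log records are scanned for log-tampering events and root usage. The trail names, account ID, bucket names and records are constructed sample data.

```python
# Event names that disable or reshape CloudTrail; step 6 asks for alerts on these.
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed sample: fields from cloudtrail describe_trails() merged with
# get_trail_status()["IsLogging"] for each trail. Not a real account.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
     "LogFileValidationEnabled": True, "IsLogging": True, "S3BucketName": "central-logs"},
    {"Name": "dev-trail", "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True,
     "LogFileValidationEnabled": False, "IsLogging": True, "S3BucketName": "dev-logs"},
]

# Constructed sample: minimal records as found in a delivered CloudTrail log file.
SAMPLE_RECORDS = [
    {"eventName": "CreateRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
]


def trail_findings(trails, central_bucket):
    """Map trail name -> list of coverage/integrity failures (steps 2 to 4)."""
    checks = [
        ("IsLogging", "logging is stopped"),
        ("IsMultiRegionTrail", "single-region trail"),
        ("IncludeGlobalServiceEvents", "global service events (IAM, STS) excluded"),
        ("LogFileValidationEnabled", "log file validation disabled"),
    ]
    findings = {}
    for t in trails:
        issues = [msg for key, msg in checks if not t.get(key)]
        if t.get("S3BucketName") != central_bucket:
            issues.append("not delivered to the central logging bucket")
        if issues:
            findings[t["Name"]] = issues
    return findings


def alert_on_records(records):
    """Return (eventName, actor arn, reason) for records that warrant an alert (step 6)."""
    alerts = []
    for r in records:
        actor = r.get("userIdentity", {})
        if r.get("eventName") in TAMPER_EVENTS:
            alerts.append((r["eventName"], actor.get("arn"), "cloudtrail tampering"))
        elif actor.get("type") == "Root":
            alerts.append((r["eventName"], actor.get("arn"), "root account usage"))
    return alerts
```

Against a live account, feed the output of describe_trails and get_trail_status from every region into trail_findings, since a single-region trail in one region tells you nothing about the others.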

Evidence required

Configuration exports showing CloudTrail trail settings with multi-region and management event logging enabled, Azure Monitor diagnostic settings routing Activity Logs to a centralized workspace, and GCP Cloud Audit Logs configuration for Admin Activity and Data Access logs. Sample log entries demonstrating capture of privileged operations across accounts, with timestamps and actor attribution. Screenshots or configuration files showing SIEM ingestion pipelines, alert rule definitions, and evidence of recent alert generation for control-plane events.

Pass criteria

Control-plane logging is enabled across all in-scope accounts/subscriptions with multi-region coverage, logs are centralized into a protected repository with integrity controls, retention meets or exceeds regulatory requirements, and automated monitoring with a documented alert response process is operational.