CloudTrail Protection

Policy Description

What this SCP does

This Service Control Policy (SCP) prevents tampering with CloudTrail logs by blocking attempts to delete trails, update configurations, or stop logging activities. This ensures audit logs remain intact for compliance and security investigations.

The policy explicitly denies the deletion of trails, updates to trail configurations, and stopping of logging. This preserves the integrity of your audit trail even if someone gains unauthorized access to your AWS account.

Validation Strategy

How to test this SCP works

To validate this SCP, try to delete, update, or stop logging for a CloudTrail trail:

Valid test: Create a new CloudTrail trail (should succeed)
Valid test: Start logging on a trail (should succeed)
Invalid test: Delete a trail (should be denied)
Invalid test: Update a trail's configuration (should be denied)
Invalid test: Stop logging on a trail (should be denied)

We expect creation of trails and starting logging to succeed, while any operations that would tamper with existing trails (delete, update, stop logging) should be denied with an AccessDenied error.

SCP Policy & Validation Scenarios

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BlockCloudTrailTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:StopLogging"
      ],
      "Resource": "*"
    }
  ]
}

# Create a test trail (if allowed)
aws cloudtrail create-trail \
    --name test-scp-trail \
    --s3-bucket-name my-cloudtrail-bucket

# Start logging on the trail
aws cloudtrail start-logging --name test-scp-trail

# Try to delete the trail (this should be denied)
aws cloudtrail delete-trail --name test-scp-trail

# Try to update the trail (this should be denied)
aws cloudtrail update-trail \
    --name test-scp-trail \
    --is-multi-region-trail

# Try to stop logging (this should be denied)
aws cloudtrail stop-logging --name test-scp-trail

import boto3

# Initialize CloudTrail client
cloudtrail_client = boto3.client('cloudtrail')
s3_client = boto3.client('s3')

# Create test resources
try:
    # Create S3 bucket for trail (if it doesn't exist)
    bucket_name = 'my-cloudtrail-bucket-test'
    try:
        s3_client.create_bucket(Bucket=bucket_name)
        print(f"Created bucket for CloudTrail logs: {bucket_name}")
    except Exception as e:
        print(f"Note: {e}")
    
    # Create a test trail
    try:
        cloudtrail_client.create_trail(
            Name='test-scp-trail',
            S3BucketName=bucket_name,
            IsMultiRegionTrail=False
        )
        print("Created test CloudTrail trail")
        
        # Start logging
        cloudtrail_client.start_logging(Name='test-scp-trail')
        print("Started logging on test trail")
        
        # Try to delete the trail (this should be denied)
        try:
            cloudtrail_client.delete_trail(Name='test-scp-trail')
            print("WARNING: Successfully deleted trail - SCP is NOT restricting as expected")
        except Exception as e:
            print(f"Expected error for delete trail if SCP is working: {e}")
        
        # Try to update the trail (this should be denied)
        try:
            cloudtrail_client.update_trail(
                Name='test-scp-trail',
                IsMultiRegionTrail=True
            )
            print("WARNING: Successfully updated trail - SCP is NOT restricting as expected")
        except Exception as e:
            print(f"Expected error for update trail if SCP is working: {e}")
        
        # Try to stop logging (this should be denied)
        try:
            cloudtrail_client.stop_logging(Name='test-scp-trail')
            print("WARNING: Successfully stopped logging - SCP is NOT restricting as expected")
        except Exception as e:
            print(f"Expected error for stop logging if SCP is working: {e}")
            
    except Exception as e:
        print(f"Could not create test trail: {e}")
        
except Exception as e:
    print(f"Error setting up test environment: {e}")