CloudTrail Ruleset Compliance Matrix
CloudTrail Rulesets Overview
F5 Distributed Cloud App Infrastructure Protection (AIP) provides a CloudTrail Ruleset to help you get started on your security journey. We recognize that the CloudTrail Ruleset may not meet your organization's specific needs and so we created alternate compliance rulesets based on:
- HIPAA
- ISO 27001
- MPAA
- PCI
- SOC2
Distributed Cloud AIP also uses rules in the base ruleset to mitigate risky activity recognized by the MITRE ATT&CK Matrices.
CloudTrail Rulesets
To help clarify how these other compliance rulesets compare to the CloudTrail Base Ruleset, we created comparison charts for each compliance ruleset.
HIPAA ISO 27001 MPAA PCI SOC2
CloudTrail Ruleset | Supports Criteria | MITRE Criteria |
---|---|---|
CloudTrail: Access Denied | N/A | T1595 |
CloudTrail: AWS Kinesis Stream Changes | N/A | T1578 |
CloudTrail: AWS Network Firewall Changes | N/A | T1578, T1562 |
CloudTrail: AWS Organizations Activity | N/A | T1578 |
CloudTrail: AWS Support Case Changes | N/A | T1578 |
CloudTrail: AWS Support Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: Certificate Manager Changes | N/A | T1578 |
CloudTrail: Certificate Manager Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: CloudTrail Admin Activity | N/A | T1578, T1562 |
CloudTrail: Console Login by Root | HIPAA 164.308(a)(5)(ii)(C) | T1578, T1078 |
CloudTrail: Console Login: MFA Not Used | HIPAA 164.308(a)(5)(ii)(C) | N/A |
CloudTrail: Console Login: Root Password Change | HIPAA 164.308(a)(5)(ii)(D) | T1578 |
CloudTrail: DirectConnect Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: DirectConnect Policy Changes | N/A | T1578 |
CloudTrail: DynamoDB Backup Created | N/A | T1578 |
CloudTrail: DynamoDB Backup Deleted | N/A | |
CloudTrail: DynamoDB Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: DynamoDB Table Created | N/A | T1578 |
CloudTrail: DynamoDB Table Deleted | N/A | T1578 |
CloudTrail: EC2 Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: EC2 Instance in Non-Standard Region | N/A | T1583, T1578, T1535, T1496 |
CloudTrail: EC2 KeyPair Changes | HIPAA 164.312(c)(1) | T1578 |
CloudTrail: EC2 RunInstances | N/A | T1583, T1578, T1525, T1496 |
CloudTrail: EC2 Security Group Changes | HIPAA 164.312(c)(1) | T1578, T1562 |
CloudTrail: EC2 Service Changes | HIPAA 164.312(c)(1) | T1578 |
CloudTrail: EC2 Started with Non-Standard Image ID | HIPAA 164.312(c)(1) | T1583, T1578, T1525 |
CloudTrail: EC2 Started in Non-Standard VPC | HIPAA 164.312(c)(1) | T1583, T1578 |
CloudTrail: EC2 Wide Open Security Group | HIPAA 164.312(c)(1) | T1578, T1562 |
CloudTrail: ECR Create Repository | N/A | T1578, T1525 |
CloudTrail: ECR Delete Repository | N/A | T1578 |
CloudTrail: ECR Image Scan Findings - Severity CRITICAL | N/A | N/A |
CloudTrail: ECR Image Scan Findings - Severity HIGH | N/A | N/A |
CloudTrail: ECR Image Scan Findings - Severity MEDIUM | N/A | N/A |
CloudTrail: ECR Put Image | N/A | T1578, T1525 |
CloudTrail: ECR Put Image Scanning Configuration | N/A | T1578 |
CloudTrail: ECR Set Repository Policy | N/A | T1578 |
CloudTrail: ECS Account Setting Changes | N/A | T1578 |
CloudTrail: ECS Attribute Changes | N/A | T1578 |
CloudTrail: ECS Cluster Changes | N/A | T1578 |
CloudTrail: ECS Container Instance Changes | N/A | T1578 |
CloudTrail: ECS Resource Tag Changes | N/A | T1578 |
CloudTrail: ECS Service Changes | N/A | T1578 |
CloudTrail: ECS Task Definition Changes | N/A | T1578 |
CloudTrail: ECS Task Set Changes | N/A | T1578 |
CloudTrail: ECS Task State Changes | N/A | T1578 |
CloudTrail: ECS UpdateContainerAgent | N/A | T1578 |
CloudTrail: EKS Cluster Changes | N/A | T1578 |
CloudTrail: EKS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: ELB Changes | N/A | T1578 |
CloudTrail: ELB Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: ELB Listener Changes | N/A | T1578 |
CloudTrail: ELB Rule Changes | N/A | T1578 |
CloudTrail: ELB Target Changes | N/A | T1578 |
CloudTrail: Glacier Vault Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: Glacier Vault Changes | N/A | T1578 |
CloudTrail: IAM Access Key Changes | N/A | T1578, T1098 |
CloudTrail: IAM Compromised Key Activity | N/A | N/A |
CloudTrail: IAM GetAccountAuthorizationDetails | N/A | N/A |
CloudTrail: IAM Group Changes | N/A | T1578 |
CloudTrail: IAM Information Discovery | N/A | T1580, T1538, T1526, T1087, T1069 |
CloudTrail: IAM Instance Profile Changes | N/A | T1578 |
CloudTrail: IAM Policy Changes | N/A | T1578, T1556 |
CloudTrail: IAM Role Changes | N/A | T1578 |
CloudTrail: IAM SAML Changes | N/A | T1578 |
CloudTrail: IAM SSH Key Changes | N/A | T1578, T1098 |
CloudTrail: IAM User Changes | N/A | T1578, T1531, T1136 |
CloudTrail: KMS Key Activity | N/A | T1578, T1098 |
CloudTrail: KMS Key Alias Activity | N/A | T1578, T1098 |
CloudTrail: Lambda Function Created | N/A | T1578 |
CloudTrail: Lambda Function Deleted | N/A | T1578 |
CloudTrail: Lambda Permission Changes | N/A | T1578 |
CloudTrail: MFA Device Changes | N/A | T1556 |
CloudTrail: RDS Changes | N/A | T1578 |
CloudTrail: RDS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: Route53 DNS Record Changes | N/A | T1578 |
CloudTrail: Route53 DNS Zone Created | N/A | T1578 |
CloudTrail: Route53 DNS Zone Deleted | N/A | T1578 |
CloudTrail: Route53 ListHostedZones | N/A | N/A |
CloudTrail: S3 Bucket Policy Changes | HIPAA 164.312(c)(1) | T1578, T1530 |
CloudTrail: S3 Create Bucket | HIPAA 164.312(c)(1) | T1578 |
CloudTrail: S3 Delete Bucket | HIPAA 164.312(c)(1) | T1578 |
CloudTrail: S3 File Tracking | HIPAA 164.312(c)(1) | T1578, T1530 |
CloudTrail: SES Changes | N/A | T1578 |
CloudTrail: SES Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: SNS Changes | N/A | T1578 |
CloudTrail: SNS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
Cloudtrail: Spot Instances | N/A | T1583, T1578, T1525, T1496 |
CloudTrail: SQS Changes | N/A | T1578 |
CloudTrail: SQS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: SSM Cancel Command | N/A | N/A |
CloudTrail: SSM Create Component | N/A | T1578 |
CloudTrail: SSM Delete Component | N/A | T1578 |
CloudTrail: SSM Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: SSM Resume Session | N/A | N/A |
CloudTrail: SSM Send Command | N/A | N/A |
CloudTrail: SSM Session Terminated | N/A | N/A |
CloudTrail: SSM Start Automation Execution | N/A | N/A |
CloudTrail: SSM Start Session | N/A | N/A |
CloudTrail: STS AssumeRole | N/A | N/A |
CloudTrail: STS GetCallerIdentity | N/A | N/A |
CloudTrail: STS GetFederationToken | N/A | N/A |
CloudTrail: STS GetSessionToken | N/A | N/A |
CloudTrail: TransitGateway Activity | N/A | T1578 |
CloudTrail: VPC ACL Changes | N/A | T1578 |
CloudTrail: VPC ACL Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: VPC Changes | N/A | T1578 |
CloudTrail: VPC Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: VPC Interface Changes | N/A | T1578 |
CloudTrail: VPC Interface Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: VPC Route Changes | N/A | T1578 |
CloudTrail: VPC Subnet Changes | N/A | T1578, T1562 |
CloudTrail: VPC Subnet Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: WAF Changes | N/A | T1578, T1562 |
CloudTrail Ruleset | Supports Criteria | MITRE Criteria |
---|---|---|
CloudTrail: Access Denied | N/A | T1595 |
CloudTrail: AWS Kinesis Stream Changes | N/A | T1578 |
CloudTrail: AWS Network Firewall Changes | N/A | T1578, T1562 |
CloudTrail: AWS Organizations Activity | N/A | T1578 |
CloudTrail: AWS Support Case Changes | N/A | T1578 |
CloudTrail: AWS Support Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: Certificate Manager Changes | ISO 27001 A.12.3.1, A.12.3.2 | T1578 |
CloudTrail: Certificate Manager Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: CloudTrail Admin Activity | ISO 27001 A.10.10, A.12.4.1 and A.12.4.2 | T1578, T1562 |
CloudTrail: Console Login by Root | ISO 27001 A.11.5.1, A.11.5.2 | T1578, T1078 |
CloudTrail: Console Login: MFA Not Used | ISO 27001 A.11.5.1, A.11.5.2 | N/A |
CloudTrail: Console Login: Root Password Change | ISO 27001 A.11.5.1, A.11.5.2, A.11.5.3 | T1578 |
CloudTrail: DirectConnect Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: DirectConnect Policy Changes | N/A | T1578 |
CloudTrail: DynamoDB Backup Created | N/A | T1578 |
CloudTrail: DynamoDB Backup Deleted | N/A | T1578 |
CloudTrail: DynamoDB Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: DynamoDB Table Created | N/A | T1578 |
CloudTrail: DynamoDB Table Deleted | N/A | T1578 |
CloudTrail: EC2 Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: EC2 Instance in Non-Standard Region | N/A | T1583, T1578, T1535, T1496 |
CloudTrail: EC2 KeyPair Changes | ISO 27001 A.12.3.2 | T1578 |
CloudTrail: EC2 RunInstances | N/A | T1583, T1578, T1525, T1496 |
CloudTrail: EC2 Security Group Changes | ISO 27001 A.10.6, A.11.4.4, A.13.1 | T1578, T1562 |
CloudTrail: EC2 Service Changes | N/A | T1578 |
CloudTrail: EC2 Started with Non-Standard Image ID | N/A | T1583, T1578, T1525 |
CloudTrail: EC2 Started in Non-Standard VPC | N/A | T1583, T1578 |
CloudTrail: EC2 Wide Open Security Group | ISO 27001 A.13.1, A.11.4.4 | T1578, T1562 |
CloudTrail: ECR Create Repository | N/A | T1578, T1525 |
CloudTrail: ECR Delete Repository | N/A | T1578 |
CloudTrail: ECR Image Scan Findings - Severity CRITICAL | N/A | N/A |
CloudTrail: ECR Image Scan Findings - Severity HIGH | N/A | N/A |
CloudTrail: ECR Image Scan Findings - Severity MEDIUM | N/A | N/A |
CloudTrail: ECR Put Image | N/A | T1578, T1525 |
CloudTrail: ECR Put Image Scanning Configuration | N/A | T1578 |
CloudTrail: ECR Set Repository Policy | N/A | T1578 |
CloudTrail: ECS Account Setting Changes | N/A | T1578 |
CloudTrail: ECS Attribute Changes | N/A | T1578 |
CloudTrail: ECS Cluster Changes | N/A | T1578 |
CloudTrail: ECS Container Instance Changes | N/A | T1578 |
CloudTrail: ECS Resource Tag Changes | N/A | T1578 |
CloudTrail: ECS Service Changes | N/A | T1578 |
CloudTrail: ECS Task Definition Changes | N/A | T1578 |
CloudTrail: ECS Task Set Changes | N/A | T1578 |
CloudTrail: ECS Task State Changes | N/A | T1578 |
CloudTrail: ECS UpdateContainerAgent | N/A | T1578 |
CloudTrail: EKS Cluster Changes | N/A | T1578 |
CloudTrail: EKS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: ELB Changes | N/A | T1578 |
CloudTrail: ELB Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: ELB Listener Changes | N/A | T1578 |
CloudTrail: ELB Rule Changes | N/A | T1578 |
CloudTrail: ELB Target Changes | N/A | T1578 |
CloudTrail: Glacier Vault Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: Glacier Vault Changes | N/A | T1578 |
CloudTrail: IAM Access Key Changes | ISO 27001 A.11.1.1, A.11.2, A.11.4.1, A.12.3.2 | T1578, T1098 |
CloudTrail: IAM Compromised Key Activity | N/A | N/A |
CloudTrail: IAM GetAccountAuthorizationDetails | N/A | N/A |
CloudTrail: IAM Group Changes | ISO 27001 A.11.2, A.11.4.1 | T1578 |
CloudTrail: IAM Information Discovery | N/A | T1580, T1538, T1526, T1087, T1069 |
CloudTrail: IAM Instance Profile Changes | N/A | T1578 |
CloudTrail: IAM Policy Changes | ISO 27001 A.9.2, A.11.2, A.11.4.1 | T1578, T1556 |
CloudTrail: IAM Role Changes | ISO 27001 A.11.2, A.11.4.1 | T1578 |
CloudTrail: IAM SAML Changes | N/A | T1578 |
CloudTrail: IAM SSH Key Changes | ISO 27001 A.11.4.1, A.12.3.2 | T1578, T1098 |
CloudTrail: IAM User Changes | ISO 27001 A.11.2, A.11.4.1 | T1578, T1531, T1136 |
CloudTrail: KMS Key Activity | ISO 27001 A.12.3.2 | T1578, T1098 |
CloudTrail: KMS Key Alias Activity | N/A | T1578, T1098 |
CloudTrail: Lambda Function Created | N/A | T1578 |
CloudTrail: Lambda Function Deleted | N/A | T1578 |
CloudTrail: Lambda Permission Changes | N/A | T1578 |
CloudTrail: MFA Device Changes | N/A | T1556 |
CloudTrail: RDS Changes | N/A | T1578 |
CloudTrail: RDS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: Route53 DNS Record Changes | N/A | T1578 |
CloudTrail: Route53 DNS Zone Created | N/A | T1578 |
CloudTrail: Route53 DNS Zone Deleted | N/A | T1578 |
CloudTrail: Route53 ListHostedZones | N/A | N/A |
CloudTrail: S3 Bucket Policy Changes | ISO 27001 A.18.2 and A.18.1.4 | T1578, T1530 |
CloudTrail: S3 Create Bucket | N/A | T1578 |
CloudTrail: S3 Delete Bucket | N/A | T1578 |
CloudTrail: S3 File Tracking | ISO 27001 A.18.2 and A.18.1.4 | T1578, T1530 |
CloudTrail: SES Changes | N/A | T1578 |
CloudTrail: SES Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: SNS Changes | N/A | T1578 |
CloudTrail: SNS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
Cloudtrail: Spot Instances | N/A | T1583, T1578, T1525, T1496 |
CloudTrail: SQS Changes | N/A | T1578 |
CloudTrail: SQS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: SSM Cancel Command | N/A | N/A |
CloudTrail: SSM Create Component | N/A | T1578 |
CloudTrail: SSM Delete Component | N/A | T1578 |
CloudTrail: SSM Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: SSM Resume Session | N/A | N/A |
CloudTrail: SSM Send Command | N/A | N/A |
CloudTrail: SSM Session Terminated | N/A | N/A |
CloudTrail: SSM Start Automation Execution | N/A | N/A |
CloudTrail: SSM Start Session | N/A | N/A |
CloudTrail: STS AssumeRole | N/A | N/A |
CloudTrail: STS GetCallerIdentity | N/A | N/A |
CloudTrail: STS GetFederationToken | ISO 27001 A.11.4.2 | N/A |
CloudTrail: STS GetSessionToken | N/A | N/A |
CloudTrail: TransitGateway Activity | N/A | T1578 |
CloudTrail: VPC ACL Changes | ISO 27001 A.10.6, A.11.1.1, A.11.4.1, A.11.6.1 | T1578 |
CloudTrail: VPC ACL Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: VPC Changes | ISO 27001 A.10.6, A.11.4.1, A.11.4.5, A.11.6.2 | T1578 |
CloudTrail: VPC Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: VPC Interface Changes | N/A | T1578 |
CloudTrail: VPC Interface Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: VPC Route Changes | ISO 27001 A.11.4.7 | T1578 |
CloudTrail: VPC Subnet Changes | ISO 27001 A.11.4.5, A.11.4.7 | T1578, T1562 |
CloudTrail: VPC Subnet Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: WAF Changes | N/A | T1578, T1562 |
CloudTrail Ruleset | Supports Criteria | MITRE Criteria |
---|---|---|
CloudTrail: Access Denied | N/A | T1595 |
CloudTrail: AWS Kinesis Stream Changes | N/A | T1578 |
CloudTrail: AWS Network Firewall Changes | N/A | T1578, T1562 |
CloudTrail: AWS Organizations Activity | N/A | T1578 |
CloudTrail: AWS Support Case Changes | N/A | T1578 |
CloudTrail: AWS Support Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: Certificate Manager Changes | N/A | T1578 |
CloudTrail: Certificate Manager Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: CloudTrail Admin Activity | MPAA DS-7.1, DS-7.5, DS-9.0 | T1578, T1562 |
CloudTrail: Console Login by Root | N/A | T1578, T1078 |
CloudTrail: Console Login: MFA Not Used | MPAA DS-8.2 | N/A |
CloudTrail: Console Login: Root Password Change | N/A | T1578 |
CloudTrail: DirectConnect Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: DirectConnect Policy Changes | MPAA DS-1.0, DS-1.10 | T1578 |
CloudTrail: DynamoDB Backup Created | N/A | T1578 |
CloudTrail: DynamoDB Backup Deleted | N/A | T1578 |
CloudTrail: DynamoDB Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: DynamoDB Table Created | N/A | T1578 |
CloudTrail: DynamoDB Table Deleted | N/A | T1578 |
CloudTrail: EC2 Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: EC2 Instance in Non-Standard Region | N/A | T1583, T1578, T1535, T1496 |
CloudTrail: EC2 KeyPair Changes | N/A | T1578 |
CloudTrail: EC2 RunInstances | N/A | T1583, T1578, T1525, T1496 |
CloudTrail: EC2 Security Group Changes | MPAA DS-1.0, DS-1.2 | T1578, T1562 |
CloudTrail: EC2 Service Changes | N/A | T1578 |
CloudTrail: EC2 Started with Non-Standard Image ID | N/A | T1583, T1578, T1525 |
CloudTrail: EC2 Started in Non-Standard VPC | MPAA DS-1.0 and MPAA DS-9.3 | T1583, T1578 |
CloudTrail: EC2 Wide Open Security Group | MPAA DS-1.0 | T1578, T1562 |
CloudTrail: ECR Create Repository | N/A | T1578, T1525 |
CloudTrail: ECR Delete Repository | N/A | T1578 |
CloudTrail: ECR Image Scan Findings - Severity CRITICAL | N/A | N/A |
CloudTrail: ECR Image Scan Findings - Severity HIGH | N/A | N/A |
CloudTrail: ECR Image Scan Findings - Severity MEDIUM | N/A | N/A |
CloudTrail: ECR Put Image | N/A | T1578, T1525 |
CloudTrail: ECR Put Image Scanning Configuration | N/A | T1578 |
CloudTrail: ECR Set Repository Policy | N/A | T1578 |
CloudTrail: ECS Account Setting Changes | N/A | T1578 |
CloudTrail: ECS Attribute Changes | N/A | T1578 |
CloudTrail: ECS Cluster Changes | N/A | T1578 |
CloudTrail: ECS Container Instance Changes | N/A | T1578 |
CloudTrail: ECS Resource Tag Changes | N/A | T1578 |
CloudTrail: ECS Service Changes | N/A | T1578 |
CloudTrail: ECS Task Definition Changes | N/A | T1578 |
CloudTrail: ECS Task Set Changes | N/A | T1578 |
CloudTrail: ECS Task State Changes | N/A | T1578 |
CloudTrail: ECS UpdateContainerAgent | N/A | T1578 |
CloudTrail: EKS Cluster Changes | N/A | T1578 |
CloudTrail: EKS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: ELB Changes | MPAA DS-1.0 | T1578 |
CloudTrail: ELB Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: ELB Listener Changes | N/A | T1578 |
CloudTrail: ELB Rule Changes | N/A | T1578 |
CloudTrail: ELB Target Changes | N/A | T1578 |
CloudTrail: Glacier Vault Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: Glacier Vault Changes | N/A | T1578 |
CloudTrail: IAM Access Key Changes | MPAA DS-7.2 | T1578, T1098 |
CloudTrail: IAM Compromised Key Activity | N/A | N/A |
CloudTrail: IAM GetAccountAuthorizationDetails | N/A | N/A |
CloudTrail: IAM Group Changes | MPAA DS-3.1, DS-3.2, DS-7.0 | T1578 |
CloudTrail: IAM Information Discovery | N/A | T1580, T1538, T1526, T1087, T1069 |
CloudTrail: IAM Instance Profile Changes | N/A | T1578 |
CloudTrail: IAM Policy Changes | MPAA DS-3.1, DS-8.1, DS-8.2 | T1578, T1556 |
CloudTrail: IAM Role Changes | MPAA DS-3.1, DS-3.2, DS-7.0, DS-7.2 | T1578 |
CloudTrail: IAM SAML Changes | N/A | T1578 |
CloudTrail: IAM SSH Key Changes | N/A | T1578, T1098 |
CloudTrail: IAM User Changes | MPAA DS-3.1, DS-3.2, DS-7.0, DS-7.2, DS-8.2 | T1578, T1531, T1136 |
CloudTrail: KMS Key Activity | N/A | T1578, T1098 |
CloudTrail: KMS Key Alias Activity | N/A | T1578, T1098 |
CloudTrail: Lambda Function Created | N/A | T1578 |
CloudTrail: Lambda Function Deleted | N/A | T1578 |
CloudTrail: Lambda Permission Changes | N/A | T1578 |
CloudTrail: MFA Device Changes | N/A | T1556 |
CloudTrail: RDS Changes | N/A | T1578 |
CloudTrail: RDS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: Route53 DNS Record Changes | MPAA DS-1.0 | T1578 |
CloudTrail: Route53 DNS Zone Created | N/A | T1578 |
CloudTrail: Route53 DNS Zone Deleted | N/A | T1578 |
CloudTrail: Route53 ListHostedZones | N/A | N/A |
CloudTrail: S3 Bucket Policy Changes | N/A | T1578, T1530 |
CloudTrail: S3 Create Bucket | N/A | T1578 |
CloudTrail: S3 Delete Bucket | N/A | T1578 |
CloudTrail: S3 File Tracking | N/A | T1578, T1530 |
CloudTrail: SES Changes | N/A | T1578 |
CloudTrail: SES Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: SNS Changes | N/A | T1578 |
CloudTrail: SNS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
Cloudtrail: Spot Instances | N/A | T1583, T1578, T1525, T1496 |
CloudTrail: SQS Changes | N/A | T1578 |
CloudTrail: SQS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: SSM Cancel Command | N/A | N/A |
CloudTrail: SSM Create Component | N/A | T1578 |
CloudTrail: SSM Delete Component | N/A | T1578 |
CloudTrail: SSM Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: SSM Resume Session | N/A | N/A |
CloudTrail: SSM Send Command | N/A | N/A |
CloudTrail: SSM Session Terminated | N/A | N/A |
CloudTrail: SSM Start Automation Execution | N/A | N/A |
CloudTrail: SSM Start Session | N/A | N/A |
CloudTrail: STS AssumeRole | N/A | N/A |
CloudTrail: STS GetCallerIdentity | N/A | N/A |
CloudTrail: STS GetFederationToken | N/A | N/A |
CloudTrail: STS GetSessionToken | N/A | N/A |
CloudTrail: TransitGateway Activity | N/A | T1578 |
CloudTrail: VPC ACL Changes | MPAA DS-1.2 | T1578 |
CloudTrail: VPC ACL Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: VPC Changes | MPAA DS-1.0 | T1578 |
CloudTrail: VPC Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: VPC Interface Changes | N/A | T1578 |
CloudTrail: VPC Interface Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: VPC Route Changes | N/A | T1578 |
CloudTrail: VPC Subnet Changes | N/A | T1578, T1562 |
CloudTrail: VPC Subnet Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: WAF Changes | N/A | T1578, T1562 |
CloudTrail Ruleset | Supports Criteria | MITRE Criteria |
---|---|---|
CloudTrail: Access Denied | N/A | T1595 |
CloudTrail: AWS Kinesis Stream Changes | N/A | T1578 |
CloudTrail: AWS Network Firewall Changes | N/A | T1578, T1562 |
CloudTrail: AWS Organizations Activity | N/A | T1578 |
CloudTrail: AWS Support Case Changes | N/A | T1578 |
CloudTrail: AWS Support Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: Certificate Manager Changes | PCI 10.1, 10.2, and 10.3 | T1578 |
CloudTrail: Certificate Manager Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: CloudTrail Admin Activity | PCI 10.1, 10.2, 10.3, 10.5, and 10.6 | T1578, T1562 |
CloudTrail: Console Login by Root | PCI 10.1, 10.2, and 10.3 | T1578, T1078 |
CloudTrail: Console Login: MFA Not Used | PCI 10.1, 10.2, and 10.3 | N/A |
CloudTrail: Console Login: Root Password Change | PCI 10.1, 10.2, and 10.3 | T1578 |
CloudTrail: DirectConnect Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: DirectConnect Policy Changes | N/A | T1578 |
CloudTrail: DynamoDB Backup Created | N/A | T1578 |
CloudTrail: DynamoDB Backup Deleted | N/A | T1578 |
CloudTrail: DynamoDB Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: DynamoDB Table Created | N/A | T1578 |
CloudTrail: DynamoDB Table Deleted | N/A | T1578 |
CloudTrail: EC2 Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: EC2 Instance in Non-Standard Region | N/A | T1583, T1578, T1535, T1496 |
CloudTrail: EC2 KeyPair Changes | PCI 10.1, 10.2, and 10.3 | T1578 |
CloudTrail: EC2 RunInstances | N/A | T1583, T1578, T1525, T1496 |
CloudTrail: EC2 Security Group Changes | PCI 10.1, 10.2, and 10.3 | T1578, T1562 |
CloudTrail: EC2 Service Changes | PCI 10.1, 10.2, and 10.3 | T1578 |
CloudTrail: EC2 Started with Non-Standard Image ID | PCI 10.1, 10.2, and 10.3 | T1583, T1578, T1525 |
CloudTrail: EC2 Started in Non-Standard VPC | PCI 10.1, 10.2, and 10.3 | T1583, T1578 |
CloudTrail: EC2 Wide Open Security Group | PCI 10.1, 10.2, and 10.3 | T1578, T1562 |
CloudTrail: ECR Create Repository | N/A | T1578, T1525 |
CloudTrail: ECR Delete Repository | N/A | T1578 |
CloudTrail: ECR Image Scan Findings - Severity CRITICAL | N/A | N/A |
CloudTrail: ECR Image Scan Findings - Severity HIGH | N/A | N/A |
CloudTrail: ECR Image Scan Findings - Severity MEDIUM | N/A | N/A |
CloudTrail: ECR Put Image | N/A | T1578, T1525 |
CloudTrail: ECR Put Image Scanning Configuration | N/A | T1578 |
CloudTrail: ECR Set Repository Policy | N/A | T1578 |
CloudTrail: ECS Account Setting Changes | N/A | T1578 |
CloudTrail: ECS Attribute Changes | N/A | T1578 |
CloudTrail: ECS Cluster Changes | N/A | T1578 |
CloudTrail: ECS Container Instance Changes | N/A | T1578 |
CloudTrail: ECS Resource Tag Changes | N/A | T1578 |
CloudTrail: ECS Service Changes | N/A | T1578 |
CloudTrail: ECS Task Definition Changes | N/A | T1578 |
CloudTrail: ECS Task Set Changes | N/A | T1578 |
CloudTrail: ECS Task State Changes | N/A | T1578 |
CloudTrail: ECS UpdateContainerAgent | N/A | T1578 |
CloudTrail: EKS Cluster Changes | N/A | T1578 |
CloudTrail: EKS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: ELB Changes | N/A | T1578 |
CloudTrail: ELB Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: ELB Listener Changes | N/A | T1578 |
CloudTrail: ELB Rule Changes | N/A | T1578 |
CloudTrail: ELB Target Changes | N/A | T1578 |
CloudTrail: Glacier Vault Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: Glacier Vault Changes | N/A | T1578 |
CloudTrail: IAM Access Key Changes | PCI 10.1, 10.2, 10.3, and 10.6 | T1578, T1098 |
CloudTrail: IAM Compromised Key Activity | N/A | N/A |
CloudTrail: IAM GetAccountAuthorizationDetails | PCI 10.1, 10.2, 10.3, and 10.6 | N/A |
CloudTrail: IAM Group Changes | PCI 10.1, 10.2, 10.3, and 10.6 | T1578 |
CloudTrail: IAM Information Discovery | N/A | T1580, T1538, T1526, T1087, T1069 |
CloudTrail: IAM Instance Profile Changes | PCI 10.1, 10.2, 10.3, and 10.6 | T1578 |
CloudTrail: IAM Policy Changes | PCI 10.1, 10.2, 10.3, and 10.6 | T1578, T1556 |
CloudTrail: IAM Role Changes | PCI 10.1, 10.2, 10.3, and 10.6 | T1578 |
CloudTrail: IAM SAML Changes | PCI 10.1, 10.2, 10.3, and 10.6 | T1578 |
CloudTrail: IAM SSH Key Changes | PCI 10.1, 10.2, 10.3, and 10.6 | T1578, T1098 |
CloudTrail: IAM User Changes | PCI 10.1, 10.2, 10.3, and 10.6 | T1578, T1531, T1136 |
CloudTrail: KMS Key Activity | N/A | T1578, T1098 |
CloudTrail: KMS Key Alias Activity | N/A | T1578, T1098 |
CloudTrail: Lambda Function Created | N/A | T1578 |
CloudTrail: Lambda Function Deleted | N/A | T1578 |
CloudTrail: Lambda Permission Changes | N/A | T1578 |
CloudTrail: MFA Device Changes | N/A | T1556 |
CloudTrail: RDS Changes | N/A | T1578 |
CloudTrail: RDS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: Route53 DNS Record Changes | N/A | T1578 |
CloudTrail: Route53 DNS Zone Created | N/A | T1578 |
CloudTrail: Route53 DNS Zone Deleted | N/A | T1578 |
CloudTrail: Route53 ListHostedZones | N/A | N/A |
CloudTrail: S3 Bucket Policy Changes | PCI 11.5 | T1578, T1530 |
CloudTrail: S3 Create Bucket | PCI 11.5 | T1578 |
CloudTrail: S3 Delete Bucket | PCI 11.5 | T1578 |
CloudTrail: S3 File Tracking | PCI 11.5 | T1578, T1530 |
CloudTrail: SES Changes | N/A | T1578 |
CloudTrail: SES Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: SNS Changes | N/A | T1578 |
CloudTrail: SNS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
Cloudtrail: Spot Instances | N/A | T1583, T1578, T1525, T1496 |
CloudTrail: SQS Changes | N/A | T1578 |
CloudTrail: SQS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: SSM Cancel Command | N/A | N/A |
CloudTrail: SSM Create Component | N/A | T1578 |
CloudTrail: SSM Delete Component | N/A | T1578 |
CloudTrail: SSM Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: SSM Resume Session | N/A | N/A |
CloudTrail: SSM Send Command | N/A | N/A |
CloudTrail: SSM Session Terminated | N/A | N/A |
CloudTrail: SSM Start Automation Execution | N/A | N/A |
CloudTrail: SSM Start Session | N/A | N/A |
CloudTrail: STS AssumeRole | PCI 10.1, 10.2, 10.3, and 10.6 | N/A |
CloudTrail: STS GetCallerIdentity | N/A | N/A |
CloudTrail: STS GetFederationToken | PCI 10.1, 10.2, 10.3, and 10.6 | N/A |
CloudTrail: STS GetSessionToken | PCI 10.1, 10.2, 10.3, and 10.6 | N/A |
CloudTrail: TransitGateway Activity | N/A | T1578 |
CloudTrail: VPC ACL Changes | PCI 10.1, 10.2, and 10.3 | T1578 |
CloudTrail: VPC ACL Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: VPC Changes | PCI 10.1, 10.2, and 10.3 | T1578 |
CloudTrail: VPC Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: VPC Interface Changes | PCI 10.1, 10.2, and 10.3 | T1578 |
CloudTrail: VPC Interface Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: VPC Route Changes | PCI 10.1, 10.2, and 10.3 | T1578 |
CloudTrail: VPC Subnet Changes | PCI 10.1, 10.2, and 10.3 | T1578, T1562 |
CloudTrail: VPC Subnet Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: WAF Changes | N/A | T1578, T1562 |
CloudTrail Ruleset | Supports Criteria | MITRE Criteria |
---|---|---|
CloudTrail: Access Denied | N/A | T1595 |
CloudTrail: AWS Kinesis Stream Changes | N/A | T1578 |
CloudTrail: AWS Network Firewall Changes | N/A | T1578, T1562 |
CloudTrail: AWS Organizations Activity | N/A | T1578 |
CloudTrail: AWS Support Case Changes | N/A | T1578 |
CloudTrail: AWS Support Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: Certificate Manager Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578 |
CloudTrail: Certificate Manager Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: CloudTrail Admin Activity | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578, T1562 |
CloudTrail: Console Login by Root | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578, T1078 |
CloudTrail: Console Login: MFA Not Used | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | N/A |
CloudTrail: Console Login: Root Password Change | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578 |
CloudTrail: DirectConnect Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: DirectConnect Policy Changes | N/A | T1578 |
CloudTrail: DynamoDB Backup Created | N/A | T1578 |
CloudTrail: DynamoDB Backup Deleted | N/A | T1578 |
CloudTrail: DynamoDB Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: DynamoDB Table Created | N/A | T1578 |
CloudTrail: DynamoDB Table Deleted | N/A | T1578 |
CloudTrail: EC2 Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: EC2 Instance in Non-Standard Region | N/A | T1583, T1578, T1535, T1496 |
CloudTrail: EC2 KeyPair Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578 |
CloudTrail: EC2 RunInstances | N/A | T1583, T1578, T1525, T1496 |
CloudTrail: EC2 Security Group Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578, T1562 |
CloudTrail: EC2 Service Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578 |
CloudTrail: EC2 Started with Non-Standard Image ID | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1583, T1578, T1525 |
CloudTrail: EC2 Started in Non-Standard VPC | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1583, T1578 |
CloudTrail: EC2 Wide Open Security Group | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578, T1562 |
CloudTrail: ECR Create Repository | N/A | T1578, T1525 |
CloudTrail: ECR Delete Repository | N/A | T1578 |
CloudTrail: ECR Image Scan Findings - Severity CRITICAL | N/A | N/A |
CloudTrail: ECR Image Scan Findings - Severity HIGH | N/A | N/A |
CloudTrail: ECR Image Scan Findings - Severity MEDIUM | N/A | N/A |
CloudTrail: ECR Put Image | N/A | T1578, T1525 |
CloudTrail: ECR Put Image Scanning Configuration | N/A | T1578 |
CloudTrail: ECR Set Repository Policy | N/A | T1578 |
CloudTrail: ECS Account Setting Changes | N/A | T1578 |
CloudTrail: ECS Attribute Changes | N/A | T1578 |
CloudTrail: ECS Cluster Changes | N/A | T1578 |
CloudTrail: ECS Container Instance Changes | N/A | T1578 |
CloudTrail: ECS Resource Tag Changes | N/A | T1578 |
CloudTrail: ECS Service Changes | N/A | T1578 |
CloudTrail: ECS Task Definition Changes | N/A | T1578 |
CloudTrail: ECS Task Set Changes | N/A | T1578 |
CloudTrail: ECS Task State Changes | N/A | T1578 |
CloudTrail: ECS UpdateContainerAgent | N/A | T1578 |
CloudTrail: EKS Cluster Changes | N/A | T1578 |
CloudTrail: EKS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: ELB Changes | N/A | T1578 |
CloudTrail: ELB Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: ELB Listener Changes | N/A | T1578 |
CloudTrail: ELB Rule Changes | N/A | T1578 |
CloudTrail: ELB Target Changes | N/A | T1578 |
CloudTrail: Glacier Vault Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: Glacier Vault Changes | N/A | T1578 |
CloudTrail: IAM Access Key Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578, T1098 |
CloudTrail: IAM Compromised Key Activity | N/A | N/A |
CloudTrail: IAM GetAccountAuthorizationDetails | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | N/A |
CloudTrail: IAM Group Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578 |
CloudTrail: IAM Information Discovery | N/A | T1580, T1538, T1526, T1087, T1069 |
CloudTrail: IAM Instance Profile Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578 |
CloudTrail: IAM Policy Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578, T1556 |
CloudTrail: IAM Role Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578 |
CloudTrail: IAM SAML Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578 |
CloudTrail: IAM SSH Key Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578, T1098 |
CloudTrail: IAM User Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578, T1531, T1136 |
CloudTrail: KMS Key Activity | N/A | T1578, T1098 |
CloudTrail: KMS Key Alias Activity | N/A | T1578, T1098 |
CloudTrail: Lambda Function Created | N/A | T1578 |
CloudTrail: Lambda Function Deleted | N/A | T1578 |
CloudTrail: Lambda Permission Changes | N/A | T1578 |
CloudTrail: MFA Device Changes | N/A | T1556 |
CloudTrail: RDS Changes | N/A | T1578 |
CloudTrail: RDS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: Route53 DNS Record Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578 |
CloudTrail: Route53 DNS Zone Created | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578 |
CloudTrail: Route53 DNS Zone Deleted | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578 |
CloudTrail: Route53 ListHostedZones | N/A | N/A |
CloudTrail: S3 Bucket Policy Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578, T1530 |
CloudTrail: S3 Create Bucket | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578 |
CloudTrail: S3 Delete Bucket | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578 |
CloudTrail: S3 File Tracking | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578, T1530 |
CloudTrail: SES Changes | N/A | T1578 |
CloudTrail: SES Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: SNS Changes | N/A | T1578 |
CloudTrail: SNS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: Spot Instances | N/A | T1583, T1578, T1525, T1496 |
CloudTrail: SQS Changes | N/A | T1578 |
CloudTrail: SQS Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: SSM Cancel Command | N/A | N/A |
CloudTrail: SSM Create Component | N/A | T1578 |
CloudTrail: SSM Delete Component | N/A | T1578 |
CloudTrail: SSM Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: SSM Resume Session | N/A | N/A |
CloudTrail: SSM Send Command | N/A | N/A |
CloudTrail: SSM Session Terminated | N/A | N/A |
CloudTrail: SSM Start Automation Execution | N/A | N/A |
CloudTrail: SSM Start Session | N/A | N/A |
CloudTrail: STS AssumeRole | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | N/A |
CloudTrail: STS GetCallerIdentity | N/A | N/A |
CloudTrail: STS GetFederationToken | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | N/A |
CloudTrail: STS GetSessionToken | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | N/A |
CloudTrail: TransitGateway Activity | N/A | T1578 |
CloudTrail: VPC ACL Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578 |
CloudTrail: VPC ACL Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: VPC Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578 |
CloudTrail: VPC Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: VPC Interface Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578 |
CloudTrail: VPC Interface Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: VPC Route Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578 |
CloudTrail: VPC Subnet Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) | T1578, T1562 |
CloudTrail: VPC Subnet Information Discovery | N/A | T1580, T1538, T1526, T1087 |
CloudTrail: WAF Changes | N/A | T1578, T1562 |