CloudTrail Ruleset Compliance Matrix
CloudTrail Rulesets Overview

App Infrastructure Protection (AIP) provides a base CloudTrail Ruleset to help you get started on your security journey. We recognize that the base CloudTrail Ruleset may not meet your organization's specific needs, so we also created alternate compliance rulesets based on:

  • HIPAA
  • ISO 27001
  • MPAA
  • PCI
  • SOC2

AIP also uses rules in the base ruleset to flag risky activity that maps to techniques in the MITRE ATT&CK matrices; the MITRE Criteria column below lists the technique IDs each rule is mapped to.

CloudTrail Rulesets

To help clarify how these other compliance rulesets compare to the CloudTrail Base Ruleset, we created comparison charts for each compliance ruleset.

Comparison chart tabs: HIPAA | ISO 27001 | MPAA | PCI | SOC2

The HIPAA chart is reproduced below. "N/A" in the Supports Criteria column means the rule is not mapped to a HIPAA control; "N/A" in the MITRE Criteria column means the rule has no ATT&CK technique mapping.

CloudTrail Rule | Supports Criteria (HIPAA) | MITRE Criteria
------------------------------------------------------------
CloudTrail: Access Denied | N/A | T1595
CloudTrail: AWS Kinesis Stream Changes | N/A | T1578
CloudTrail: AWS Network Firewall Changes | N/A | T1578, T1562
CloudTrail: AWS Organizations Activity | N/A | T1578
CloudTrail: AWS Support Case Changes | N/A | T1578
CloudTrail: AWS Support Information Discovery | N/A | T1580, T1538, T1526, T1087
CloudTrail: Certificate Manager Changes | N/A | T1578
CloudTrail: Certificate Manager Information Discovery | N/A | T1580, T1538, T1526, T1087
CloudTrail: CloudTrail Admin Activity | N/A | T1578, T1562
CloudTrail: Console Login by Root | HIPAA 164.308(a)(5)(ii)(C) | T1578, T1078
CloudTrail: Console Login: MFA Not Used | HIPAA 164.308(a)(5)(ii)(C) | N/A
CloudTrail: Console Login: Root Password Change | HIPAA 164.308(a)(5)(ii)(D) | T1578
CloudTrail: DirectConnect Information Discovery | N/A | T1580, T1538, T1526, T1087
CloudTrail: DirectConnect Policy Changes | N/A | T1578
CloudTrail: DynamoDB Backup Created | N/A | T1578
CloudTrail: DynamoDB Backup Deleted | N/A |
CloudTrail: DynamoDB Information Discovery | N/A | T1580, T1538, T1526, T1087
CloudTrail: DynamoDB Table Created | N/A | T1578
CloudTrail: DynamoDB Table Deleted | N/A | T1578
CloudTrail: EC2 Information Discovery | N/A | T1580, T1538, T1526, T1087
CloudTrail: EC2 Instance in Non-Standard Region | N/A | T1583, T1578, T1535, T1496
CloudTrail: EC2 KeyPair Changes | HIPAA 164.312(c)(1) | T1578
CloudTrail: EC2 RunInstances | N/A | T1583, T1578, T1525, T1496
CloudTrail: EC2 Security Group Changes | HIPAA 164.312(c)(1) | T1578, T1562
CloudTrail: EC2 Service Changes | HIPAA 164.312(c)(1) | T1578
CloudTrail: EC2 Started with Non-Standard Image ID | HIPAA 164.312(c)(1) | T1583, T1578, T1525
CloudTrail: EC2 Started in Non-Standard VPC | HIPAA 164.312(c)(1) | T1583, T1578
CloudTrail: EC2 Wide Open Security Group | HIPAA 164.312(c)(1) | T1578, T1562
CloudTrail: ECR Create Repository | N/A | T1578, T1525
CloudTrail: ECR Delete Repository | N/A | T1578
CloudTrail: ECR Image Scan Findings - Severity CRITICAL | N/A | N/A
CloudTrail: ECR Image Scan Findings - Severity HIGH | N/A | N/A
CloudTrail: ECR Image Scan Findings - Severity MEDIUM | N/A | N/A
CloudTrail: ECR Put Image | N/A | T1578, T1525
CloudTrail: ECR Put Image Scanning Configuration | N/A | T1578
CloudTrail: ECR Set Repository Policy | N/A | T1578
CloudTrail: ECS Account Setting Changes | N/A | T1578
CloudTrail: ECS Attribute Changes | N/A | T1578
CloudTrail: ECS Cluster Changes | N/A | T1578
CloudTrail: ECS Container Instance Changes | N/A | T1578
CloudTrail: ECS Resource Tag Changes | N/A | T1578
CloudTrail: ECS Service Changes | N/A | T1578
CloudTrail: ECS Task Definition Changes | N/A | T1578
CloudTrail: ECS Task Set Changes | N/A | T1578
CloudTrail: ECS Task State Changes | N/A | T1578
CloudTrail: ECS UpdateContainerAgent | N/A | T1578
CloudTrail: EKS Cluster Changes | N/A | T1578
CloudTrail: EKS Information Discovery | N/A | T1580, T1538, T1526, T1087
CloudTrail: ELB Changes | N/A | T1578
CloudTrail: ELB Information Discovery | N/A | T1580, T1538, T1526, T1087
CloudTrail: ELB Listener Changes | N/A | T1578
CloudTrail: ELB Rule Changes | N/A | T1578
CloudTrail: ELB Target Changes | N/A | T1578
CloudTrail: Glacier Vault Information Discovery | N/A | T1580, T1538, T1526, T1087
CloudTrail: Glacier Vault Changes | N/A | T1578
CloudTrail: IAM Access Key Changes | N/A | T1578, T1098
CloudTrail: IAM Compromised Key Activity | N/A | N/A
CloudTrail: IAM GetAccountAuthorizationDetails | N/A | N/A
CloudTrail: IAM Group Changes | N/A | T1578
CloudTrail: IAM Information Discovery | N/A | T1580, T1538, T1526, T1087, T1069
CloudTrail: IAM Instance Profile Changes | N/A | T1578
CloudTrail: IAM Policy Changes | N/A | T1578, T1556
CloudTrail: IAM Role Changes | N/A | T1578
CloudTrail: IAM SAML Changes | N/A | T1578
CloudTrail: IAM SSH Key Changes | N/A | T1578, T1098
CloudTrail: IAM User Changes | N/A | T1578, T1531, T1136
CloudTrail: KMS Key Activity | N/A | T1578, T1098
CloudTrail: KMS Key Alias Activity | N/A | T1578, T1098
CloudTrail: Lambda Function Created | N/A | T1578
CloudTrail: Lambda Function Deleted | N/A | T1578
CloudTrail: Lambda Permission Changes | N/A | T1578
CloudTrail: MFA Device Changes | N/A | T1556
CloudTrail: RDS Changes | N/A | T1578
CloudTrail: RDS Information Discovery | N/A | T1580, T1538, T1526, T1087
CloudTrail: Route53 DNS Record Changes | N/A | T1578
CloudTrail: Route53 DNS Zone Created | N/A | T1578
CloudTrail: Route53 DNS Zone Deleted | N/A | T1578
CloudTrail: Route53 ListHostedZones | N/A | N/A
CloudTrail: S3 Bucket Policy Changes | HIPAA 164.312(c)(1) | T1578, T1530
CloudTrail: S3 Create Bucket | HIPAA 164.312(c)(1) | T1578
CloudTrail: S3 Delete Bucket | HIPAA 164.312(c)(1) | T1578
CloudTrail: S3 File Tracking | HIPAA 164.312(c)(1) | T1578, T1530
CloudTrail: SES Changes | N/A | T1578
CloudTrail: SES Information Discovery | N/A | T1580, T1538, T1526, T1087
CloudTrail: SNS Changes | N/A | T1578
CloudTrail: SNS Information Discovery | N/A | T1580, T1538, T1526, T1087
CloudTrail: Spot Instances | N/A | T1583, T1578, T1525, T1496
CloudTrail: SQS Changes | N/A | T1578
CloudTrail: SQS Information Discovery | N/A | T1580, T1538, T1526, T1087
CloudTrail: SSM Cancel Command | N/A | N/A
CloudTrail: SSM Create Component | N/A | T1578
CloudTrail: SSM Delete Component | N/A | T1578
CloudTrail: SSM Information Discovery | N/A | T1580, T1538, T1526, T1087
CloudTrail: SSM Resume Session | N/A | N/A
CloudTrail: SSM Send Command | N/A | N/A
CloudTrail: SSM Session Terminated | N/A | N/A
CloudTrail: SSM Start Automation Execution | N/A | N/A
CloudTrail: SSM Start Session | N/A | N/A
CloudTrail: STS AssumeRole | N/A | N/A
CloudTrail: STS GetCallerIdentity | N/A | N/A
CloudTrail: STS GetFederationToken | N/A | N/A
CloudTrail: STS GetSessionToken | N/A | N/A
CloudTrail: TransitGateway Activity | N/A | T1578
CloudTrail: VPC ACL Changes | N/A | T1578
CloudTrail: VPC ACL Information Discovery | N/A | T1580, T1538, T1526, T1087
CloudTrail: VPC Changes | N/A | T1578
CloudTrail: VPC Information Discovery | N/A | T1580, T1538, T1526, T1087
CloudTrail: VPC Interface Changes | N/A | T1578
CloudTrail: VPC Interface Information Discovery | N/A | T1580, T1538, T1526, T1087
CloudTrail: VPC Route Changes | N/A | T1578
CloudTrail: VPC Subnet Changes | N/A | T1578, T1562
CloudTrail: VPC Subnet Information Discovery | N/A | T1580, T1538, T1526, T1087
CloudTrail: WAF Changes | N/A | T1578, T1562

MITRE ATT&CK technique IDs used in the chart: T1069 Permission Groups Discovery; T1078 Valid Accounts; T1087 Account Discovery; T1098 Account Manipulation; T1136 Create Account; T1496 Resource Hijacking; T1525 Implant Internal Image; T1526 Cloud Service Discovery; T1530 Data from Cloud Storage; T1531 Account Access Removal; T1535 Unused/Unsupported Cloud Regions; T1538 Cloud Service Dashboard; T1556 Modify Authentication Process; T1562 Impair Defenses; T1578 Modify Cloud Compute Infrastructure; T1580 Cloud Infrastructure Discovery; T1583 Acquire Infrastructure; T1595 Active Scanning.

HIPAA citations used in the chart: 164.308(a)(5)(ii)(C) Log-in monitoring; 164.308(a)(5)(ii)(D) Password management; 164.312(c)(1) Integrity.
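The chart gives rule names only. To show what a few of those rules actually match in a CloudTrail record, here is an added Python example; it is not AIP's rule engine and not code from this page. It assumes the standard CloudTrail record layout (eventName, userIdentity.type, additionalEventData.MFAUsed, requestParameters.ipPermissions, errorCode, awsRegion); the matching conditions are this editor's reading of the rule names, not AIP's definitions; STANDARD_REGIONS is a made-up allow-list; and the sample log is constructed. The MITRE IDs attached to each finding are copied from the HIPAA chart.

```python
"""Illustrative matching for a few rules from the CloudTrail Ruleset chart.

Added example, not AIP's rule engine. Field names are standard CloudTrail
record fields; the matching conditions are an assumption about how these rules
could be expressed, and STANDARD_REGIONS is a made-up allow-list.
"""
import json

# Assumed allow-list for the "EC2 Instance in Non-Standard Region" rule.
STANDARD_REGIONS = {"us-east-1", "us-west-2"}

# Rule name -> MITRE technique IDs, copied from the HIPAA chart.
MITRE = {
    "CloudTrail: Access Denied": ["T1595"],
    "CloudTrail: Console Login by Root": ["T1578", "T1078"],
    "CloudTrail: Console Login: MFA Not Used": [],
    "CloudTrail: EC2 Instance in Non-Standard Region": ["T1583", "T1578", "T1535", "T1496"],
    "CloudTrail: EC2 Wide Open Security Group": ["T1578", "T1562"],
}


def world_open_cidrs(record):
    """CIDRs in an AuthorizeSecurityGroupIngress call that admit the whole Internet."""
    params = record.get("requestParameters") or {}
    found = []
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        for rng in (perm.get("ipRanges") or {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                found.append(rng["cidrIp"])
        for rng in (perm.get("ipv6Ranges") or {}).get("items", []):
            if rng.get("cidrIpv6") == "::/0":
                found.append(rng["cidrIpv6"])
    return found


def evaluate(record):
    """Return the names of the chart rules that one CloudTrail record triggers."""
    hits = []
    name = record.get("eventName")
    identity = record.get("userIdentity") or {}
    if record.get("errorCode") == "AccessDenied":
        hits.append("CloudTrail: Access Denied")
    if name == "ConsoleLogin":
        if identity.get("type") == "Root":
            hits.append("CloudTrail: Console Login by Root")
        if (record.get("additionalEventData") or {}).get("MFAUsed") == "No":
            hits.append("CloudTrail: Console Login: MFA Not Used")
    if name == "RunInstances" and record.get("awsRegion") not in STANDARD_REGIONS:
        hits.append("CloudTrail: EC2 Instance in Non-Standard Region")
    if name == "AuthorizeSecurityGroupIngress" and world_open_cidrs(record):
        hits.append("CloudTrail: EC2 Wide Open Security Group")
    return hits


def findings(log_text):
    """Parse a CloudTrail log-file body ({"Records": [...]}) into (eventID, rule, mitre) tuples."""
    out = []
    for record in json.loads(log_text)["Records"]:
        for rule in evaluate(record):
            out.append((record.get("eventID"), rule, MITRE[rule]))
    return out


# Constructed sample log (not real CloudTrail output; records trimmed to the fields used).
SAMPLE_LOG = """{"Records": [
 {"eventID": "e1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
  "awsRegion": "us-east-1", "userIdentity": {"type": "Root"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventID": "e2", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
  "awsRegion": "ap-southeast-1", "userIdentity": {"type": "IAMUser", "userName": "deploy"}},
 {"eventID": "e3", "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
  "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "ops"},
  "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventID": "e4", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
  "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "intern"},
  "errorCode": "AccessDenied"},
 {"eventID": "e5", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
  "awsRegion": "us-west-2", "userIdentity": {"type": "AssumedRole"}}
]}"""

if __name__ == "__main__":
    for event_id, rule, mitre in findings(SAMPLE_LOG):
        print(f"{event_id}: {rule}  MITRE={', '.join(mitre) or 'N/A'}")
```

Running it prints one line per finding: the root console login in the sample trips both "Console Login by Root" and "Console Login: MFA Not Used", while the RunInstances call in an allow-listed region (e5) produces nothing. Real rules would also need to look at responseElements.ConsoleLogin (success versus failure) and at the sourceIPAddress, which this illustration deliberately leaves out.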