Updated on 2024-10-28 GMT+08:00

CTS Trackers Comply with Security Best Practices

Rule Details

Table 1 Rule details (Parameter: Description)

Rule Name: cts-tracker-enabled-security
Identifier: cts-tracker-enabled-security
Description: If there is no tracker that complies with security best practices, this rule is noncompliant.
Tag: cts
Trigger Type: Periodic
Filter Type: Account
Rule Parameter: Regions. The regions where CTS trackers reside. If no regions are specified, the rule is applied to all regions.

Applicable Scenario

CTS records operations on cloud resources in your account. You can use the traces to perform security analysis, track resource changes, audit compliance, and locate faults. Because traces are audit evidence, the tracker must be configured so that trace files cannot be lost, tampered with, or disclosed. The three settings this rule checks are:

  • Trace file verification: When this function is enabled, CTS performs integrity verification to check whether trace files in the OBS bucket have been tampered with after delivery.
  • Trace file encryption: After enabling trace transfer to OBS, you can use a key from Data Encryption Workshop (DEW) to encrypt trace files stored in the OBS bucket, so a party that obtains the bucket contents without the key cannot read them.
  • Trace transfer to LTS: When this function is enabled, traces are also transferred to Log Tank Service (LTS), giving you a second, queryable copy of the traces that is independent of the OBS bucket.

Solution

You can enable trace file verification, trace file encryption, and trace transfer to LTS for a tracker on the CTS console. For details, see Configuring a Tracker.

Rule Logic

  • If Verify Trace File, Encrypt Trace File, and Transfer to LTS are all enabled for a CTS tracker, this tracker is considered to comply with security best practices.
  • When no regions are specified, the current account is compliant if there is any tracker that complies with the security best practices.
  • When no regions are specified, the current account is noncompliant if there are no trackers that comply with the security best practices.
  • When one or more regions are specified, the current account is compliant if there is any tracker that complies with the security best practices in any of the specified regions.
  • When one or more regions are specified, the current account is noncompliant if there are no trackers that comply with the security best practices in any of the specified regions.
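The following is a worked implementation of the rule logic above, added to this page as an example; it is not Huawei Cloud Config's own evaluator. It takes tracker records shaped like a CTS tracker listing (the field names tracker_name, region, is_support_validate, kms_id and lts.is_lts_enabled are an assumption about that layout, and treating a bound KMS key as "Encrypt Trace File enabled" is likewise an assumption) and applies the three-setting check per tracker, the optional region filter, and the any-compliant-tracker rule for the account. It also reports, per in-scope tracker, which of the three settings is missing, which is what you need in order to fix the finding. The tracker records are constructed for the example.

```python
"""Worked evaluation of the cts-tracker-enabled-security rule logic.

Example added to this page; it is not Huawei Cloud Config's own
evaluator. The tracker field names (tracker_name, region,
is_support_validate, kms_id, lts.is_lts_enabled) follow the layout of a
CTS tracker listing and are an assumption; the tracker records below are
constructed for the example.
"""
from typing import Dict, Iterable, List, Optional

# The three settings a tracker must have enabled, in the order reported.
CONTROLS = ("Verify Trace File", "Encrypt Trace File", "Transfer to LTS")

# Constructed sample: one tracker per region, as a CTS listing might return.
SAMPLE_TRACKERS = [
    {"tracker_name": "system", "region": "cn-north-4",
     "is_support_validate": True, "kms_id": "",
     "lts": {"is_lts_enabled": True}},
    {"tracker_name": "system", "region": "cn-south-1",
     "is_support_validate": True, "kms_id": "4d2a6b5e-example-kms-key",
     "lts": {"is_lts_enabled": True}},
    {"tracker_name": "system", "region": "ap-southeast-3",
     "is_support_validate": False, "kms_id": "",
     "lts": {"is_lts_enabled": False}},
]


def missing_controls(tracker: dict) -> List[str]:
    """Return the best-practice settings a single tracker does not have enabled.

    An empty list means the tracker complies (all three settings enabled).
    """
    enabled = {
        "Verify Trace File": bool(tracker.get("is_support_validate")),
        # Encryption counts as enabled when a DEW/KMS key is bound (assumption).
        "Encrypt Trace File": bool(tracker.get("kms_id")),
        "Transfer to LTS": bool(tracker.get("lts", {}).get("is_lts_enabled")),
    }
    return [name for name in CONTROLS if not enabled[name]]


def evaluate_account(trackers: Iterable[dict],
                     regions: Optional[Iterable[str]] = None) -> dict:
    """Apply the rule to one account.

    With no regions, every tracker is in scope; with regions, only trackers
    in those regions. The account is compliant if at least one in-scope
    tracker has all three settings enabled. Findings list, per in-scope
    tracker, what is missing so the gap can be fixed on the CTS console.
    """
    scope = set(regions) if regions else None
    findings: Dict[str, List[str]] = {}
    for t in trackers:
        if scope is not None and t["region"] not in scope:
            continue
        findings[f'{t["tracker_name"]}@{t["region"]}'] = missing_controls(t)
    return {
        # any() over no in-scope trackers is False: no tracker, noncompliant.
        "compliant": any(not missing for missing in findings.values()),
        "findings": findings,
    }


if __name__ == "__main__":
    for regions in (None, ["cn-north-4"], ["cn-north-4", "cn-south-1"]):
        result = evaluate_account(SAMPLE_TRACKERS, regions)
        print(regions or "all regions", "->",
              "compliant" if result["compliant"] else "noncompliant")
        for tracker, missing in result["findings"].items():
            if missing:
                print(f"  {tracker}: missing {', '.join(missing)}")
```

Run as a script, the sample evaluates as compliant across all regions (the cn-south-1 tracker meets all three settings), noncompliant when only cn-north-4 is specified (its tracker lacks encryption), and compliant again when both regions are specified, matching the Rule Logic bullets. In practice the records would come from listing the trackers in each region of the account; note that a tracker deployed by an organization administrator may not yet appear in a member account's listing (see Constraints).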

Constraints

If an organization CTS tracker is involved and this rule is triggered from a member account of that organization, the evaluation results may lag by up to 24 hours, because tracker resources deployed by the organization administrator are collected with a delay.