Help Center
Go back to application
Help Center
Go back to application
Platform Terms Glossary
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risksApplying controls to risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainings
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explained
Auto Checks Detailed Explanation
Enforce MFA on the AWS Root AccountVerify CloudTrail is logging management events across all AWS regionsEnsure no IAM AWS-managed policies grant full administrative accessConfirm that Amazon GuardDuty is enabled for threat detectionEnsure the root account does not have any active access keysConfirm IAM Access Analyzer is enabled to monitor access permissionsConfigure a log metric filter and alarm for unauthorized API callsConfigure a log metric filter and alarm for root account usageEnsure customer-managed IAM policies do not grant full administrative accessPrevent IAM identities from having inline policies with unrestricted accessMaintain accurate and up-to-date AWS account contact informationRegister a valid security contact in the AWS account settingsBlock IAM Inline Policies That Enable Privilege EscalationPrevent IAM Inline Policies from Granting Full CloudTrail AccessAvoid Full KMS Access in Inline IAM PoliciesPrevent Overly Permissive Role Assumption in Custom IAM PoliciesPrevent Privilege Escalation via Customer-Managed IAM PoliciesAvoid IAM Policies Granting Full CloudTrail AccessAvoid IAM Policies Granting Unrestricted KMS AccessPrevent IAM Roles from Assigning ReadOnlyAccess Permissions to External AWS AccountsProtect IAM Service Roles from Confused Deputy Attacks Using Proper Trust PoliciesAvoid Provisioning Access Keys During Initial IAM User Creation When Console Login is EnabledDetect IAM Users with Multiple Active Access Keys and Enforce Key Rotation

Avoid IAM Policies Granting Full CloudTrail Access

Framework Reference: A.8.2 (Information Access Restrictions) Integration: AWS – IAM / CloudTrail

Why this matters

Granting full access to AWS CloudTrail through IAM policies (e.g., via cloudtrail:*) can compromise the integrity of your audit trail. Overly permissive access allows users to:

Disable or delete audit logs

Conceal unauthorized activity

Bypass critical forensic capabilities in the event of a breach

To preserve accountability, restrict access to CloudTrail operations, especially write actions, and limit permissions to specific use cases such as read-only log analysis.

What this check does

This Auto Check evaluates your IAM policies and flags any that:

Include the wildcard permission cloudtrail:*

Allow sensitive actions like DeleteTrail, StopLogging, or UpdateTrail

Lack sufficient constraints on affected resources

The check fails if policies with unrestricted CloudTrail access are attached to any identities (users, groups, or roles).

How to fix it

Identify and replace IAM policies that grant unrestricted access to CloudTrail.

From the AWS Console

Log in to the IAM Console.

Go to Policies and search for entries containing cloudtrail:*.

Review the policy for dangerous actions like DeleteTrail, StopLogging, or overly broad permissions.

Detach the policy from any attached identities.

If not required, delete the policy.

Create a new policy that:

Grants only the needed actions (e.g., cloudtrail:DescribeTrails, cloudtrail:LookupEvents)

Applies to specific trails or resources

Enforces read-only access where appropriate

Using AWS CLI

# Identify affected entities aws iam list-entities-for-policy --policy-arn <policy_arn> # Detach from a user aws iam detach-user-policy --user-name <user_name> --policy-arn <policy_arn> # Detach from a group aws iam detach-group-policy --group-name <group_name> --policy-arn <policy_arn> # Detach from a role aws iam detach-role-policy --role-name <role_name> --policy-arn <policy_arn>

Exceptions

If specific roles require temporary CloudTrail access (e.g., for diagnostics or audits):

Grant access through tightly scoped break-glass roles

Enforce conditions such as MFA authentication or limited session duration

Monitor usage through CloudTrail itself to detect suspicious actions

Further Resources

AWS IAM Best Practices

Managed vs. Inline Policies

AWS CLI IAM Reference

CloudTrail Permissions Guide

Was this article helpful?

Powered by Product Fruits