Ensure CloudTrail Rule is Enabled in All Regions

This rule ensures that CloudTrail is enabled in all regions for enhanced logging.

Rule: Ensure CloudTrail is enabled in all regions
Framework: cis_v130
Severity: Critical

Ensure CloudTrail is enabled in all regions for CIS v1.3.0 Compliance

AWS CloudTrail is a service that provides governance, compliance, operational auditing, and risk auditing of your AWS account. Enabling CloudTrail in all regions is a key requirement of the Center for Internet Security (CIS) AWS Foundations Benchmark v1.3.0.

Compliance Rule Details

According to the CIS AWS Foundations Benchmark v1.3.0, you should ensure that AWS CloudTrail is enabled in all regions, regardless of where your AWS resources are deployed. This is important to guarantee that all account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services, is logged.

Key Points for Compliance:

  • CloudTrail should be configured to capture all management events in all regions.
  • CloudTrail logs should be delivered to an S3 bucket.
  • Ensure CloudTrail logs are encrypted at rest using AWS KMS-managed keys.
  • Implement log file integrity validation to detect unauthorized log manipulation.
  • Enable CloudTrail log file delivery notification to an Amazon SNS topic.

Troubleshooting Steps

If CloudTrail is not enabled in all regions or if you encounter issues with CloudTrail configuration, take the following steps:

  1. Verify if CloudTrail is enabled in all regions.
  2. Check if CloudTrail logs are being delivered to the specified S3 bucket.
  3. Ensure that log file integrity validation is enabled.
  4. Verify encryption of logs using AWS KMS-managed keys.

Remediation Guide

Enabling CloudTrail in All Regions

To enable CloudTrail logging across all regions via the AWS Management Console, follow these steps:

  1. Navigate to the CloudTrail console.
  2. Click on "Trails" in the left-hand navigation pane.
  3. Click on "Create trail" to create a new trail.
  4. Enter the trail name and select "Apply trail to all regions".
  5. Set up an S3 bucket for log storage, or select an existing one.
  6. Enable log file encryption using KMS and log file validation.
  7. Save the trail configuration.

Using AWS CLI

Alternatively, you can use the AWS Command Line Interface (CLI) to create a trail that applies to all regions with the following command:

aws cloudtrail create-trail --name TrailName --s3-bucket-name YourS3BucketName --is-multi-region-trail --enable-log-file-validation --kms-key-id alias/YourKmsKey --include-global-service-events

Replace TrailName, YourS3BucketName, and YourKmsKey with your specific trail name, S3 bucket, and KMS key ID or alias, respectively.

Ensuring CloudTrail Log File Integrity and Encryption

To enable log file integrity validation:

aws cloudtrail update-trail --name TrailName --enable-log-file-validation

To configure encryption with KMS-managed keys:

aws cloudtrail update-trail --name TrailName --kms-key-id alias/YourKmsKey

Finalizing Configuration

Ensure that each trail is configured correctly and is operational. Review the CloudTrail event logs to confirm that the trails are capturing events.
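
The checks from the troubleshooting list and key points above, run over the JSON that `aws cloudtrail describe-trails`, `get-trail-status` and `get-event-selectors` return. This is an added example, not CloudDefense's or AWS's code: `audit_trail` and `audit_account` are hypothetical helper names, the sample data is constructed, and it assumes trails use basic (not advanced) event selectors.

```python
import json

# Constructed sample shaped like `aws cloudtrail describe-trails` output;
# trail names, account ID and ARNs are placeholders.
DESCRIBE_TRAILS = json.loads("""
{"trailList": [
  {"Name": "org-trail", "S3BucketName": "example-trail-logs",
   "IsMultiRegionTrail": true, "LogFileValidationEnabled": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE",
   "SnsTopicARN": "arn:aws:sns:us-east-1:111122223333:trail-delivery"},
  {"Name": "legacy-trail", "S3BucketName": "example-old-logs",
   "IsMultiRegionTrail": false, "LogFileValidationEnabled": false}
]}
""")
# Constructed `get-trail-status` / `get-event-selectors` results, keyed by trail name.
STATUS = {"org-trail": {"IsLogging": True},
          "legacy-trail": {"IsLogging": True, "LatestDeliveryError": "AccessDenied"}}
SELECTORS = {
    "org-trail": {"EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    "legacy-trail": {"EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
}

def audit_trail(trail, status, selectors):
    """Return the failed checks for one trail (empty list means it passes)."""
    failures = []
    if not trail.get("IsMultiRegionTrail"):
        failures.append("not multi-region")
    if not status.get("IsLogging"):
        failures.append("logging stopped")
    if status.get("LatestDeliveryError"):
        failures.append("S3 delivery error: " + status["LatestDeliveryError"])
    for field, message in (("LogFileValidationEnabled", "log file validation disabled"),
                           ("KmsKeyId", "no KMS key"),
                           ("SnsTopicARN", "no SNS topic")):
        if not trail.get(field):
            failures.append(message)
    # Management events must be recorded for both read and write API calls.
    if not any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
               for s in selectors.get("EventSelectors", [])):
        failures.append("management events not fully captured")
    return failures

def audit_account(trails, status, selectors):
    """Return ({trail name: failures}, True if at least one trail passes)."""
    report = {t["Name"]: audit_trail(t, status.get(t["Name"], {}), selectors.get(t["Name"], {}))
              for t in trails["trailList"]}
    return report, any(not failed for failed in report.values())
```

`IsLogging` is checked separately because a trail created with `create-trail` records nothing until `aws cloudtrail start-logging --name TrailName` has been run.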
