Ensure CloudTrail trails are integrated with CloudWatch Logs Rule

Guideline to integrate CloudTrail trails with CloudWatch Logs.

Rule: Ensure CloudTrail trails are integrated with CloudWatch Logs
Framework: cis_v130
Severity: Low

Ensuring CloudTrail Trails are Integrated with CloudWatch Logs for CIS_v1.3.0

The Center for Internet Security (CIS) outlines benchmarks to help organizations secure their AWS accounts. Among the recommended controls is the requirement that AWS CloudTrail trails be integrated with CloudWatch Logs. This is part of the CIS Amazon Web Services Foundations Benchmark v1.3.0. The aim is to enable continuous monitoring, logging, and real-time analysis of the AWS account activity.

Rule Details

The rule requires that every AWS CloudTrail trail is configured to deliver its events to an Amazon CloudWatch Logs log group. In practice the benchmark's audit checks two things for each trail: a CloudWatch Logs log group ARN is set on the trail, and the trail's status shows a successful CloudWatch Logs delivery within the last day (a stale delivery time or a delivery error means the integration is configured but not working). This is critical for maintaining an auditable log of all actions across an AWS environment, allowing for immediate analysis and alerting on potentially malicious activities.

Benefits:

  • Real-time monitoring and alerting capabilities.
  • Retention and access control over logs.
  • Helps in tracking changes and troubleshooting issues quickly.
  • Supports compliance with many security standards.

Troubleshooting Steps

Check CloudTrail Integration with CloudWatch Logs:

  1. Log in to the AWS Management Console.
  2. Navigate to the CloudTrail console.
  3. Ensure that a CloudTrail trail exists and is configured:
     • If not, create a new trail and select a corresponding S3 bucket.
  4. Select a trail to check its CloudWatch Logs configuration.
  5. Under the "CloudWatch Logs" section, check whether the trail is linked to a log group and a delivery IAM role.

If not Integrated:

  • No log group or IAM role assigned: Set up the CloudWatch Logs log group and role.
  • Incorrect IAM role permissions: Adjust the IAM role policies to allow CloudTrail to write logs to your log group.
  • Integration configured but delivery stale or failing: Check the trail status for the last CloudWatch Logs delivery time and any delivery error. The usual causes are a role policy that no longer matches the log group, a log group that was deleted, or a trail that has been stopped.
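The manual check above can be automated. The following is an added example, not code from the original page or from Cloud Defense: it applies the benchmark's audit criteria (log group and role set, trail logging, last CloudWatch Logs delivery within one day, no delivery error) to the response shapes of DescribeTrails and GetTrailStatus. The evaluation is a pure function exercised on constructed sample data; `audit_account()` runs the same logic live and assumes boto3 is installed and credentials allow `cloudtrail:DescribeTrails` and `cloudtrail:GetTrailStatus`. Account ID, region, trail names and ARNs in the sample are made up.

```python
"""Audit trails for the CIS v1.3.0 control "CloudTrail integrated with CloudWatch Logs".

Added example (not from the original page). evaluate_trail() is pure and runs on the
constructed sample data below; audit_account() wires it to boto3 (assumed installed).
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# CIS audit procedure: LatestCloudWatchLogsDeliveryTime must fall within the last day.
MAX_DELIVERY_AGE = timedelta(days=1)


def evaluate_trail(trail: dict, status: dict, now: datetime) -> tuple[bool, str]:
    """Return (compliant, reason) for one trail.

    `trail` is one element of DescribeTrails.trailList; `status` is the GetTrailStatus
    response for the same trail (tz-aware datetimes, as boto3 returns them).
    """
    if not trail.get("CloudWatchLogsLogGroupArn"):
        return False, "no CloudWatch Logs log group configured"
    if not trail.get("CloudWatchLogsRoleArn"):
        return False, "log group configured but no delivery IAM role"
    if not status.get("IsLogging", False):
        return False, "trail is not logging"
    error = status.get("LatestCloudWatchLogsDeliveryError")
    if error:
        return False, f"last delivery failed: {error}"
    last = status.get("LatestCloudWatchLogsDeliveryTime")
    if last is None:
        return False, "no event batch has ever been delivered to CloudWatch Logs"
    if now - last > MAX_DELIVERY_AGE:
        return False, f"last delivery at {last.isoformat()} is older than one day"
    return True, "ok"


def audit_trails(trails: list[dict], statuses: dict[str, dict],
                 now: datetime) -> list[tuple[str, bool, str]]:
    """Evaluate every trail; `statuses` is keyed by trail name."""
    return [(t["Name"], *evaluate_trail(t, statuses.get(t["Name"], {}), now)) for t in trails]


def audit_account(region: str | None = None) -> list[tuple[str, bool, str]]:
    """Live check against the current account (requires boto3 and credentials)."""
    import boto3  # imported here so the pure functions above run without it

    ct = boto3.client("cloudtrail", region_name=region)
    trails = ct.describe_trails(includeShadowTrails=False)["trailList"]
    # GetTrailStatus accepts the trail ARN, which also works for trails homed in another region.
    statuses = {t["Name"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    return audit_trails(trails, statuses, datetime.now(timezone.utc))


# Constructed sample data in the shape of the two API responses (not real account output).
ACCOUNT = "123456789012"
REGION = "us-east-1"
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:CloudTrail/DefaultLogGroup:*"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/CloudTrail_CloudWatchLogs_Role"
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def _trail(name: str, **extra: str) -> dict:
    return {"Name": name, "TrailARN": f"arn:aws:cloudtrail:{REGION}:{ACCOUNT}:trail/{name}", **extra}


SAMPLE_TRAILS = [
    _trail("management-events", CloudWatchLogsLogGroupArn=LOG_GROUP_ARN, CloudWatchLogsRoleArn=ROLE_ARN),
    _trail("stale-trail", CloudWatchLogsLogGroupArn=LOG_GROUP_ARN, CloudWatchLogsRoleArn=ROLE_ARN),
    _trail("s3-only"),  # delivers to S3 only: the case this control flags
]
SAMPLE_STATUS = {
    "management-events": {"IsLogging": True, "LatestCloudWatchLogsDeliveryTime": NOW - timedelta(minutes=5)},
    "stale-trail": {"IsLogging": True, "LatestCloudWatchLogsDeliveryTime": NOW - timedelta(days=3)},
    "s3-only": {"IsLogging": True},
}

if __name__ == "__main__":
    for name, ok, reason in audit_trails(SAMPLE_TRAILS, SAMPLE_STATUS, NOW):
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {reason}")
```

Run it as-is to see the three sample verdicts, or call `audit_account()` from a session with credentials. The stale-trail case is the one a console glance misses: the log group and role are set, but delivery stopped days ago, so the trail fails the benchmark's audit despite looking integrated.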

Remediation Steps

Creating Log Group and Integrating with CloudTrail:

  1. Create a Log Group in CloudWatch Logs:

    aws logs create-log-group --log-group-name YOUR_LOG_GROUP_NAME

  2. Create an IAM role that CloudTrail can assume to put events into CloudWatch Logs. Create the role with the following trust policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Service": "cloudtrail.amazonaws.com" },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  3. Attach the following policy to the IAM role to allow CloudTrail to write to the log group:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Resource": [
            "arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME:*"
          ]
        }
      ]
    }

    Replace REGION, ACCOUNT_ID, and LOG_GROUP_NAME with the appropriate values. This resource covers every stream in the log group; CloudTrail itself only writes streams named ACCOUNT_ID_CloudTrail_REGION, so the resource can be narrowed to that log-stream prefix if you want a tighter policy.

  4. Update the trail to use the new log group and IAM role:

    aws cloudtrail update-trail \
      --name YOUR_TRAIL_NAME \
      --cloud-watch-logs-log-group-arn arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME \
      --cloud-watch-logs-role-arn YOUR_IAM_ROLE_ARN

    Replace YOUR_TRAIL_NAME, REGION, ACCOUNT_ID, LOG_GROUP_NAME, and YOUR_IAM_ROLE_ARN with the correct values. LOG_GROUP_NAME must be the group created in step 1 and the role the one from steps 2 and 3: CloudTrail validates both when the trail is updated and rejects the call if it cannot assume the role or write to the group. Because IAM is eventually consistent, an update issued seconds after creating the role may be rejected once and succeed on retry.
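The four steps above, carried out end to end. This is an added example, not code from the original page or from Cloud Defense: it creates the log group and delivery role if they do not exist, scopes the role's permissions to the log streams CloudTrail actually writes, and points the trail at them, retrying the trail update while a freshly created role propagates. It assumes boto3 is installed and credentials allow the logs, iam and cloudtrail calls used. The default log group name, role name, inline policy name and the 365-day retention are illustrative choices, not values the page prescribes. The policy builders are plain functions and run without AWS access.

```python
"""Remediate a trail that is not integrated with CloudWatch Logs.

Added example (not from the original page). remediate() performs the page's four
steps via boto3 (assumed installed and credentialed); the policy builders are pure.
"""
from __future__ import annotations

import json
import time

POLICY_NAME = "CloudTrailCloudWatchLogsDelivery"  # assumed inline policy name


def trust_policy() -> dict:
    """Trust policy letting the CloudTrail service assume the delivery role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def delivery_policy(region: str, account_id: str, log_group: str) -> dict:
    """Permissions scoped to the streams CloudTrail writes: <account>_CloudTrail_<region>*."""
    stream_prefix = (
        f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
        f":log-stream:{account_id}_CloudTrail_{region}*"
    )
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AWSCloudTrailCreateLogStream",
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": [stream_prefix],
        }],
    }


def log_group_arn(region: str, account_id: str, log_group: str) -> str:
    """ARN form CloudTrail expects for the trail's CloudWatch Logs log group."""
    return f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}:*"


def remediate(trail_name: str, region: str, account_id: str,
              log_group: str = "CloudTrail/DefaultLogGroup",      # assumed name
              role_name: str = "CloudTrail_CloudWatchLogs_Role",  # assumed name
              retention_days: int = 365) -> str:                  # assumed retention
    """Create the log group and role if missing, then point the trail at them.

    Returns the ARN of the delivery role the trail now uses.
    """
    import boto3

    logs = boto3.client("logs", region_name=region)
    iam = boto3.client("iam")
    ct = boto3.client("cloudtrail", region_name=region)

    # Step 1: log group (idempotent). CloudWatch Logs keeps data forever unless told otherwise.
    try:
        logs.create_log_group(logGroupName=log_group)
    except logs.exceptions.ResourceAlreadyExistsException:
        pass
    logs.put_retention_policy(logGroupName=log_group, retentionInDays=retention_days)

    # Steps 2 and 3: role with the trust policy, then the scoped inline permissions.
    try:
        role_arn = iam.create_role(
            RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust_policy()),
        )["Role"]["Arn"]
    except iam.exceptions.EntityAlreadyExistsException:
        role_arn = iam.get_role(RoleName=role_name)["Role"]["Arn"]
    iam.put_role_policy(
        RoleName=role_name, PolicyName=POLICY_NAME,
        PolicyDocument=json.dumps(delivery_policy(region, account_id, log_group)),
    )

    # Step 4: UpdateTrail validates the role immediately; IAM is eventually
    # consistent, so retry briefly while a freshly created role propagates.
    for attempt in range(6):
        try:
            ct.update_trail(
                Name=trail_name,
                CloudWatchLogsLogGroupArn=log_group_arn(region, account_id, log_group),
                CloudWatchLogsRoleArn=role_arn,
            )
            break
        except ct.exceptions.InvalidCloudWatchLogsRoleArnException:
            if attempt == 5:
                raise
            time.sleep(5)
    return role_arn


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} TRAIL_NAME REGION ACCOUNT_ID")
    print("delivery role:", remediate(*sys.argv[1:4]))
```

The narrowed resource in `delivery_policy` is the main difference from the page's policy: the role can only create and write the stream CloudTrail itself uses, not arbitrary streams in the group. Organization trails also write streams whose names start with the organization ID, so widen the resource pattern for those before applying.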

By ensuring that CloudTrail is properly integrated with CloudWatch Logs, and by confirming that delivery is actually succeeding rather than only configured, you improve the security and compliance posture of your AWS environment and give your detection and response processes a near-real-time feed of account activity.
