Guideline to integrate CloudTrail trails with CloudWatch Logs.
Rule | Ensure CloudTrail trails are integrated with CloudWatch Logs
Framework | cis_v130
Severity | Low
Ensuring CloudTrail Trails are Integrated with CloudWatch Logs for CIS_v1.3.0
The Center for Internet Security (CIS) outlines benchmarks to help organizations secure their AWS accounts. Among the recommended controls is the requirement that AWS CloudTrail trails be integrated with CloudWatch Logs. This is part of the CIS Amazon Web Services Foundations Benchmark v1.3.0. The aim is to enable continuous monitoring, logging, and real-time analysis of the AWS account activity.
Rule Details
The rule mandates that all AWS CloudTrail trails are configured to send logs to an Amazon CloudWatch Logs log group. This is critical for maintaining an auditable log of all actions across an AWS environment, allowing for immediate analysis and alerting on potentially malicious activities.
Benefits:
Troubleshooting Steps
Check CloudTrail Integration with CloudWatch Logs:
If not integrated:
Remediation Steps
Creating Log Group and Integrating with CloudTrail:
Create a Log Group in CloudWatch Logs:
aws logs create-log-group --log-group-name YOUR_LOG_GROUP_NAME
CloudTrail needs an IAM role it can assume, with a policy that allows it to put events into the log group. First create an IAM role with the following trust policy, which lets the CloudTrail service assume the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
Attach the following policy to the IAM role so that CloudTrail can create log streams and write events to the log group (and nothing else):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME:*"
      ]
    }
  ]
}
Replace REGION, ACCOUNT_ID, and LOG_GROUP_NAME with the appropriate values.
Update the trail to use the new log group and IAM role:
aws cloudtrail update-trail \
  --name YOUR_TRAIL_NAME \
  --cloud-watch-logs-log-group-arn arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME \
  --cloud-watch-logs-role-arn YOUR_IAM_ROLE_ARN
Replace YOUR_TRAIL_NAME, REGION, ACCOUNT_ID, LOG_GROUP_NAME, and YOUR_IAM_ROLE_ARN with the correct values.
By ensuring that CloudTrail is properly integrated with CloudWatch Logs, you improve the security and compliance posture of your AWS environment, which can also positively impact your SEO by demonstrating your commitment to data security - a key consideration for both users and search engines.
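To confirm the remediation took effect (and to audit trails that were never fixed), the check can be evaluated offline against the JSON that `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status --name <trail>` return. The following is an added example, not part of this guideline or of any AWS tool; the trail data, ARNs and account id are constructed, and the one-day window for the most recent CloudWatch Logs delivery is an assumption about how stale delivery should be judged.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed `aws cloudtrail describe-trails` output (made-up ARNs and account id): one trail
# wired to CloudWatch Logs as remediated above, one with no log group, one with stale delivery.
DESCRIBE_TRAILS = json.loads("""
{"trailList": [
 {"Name": "management-trail",
  "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail-logs:*",
  "CloudWatchLogsRoleArn": "arn:aws:iam::111122223333:role/CloudTrail_CWLogs_Role"},
 {"Name": "legacy-trail"},
 {"Name": "stale-trail",
  "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:old-logs:*",
  "CloudWatchLogsRoleArn": "arn:aws:iam::111122223333:role/CloudTrail_CWLogs_Role"}
]}""")

# Constructed `aws cloudtrail get-trail-status --name <trail>` output, keyed by trail name.
TRAIL_STATUS = {
    "management-trail": {"IsLogging": True,
                         "LatestCloudWatchLogsDeliveryTime": "2024-05-02T11:30:00+00:00"},
    "legacy-trail": {"IsLogging": True},
    "stale-trail": {"IsLogging": True,
                    "LatestCloudWatchLogsDeliveryTime": "2024-04-20T08:00:00+00:00"},
}

NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def evaluate_trails(describe, statuses, now=NOW, max_age=timedelta(days=1)):
    """Return {trail_name: (compliant, reason)}. A trail passes only if a log group and role
    are configured, it is logging, and it delivered within max_age (assumed one-day window)."""
    results = {}
    for trail in describe["trailList"]:
        name = trail["Name"]
        if not trail.get("CloudWatchLogsLogGroupArn") or not trail.get("CloudWatchLogsRoleArn"):
            results[name] = (False, "no CloudWatch Logs log group or role configured")
            continue
        status = statuses.get(name, {})
        if not status.get("IsLogging"):
            results[name] = (False, "trail is not logging")
            continue
        delivered = status.get("LatestCloudWatchLogsDeliveryTime")
        if delivered is None:
            results[name] = (False, "no delivery to CloudWatch Logs recorded yet")
            continue
        age = now - datetime.fromisoformat(delivered)
        if age > max_age:
            results[name] = (False, f"last delivery is {age.days} days old")
            continue
        results[name] = (True, "integrated and delivering")
    return results
```

A trail with the log group ARN set but no recent LatestCloudWatchLogsDeliveryTime usually means the role lacks the logs:PutLogEvents permission or the role ARN on the trail is wrong, so the check reports that case separately from a trail with no integration at all.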