This rule ensures integration of CloudTrail trails with CloudWatch Logs for enhanced monitoring.
| Rule | Ensure CloudTrail trails are integrated with CloudWatch Logs |
| --- | --- |
| Framework | cis_v140 |
| Severity | Low |
Rule Description:
The rule ensures that all CloudTrail trails are integrated with CloudWatch Logs in order to centralize and monitor the logs generated by CloudTrail. This integration provides a consolidated and secure way to track and analyze the activities occurring in an AWS account.
Troubleshooting Steps:
Verify CloudTrail trail configuration: Ensure that each CloudTrail trail is configured to send logs to CloudWatch Logs. Check that the "Enable CloudWatch Logs" option is enabled for each trail; in the output of the describe-trails CLI command this shows as a non-empty CloudWatchLogsLogGroupArn on the trail.
Check IAM roles and permissions: Ensure that the IAM role associated with each CloudTrail trail has the permissions needed to write to CloudWatch Logs. Validate that the role's policy grants the "logs:CreateLogStream" and "logs:PutLogEvents" permissions on the target log group, and that the role's trust policy allows the CloudTrail service to assume it.
Verify CloudWatch Logs subscription filters: If the trail's log group is forwarded onward with subscription filters (for example to Kinesis or Lambda for alerting), check that each filter is attached to the correct log group and that its filter pattern matches the CloudTrail events you want to capture and redirect.
Review CloudWatch Logs retention settings: Review the retention settings for the CloudWatch Logs log groups receiving the CloudTrail logs. Verify that the retention period is set appropriately to retain the logs for the required duration.
Necessary Codes:
No specific code is required for this remediation. However, you may need AWS Command Line Interface (CLI) commands to validate and configure the integration between CloudTrail and CloudWatch Logs.
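The validation that the paragraph above alludes to, written as an added Python example (not code from the original page): it applies the rule's check to the field names returned by `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status`, flagging trails with no log group, no delivery role, or no recent delivery. The one-day freshness threshold is an assumption taken from the CIS audit procedure, and the account id, ARNs and timestamps are constructed.

```python
"""Check CloudTrail trails for CloudWatch Logs integration. Added example, not from the page; field names follow describe-trails / get-trail-status and all sample data is constructed."""
from datetime import datetime, timedelta, timezone

MAX_DELIVERY_AGE = timedelta(days=1)  # assumption: CIS audit step treats older deliveries as stale

def evaluate_trail(trail, status=None, now=None):
    """Return (passed, reason) for one trail dict; `status` is its get-trail-status response, if any."""
    now = now or datetime.now(timezone.utc)
    if not trail.get("CloudWatchLogsLogGroupArn"):
        return False, "no CloudWatchLogsLogGroupArn configured"
    if not trail.get("CloudWatchLogsRoleArn"):
        return False, "log group set but no CloudWatchLogsRoleArn, so CloudTrail cannot write to it"
    if status is not None:
        last = status.get("LatestCloudWatchLogsDeliveryTime")
        if last is None:
            return False, "no delivery to CloudWatch Logs recorded yet"
        if now - last > MAX_DELIVERY_AGE:
            return False, f"last delivery {last.isoformat()} is older than {MAX_DELIVERY_AGE}"
        if status.get("LatestCloudWatchLogsDeliveryError"):
            return False, "delivery error: " + status["LatestCloudWatchLogsDeliveryError"]
    return True, "integrated with CloudWatch Logs"

def evaluate_trails(trails, statuses, now=None):
    """Map trail name -> (passed, reason); `statuses` is keyed by TrailARN."""
    return {t["Name"]: evaluate_trail(t, statuses.get(t.get("TrailARN")), now) for t in trails}

# Constructed sample data (account id, ARNs and timestamps are made up).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
_TRAIL = "arn:aws:cloudtrail:us-east-1:123456789012:trail/"
_LOGS = "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/"
_ROLE = "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role"
SAMPLE_TRAILS = [
    {"Name": "mgmt-trail", "TrailARN": _TRAIL + "mgmt-trail",
     "CloudWatchLogsLogGroupArn": _LOGS + "mgmt:*", "CloudWatchLogsRoleArn": _ROLE},
    {"Name": "legacy-trail", "TrailARN": _TRAIL + "legacy-trail"},  # delivers to S3 only
    {"Name": "stale-trail", "TrailARN": _TRAIL + "stale-trail",
     "CloudWatchLogsLogGroupArn": _LOGS + "stale:*", "CloudWatchLogsRoleArn": _ROLE},
]
SAMPLE_STATUS = {
    _TRAIL + "mgmt-trail": {"LatestCloudWatchLogsDeliveryTime": NOW - timedelta(minutes=5)},
    _TRAIL + "stale-trail": {"LatestCloudWatchLogsDeliveryTime": NOW - timedelta(days=3)},
}

def main():  # live run against the current account; needs boto3 and AWS credentials
    import boto3
    ct = boto3.client("cloudtrail")
    trails = ct.describe_trails(includeShadowTrails=False)["trailList"]
    statuses = {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    for name, (ok, why) in evaluate_trails(trails, statuses).items():
        print(("PASS " if ok else "FAIL ") + name + ": " + why)
```

Call `main()` to run the check against a real account; `evaluate_trails(SAMPLE_TRAILS, SAMPLE_STATUS, NOW)` exercises the three sample cases offline.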
Step-by-step Guide for Remediation:
1. Open the AWS Management Console and navigate to the CloudTrail service.
2. Select the CloudTrail trail that needs to be integrated with CloudWatch Logs.
3. Click on the "Edit" button to modify the trail settings.
4. In the "Storage Location" section, ensure that the "Enable CloudWatch Logs" option is checked.
5. Specify the desired log group and log stream names. It's recommended to use a naming convention that suits your organizational needs.
6. Review the existing IAM role associated with the trail. Ensure that the role has the necessary permissions to write logs to CloudWatch Logs.
7. If needed, you can create a new IAM role with the required permissions using the IAM service.
8. After modifying the trail settings, click on the "Save" button to apply the changes.
9. Verify that the CloudTrail logs are now integrated with CloudWatch Logs by navigating to the CloudWatch Logs service.
10. Select the log group and log stream specified during the setup process.
11. Check if the appropriate logs from CloudTrail are visible in the log stream.
To validate the integration for multiple trails, repeat these steps for each CloudTrail trail that needs to be integrated with CloudWatch Logs.
Note: It may take a few minutes for the newly created or modified CloudTrail trails to start sending logs to CloudWatch Logs. Be patient while verifying the integration.
By following these steps, all CloudTrail trails will be successfully integrated with CloudWatch Logs, ensuring centralized log collection and enhanced monitoring capabilities.