Ensure CloudTrail Trails Are Integrated with CloudWatch Logs Rule
This rule ensures that CloudTrail trails are connected with CloudWatch Logs for better monitoring and analysis.
| Rule | Ensure CloudTrail trails are integrated with CloudWatch Logs |
| Framework | cis_v150 |
| Severity | ✔ Low |
Rule Description:
CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. It provides detailed information about actions taken within your account, such as API calls made by or on behalf of your account, event source configurations, and more. CloudWatch Logs is a service that allows you to collect, monitor, and store logs generated by various AWS resources and applications. Integrating CloudTrail trails with CloudWatch Logs provides enhanced monitoring and centralized log management for your AWS account.
The CIS benchmark version 1.5.0 recommends integrating CloudTrail trails with CloudWatch Logs to ensure that audit logs are securely stored, retained, and easily accessible for analysis and forensics.
Troubleshooting Steps:
If CloudTrail trails are not integrated with CloudWatch Logs, follow these troubleshooting steps:
- 1.
Verify CloudTrail Trail Configuration:
- Open the AWS Management Console and navigate to the CloudTrail service.
- Select the trail that you want to check for integration.
- Ensure that the "Manage CloudWatch Logs" option is enabled for the trail.
- If it's not enabled, you need to modify the trail and enable the integration.
- 2.
Enable CloudTrail Logs for CloudWatch:
- Open the AWS Management Console and navigate to the CloudTrail service.
- Select the trail that you want to integrate with CloudWatch Logs.
- Click on the "Edit" button to modify the trail configuration.
- In the "CloudWatch Logs" section, select the checkbox "Create a new CloudWatch log group" or "Choose an existing CloudWatch log group" depending on your requirements.
- If creating a new log group, provide a meaningful name for the log group.
- Click on the "Save" button to save the changes and enable CloudWatch Logs integration.
Necessary Code:
No code is necessary for this rule. The integration of CloudTrail trails with CloudWatch Logs can be achieved through the AWS Management Console or AWS CLI.
Remediation Steps:
To remediate the integration of CloudTrail trails with CloudWatch Logs, follow these steps:
- 1.
Enable CloudTrail Logs for CloudWatch using the AWS Management Console:
- Open the AWS Management Console and navigate to the CloudTrail service.
- Select the trail that you want to integrate with CloudWatch Logs.
- Click on the "Edit" button to modify the trail configuration.
- In the "CloudWatch Logs" section, select the checkbox "Create a new CloudWatch log group" or "Choose an existing CloudWatch log group" depending on your requirements.
- If creating a new log group, provide a meaningful name for the log group.
- Click on the "Save" button to save the changes and enable CloudWatch Logs integration.
- 2.
Enable CloudTrail Logs for CloudWatch using AWS CLI:
Open the AWS CLI or any terminal with AWS CLI installed.
Use the following command to enable CloudTrail logs for CloudWatch:
aws cloudtrail update-trail --name <trail-name> --cloud-watch-logs-log-group-arn <log-group-ARN> --cloud-watch-logs-role-arn <role-ARN>Replace
with the name of the CloudTrail trail you want to integrate. Replace<trail-name>
with the ARN of the CloudWatch log group you want to use or create. Replace<log-group-ARN>
with the ARN of the IAM role that allows CloudTrail to send logs to CloudWatch.<role-ARN>Run the command to enable CloudTrail and CloudWatch Logs integration.
By following these steps, you will ensure that CloudTrail trails are integrated with CloudWatch Logs, as recommended by the CIS benchmark version 1.5.0. This integration will help you maintain secure and centralized log management for your AWS account, ensuring compliance and effective monitoring.