
Rule: At Least One Multi-Region AWS CloudTrail

This rule ensures the presence of a multi-region AWS CloudTrail in the account.

Rule: At least one multi-region AWS CloudTrail should be present in an account
Framework: CISA-cyber-essentials
Severity: Medium

Rule Description

This rule ensures that there is at least one multi-region AWS CloudTrail present in an account, as a requirement for CISA Cyber Essentials compliance. AWS CloudTrail records the API calls made in your AWS account and is the primary evidence source for governance, compliance, operational auditing, risk auditing and incident investigation. A trail that is not multi-region records only the activity of the region it was created in, so API calls made in any other region, including calls an attacker deliberately makes in a region you do not normally use, leave no trail record. A multi-region trail delivers management events from every region (and from global services such as IAM and STS) to a single S3 bucket, and it automatically covers regions that AWS adds later.

Troubleshooting Steps

If there is no multi-region CloudTrail present in the account, you can follow the troubleshooting steps below to address the issue:

  1. Check existing CloudTrails: Verify whether any trails are configured in your AWS account. You can do this by navigating to the AWS Management Console and searching for "CloudTrail". Trails are listed per region, so a trail created in one region will not appear while the console is switched to another region.
  2. Review single-region CloudTrails: For each existing trail, check whether it is configured as a multi-region trail. An existing single-region trail cannot satisfy this rule on its own; either update it to apply to all regions or create a new multi-region trail.
  3. Verify account permissions: Ensure that you have sufficient permissions to create and manage trails and their log bucket. Concretely this means the IAM actions cloudtrail:CreateTrail, cloudtrail:UpdateTrail and cloudtrail:StartLogging, plus s3:CreateBucket and s3:PutBucketPolicy for the bucket that will receive the logs. Administrative privileges cover these, but a scoped role is preferable.

Necessary Code

To create a multi-region CloudTrail, you can use the AWS Command Line Interface (CLI) or the AWS Management Console. The CLI commands below are the minimum. Note that CloudTrail refuses a bucket that does not carry a bucket policy allowing the cloudtrail.amazonaws.com service principal to call s3:GetBucketAcl on the bucket and s3:PutObject under the AWSLogs/<account-id>/ prefix (the create-trail call fails with InsufficientS3BucketPolicyException), so that policy must be attached to the bucket before the trail is created.

  1. Create an S3 bucket: Before creating the CloudTrail, you first need to create an S3 bucket to store the CloudTrail log files.

aws s3api create-bucket --bucket your-unique-bucket-name --region your-preferred-region --create-bucket-configuration LocationConstraint=your-preferred-region

Replace "your-unique-bucket-name" with a globally unique name for your bucket, and "your-preferred-region" with the region where you want to create the bucket. If that region is us-east-1, omit the --create-bucket-configuration option; it is required for every other region.

  2. Create the multi-region CloudTrail: Once the S3 bucket exists and carries the CloudTrail bucket policy, create the trail with the following command. The option is --is-multi-region-trail; without it the trail covers only the region the command runs in.

aws cloudtrail create-trail --name your-trail-name --s3-bucket-name your-unique-bucket-name --is-multi-region-trail

Replace "your-trail-name" with a descriptive name for your CloudTrail. Creating the trail does not start it; run start-logging (see Remediation Steps) before expecting any log files in the bucket.

Remediation Steps

Follow the step-by-step guide below to remediate the issue by creating a multi-region CloudTrail:

  1. Create an S3 bucket: Using the AWS Management Console or the provided CLI command, create an S3 bucket to store the CloudTrail logs. Ensure that the bucket name is globally unique and choose the desired region for the bucket. Attach the bucket policy that lets cloudtrail.amazonaws.com read the bucket ACL and write objects under AWSLogs/<account-id>/, and keep S3 Block Public Access enabled on the bucket so that audit logs can never be exposed publicly.

  2. Create the multi-region CloudTrail: Using the AWS Management Console or the provided CLI command, create a new trail. Specify a descriptive name for the trail and select the S3 bucket you created in the previous step. Enable the multi-region option ("Apply trail to all regions" in the console, --is-multi-region-trail in the CLI) to ensure API activity is recorded across all regions.

  3. Configure CloudTrail settings: In the trail configuration, you can customize settings such as SSE-KMS encryption of the log files, log file integrity validation (which lets you detect log files that were deleted or altered after delivery), bucket lifecycle rules for retention, and CloudWatch Logs integration for alerting. Adjust these settings based on your specific requirements.

  4. Enable the CloudTrail: Once the trail is created and configured, enable it to start recording API activity in your AWS account. You can enable the trail through the AWS Management Console or using the CLI command:

aws cloudtrail start-logging --name your-trail-name

Replace "your-trail-name" with the name of the trail you created.

  5. Verify multi-region logging: After enabling the trail, confirm that the trail reports itself as multi-region and that its status shows logging as enabled, then confirm that log files are appearing in the bucket under AWSLogs/<account-id>/CloudTrail/<region>/ for more than one region (delivery can take several minutes). The Event History page in the console is not a check of the trail: it shows the last 90 days of management events for the currently selected region whether or not any trail exists.
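The whole remediation as one script, written here as an added example rather than code from the Cloud Defense page or from AWS: it creates the bucket with the policy CloudTrail requires, creates and starts a multi-region trail, and provides a check that fails unless the trail is both multi-region and currently logging. The bucket, trail and region names, and the script file name in the usage comment, are placeholders (assumptions, not values from the page) that you must replace.

```shell
#!/bin/sh
# Added example: end-to-end remediation for "at least one multi-region CloudTrail".
# BUCKET, TRAIL and REGION are placeholder values; override them in the environment.
set -eu

BUCKET="${BUCKET:-example-cloudtrail-logs-123456789012}"  # S3 names are global; pick a unique one
TRAIL="${TRAIL:-multi-region-trail}"
REGION="${REGION:-us-east-1}"                              # home region of bucket and trail

# Bucket policy CloudTrail requires before create-trail accepts the bucket:
# GetBucketAcl on the bucket and PutObject under AWSLogs/<account>/ with
# bucket-owner-full-control. The aws:SourceArn condition restricts the grant
# to this one trail, so a trail in another account cannot write into the bucket.
bucket_policy() {
  bucket="$1"; account="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${bucket}",
      "Condition": {"StringEquals": {"aws:SourceArn": "arn:aws:cloudtrail:${REGION}:${account}:trail/${TRAIL}"}}
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${bucket}/AWSLogs/${account}/*",
      "Condition": {"StringEquals": {
        "s3:x-amz-acl": "bucket-owner-full-control",
        "aws:SourceArn": "arn:aws:cloudtrail:${REGION}:${account}:trail/${TRAIL}"
      }}
    }
  ]
}
EOF
}

create_log_bucket() {
  # Outside us-east-1, create-bucket needs an explicit LocationConstraint.
  if [ "$REGION" = "us-east-1" ]; then
    aws s3api create-bucket --bucket "$BUCKET" --region "$REGION"
  else
    aws s3api create-bucket --bucket "$BUCKET" --region "$REGION" \
      --create-bucket-configuration "LocationConstraint=$REGION"
  fi
  # Audit logs must never be publicly readable.
  aws s3api put-public-access-block --bucket "$BUCKET" \
    --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  account=$(aws sts get-caller-identity --query Account --output text)
  aws s3api put-bucket-policy --bucket "$BUCKET" --policy "$(bucket_policy "$BUCKET" "$account")"
}

create_trail() {
  # create-trail only defines the trail; start-logging makes it record events.
  aws cloudtrail create-trail --region "$REGION" --name "$TRAIL" --s3-bucket-name "$BUCKET" \
    --is-multi-region-trail --include-global-service-events --enable-log-file-validation
  aws cloudtrail start-logging --region "$REGION" --name "$TRAIL"
}

# Exit status 0 only if the trail is multi-region and logging right now.
# With --output text the CLI renders the booleans as True/False.
trail_is_compliant() {
  name="$1"
  multi=$(aws cloudtrail describe-trails --region "$REGION" --trail-name-list "$name" \
            --query 'trailList[0].IsMultiRegionTrail' --output text)
  logging=$(aws cloudtrail get-trail-status --region "$REGION" --name "$name" \
            --query 'IsLogging' --output text)
  if [ "$multi" = "True" ] && [ "$logging" = "True" ]; then
    return 0
  fi
  echo "trail $name: IsMultiRegionTrail=$multi IsLogging=$logging" >&2
  return 1
}

# Usage: ./cloudtrail-remediate.sh remediate   (create bucket, policy and trail)
#        ./cloudtrail-remediate.sh check       (only verify the trail)
case "${1:-}" in
  remediate) create_log_bucket; create_trail; trail_is_compliant "$TRAIL" ;;
  check)     trail_is_compliant "$TRAIL" ;;
esac
```

The check deliberately requires both conditions: a multi-region trail that has been stopped with stop-logging still satisfies a naive "multi-region trail exists" query but records nothing, so the rule should be read as "exists and is logging". Running the check periodically from a pipeline (exit status drives the alert) catches that case as well as outright deletion of the trail.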

By following these steps, you can ensure compliance with the CISA Cyber Essentials requirement of having at least one multi-region AWS CloudTrail in your AWS account.
