This rule ensures the presence of at least one enabled trail in a specific region.
| Field | Value |
|---|---|
| Rule | At least one enabled trail should be present in a region |
| Framework | CISA-cyber-essentials |
| Severity | ✔ Low |
Rule Description:
According to the rule/policy for CISA Cyber Essentials, it is mandatory to have at least one enabled trail present in a specific region. Trails are used for capturing and storing important log data, which can be used for security monitoring, troubleshooting, and compliance purposes.
Troubleshooting Steps:
If you encounter an issue with the rule and need to troubleshoot, please follow these steps:
Ensure that you have the necessary permissions: Verify that you have the required permissions to create and manage trails in your AWS account. If you don't have the necessary permissions, contact your AWS account administrator.
Check the status of existing trails: Use the AWS Management Console, AWS CLI command, or AWS SDK to check the status of existing trails in the region specified by the rule. Ensure that at least one trail is enabled.
Verify the configuration of existing trails: Review the configuration settings of existing trails to confirm that they meet the requirements outlined in the CISA Cyber Essentials policy. Pay attention to the log file settings, data events captured, and the destination where the logs are stored.
Create a new trail if necessary: If there are no enabled trails in the specified region, create a new trail using the AWS Management Console, AWS CLI, or AWS SDK.
Configure the trail settings: Set the appropriate settings for the trail, such as the log file format (JSON or AWS CloudTrail), log file encryption, log file validation, and the destination S3 bucket where the logs will be stored.
Enable the trail: Once the trail is configured, enable it to start capturing the necessary log data. This can be done through the AWS Management Console or by using the AWS CLI command.
Necessary Codes:
There are no specific codes required for this rule, as it mainly involves creating and managing trails in the AWS environment. However, here are some example AWS CLI commands that can be used for creating and enabling trails:
```bash
# Create the trail with log file validation and global service events enabled
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --region <specified-region> --enable-log-file-validation --include-global-service-events
# A new trail does not record events until logging is started
aws cloudtrail start-logging --name <trail-name>
```
Remember to replace <trail-name>, <bucket-name>, and <specified-region> with the respective values based on your requirements and environment.
Step-by-Step Guide for Remediation:
Follow these steps to ensure compliance with the CISA Cyber Essentials rule regarding enabled trails in a specific region:
Verify Permissions: Make sure you have the necessary permissions to manage trails in your AWS account.
Check Existing Trails: Using the AWS Management Console, AWS CLI, or AWS SDK, verify that there is at least one enabled trail in the specified region.
Review Trail Configuration: Check the configuration settings of existing trails to ensure they meet the requirements outlined in the CISA Cyber Essentials policy.
Create a New Trail: If no enabled trails exist in the specified region, create a new trail using the preferred method (AWS Management Console, AWS CLI, or AWS SDK).
Configure Trail Settings: Set the necessary trail settings, such as log file format, encryption, validation, and destination bucket.
Enable the Trail: Once the trail is created and configured, enable it to start capturing log data.
Validate Compliance: Regularly monitor and validate the trails' status to ensure there is always at least one enabled trail in the specified region.
By following these steps, you will ensure compliance with the CISA Cyber Essentials policy regarding enabled trails in a specific region.
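The "Validate Compliance" step above can be scripted. The check below is an added example, not part of the original rule page: it evaluates the rule against constructed sample output of `aws cloudtrail describe-trails --include-shadow-trails` and `aws cloudtrail get-trail-status` (the trail names, ARNs and account id are placeholders), counting a trail as covering a region only if it is actually logging and either has that home region or is a multi-region trail.

```python
import json

# Constructed sample of `aws cloudtrail describe-trails --include-shadow-trails`
# output; names, ARNs and the account id 111122223333 are placeholders.
DESCRIBE_TRAILS = json.loads("""
{
  "trailList": [
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": true,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"},
    {"Name": "eu-local", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": false,
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/eu-local"},
    {"Name": "ap-stopped", "HomeRegion": "ap-southeast-1", "IsMultiRegionTrail": false,
     "TrailARN": "arn:aws:cloudtrail:ap-southeast-1:111122223333:trail/ap-stopped"}
  ]
}
""")["trailList"]

# Constructed sample of `aws cloudtrail get-trail-status --name <arn>` per trail.
# Note the multi-region trail exists but has been stopped, so it covers nothing.
TRAIL_STATUS = {
    "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail": {"IsLogging": False},
    "arn:aws:cloudtrail:eu-west-1:111122223333:trail/eu-local": {"IsLogging": True},
    "arn:aws:cloudtrail:ap-southeast-1:111122223333:trail/ap-stopped": {"IsLogging": False},
}


def trails_covering_region(region, trail_list, status_by_arn):
    """Return names of trails that are currently recording events for `region`.

    A trail only counts if get-trail-status reports IsLogging=true (a created
    but never started trail is not an enabled trail), and it applies to the
    region if its HomeRegion matches or it is a multi-region trail.
    """
    covering = []
    for trail in trail_list:
        status = status_by_arn.get(trail["TrailARN"], {})
        if not status.get("IsLogging", False):
            continue
        if trail["HomeRegion"] == region or trail.get("IsMultiRegionTrail", False):
            covering.append(trail["Name"])
    return covering


def is_region_compliant(region, trail_list=DESCRIBE_TRAILS, status_by_arn=TRAIL_STATUS):
    """True when at least one enabled trail covers `region` (the rule's condition)."""
    return len(trails_covering_region(region, trail_list, status_by_arn)) > 0


if __name__ == "__main__":
    for region in ("us-east-1", "eu-west-1", "ap-southeast-1", "ca-central-1"):
        found = trails_covering_region(region, DESCRIBE_TRAILS, TRAIL_STATUS)
        print(region, "OK" if found else "ALARM", found)
```

Run against real output by replacing the two constructed samples with the JSON returned by the CLI calls; only the `eu-west-1` sample region passes here, because the stopped multi-region trail does not satisfy the rule anywhere.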