At Least One Multi-Region AWS CloudTrail Rule
This rule ensures presence of a multi-region AWS CloudTrail in an account.
| Rule | At least one multi-region AWS CloudTrail should be present in an account |
| Framework | CISA-cyber-essentials |
| Severity | ✔ Medium |
Rule Description
This rule mandates the presence of at least one multi-region AWS CloudTrail in an account as part of the CISA Cyber Essentials program. AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. Multi-region CloudTrail provides enhanced security by tracking events from multiple AWS regions, ensuring comprehensive monitoring and centralized management.
Troubleshooting Steps
1. Verify existing CloudTrail configuration
- Go to the AWS Management Console.
- Open the CloudTrail service.
- Confirm if there is an existing CloudTrail trail configured.
2. Evaluate the CloudTrail existing trail
- Check if the trail is enabled and capturing events.
- Ensure that the trail is logging events from all necessary AWS regions.
- Verify that the trail has appropriate S3 bucket and IAM role configurations.
- Review the trail's event selectors to ensure the desired events are being captured.
3. Create a new multi-region CloudTrail trail (if required)
- If there is no existing multi-region CloudTrail trail, create a new one:
- Click "Create trail" in the CloudTrail service dashboard.
- Enter a distinct name for the trail.
- Choose the S3 bucket where the CloudTrail logs will be stored.
- Enable log file validation to ensure data integrity.
- Enable multiple regions to capture events from all regions.
- Configure the appropriate IAM role for CloudTrail to access necessary resources.
- Select the desired events to be logged in the event selectors.
- Review the settings and click "Create trail" to finalize the configuration.
4. Enable CloudTrail logging for all regions
- If the existing CloudTrail trail does not cover all the necessary regions, make sure to enable those regions:
- From the CloudTrail service dashboard, select the trail to modify.
- Click "Edit" for the event selector.
- Enable the missing AWS regions.
- Save the changes to update the trail's settings.
Necessary Code
There are no specific code snippets for this rule. The configuration steps mentioned above can be performed through the AWS Management Console.
Remediation Steps
To remediate the missing multi-region AWS CloudTrail issue, follow these steps:
- 1.
Verify Existing CloudTrail Configuration:
- Check if there is an existing CloudTrail trail.
- Ensure that the trail is enabled, capturing events, and covers all necessary regions.
- 2.
Create a new multi-region CloudTrail trail (if required):
- Access the AWS Management Console.
- Open the CloudTrail service.
- Click "Create trail."
- Provide a distinct name for the trail.
- Choose the S3 bucket where CloudTrail logs will be stored.
- Enable log file validation.
- Enable multiple regions to capture events from all regions.
- Configure the appropriate IAM role for CloudTrail.
- Select the desired events to be logged.
- Review the settings and click "Create trail."
- 3.
Enable CloudTrail logging for all regions:
- Access the CloudTrail service dashboard.
- Select the relevant trail to modify.
- Click "Edit" for the event selector.
- Enable any missing AWS regions.
- Save the changes to update the trail's settings.
By following these steps, you will ensure the presence of a multi-region AWS CloudTrail in your account, providing comprehensive monitoring and meeting the requirements of the CISA Cyber Essentials program.