This rule ensures the presence of at least one enabled trail in a region.
| Rule | At least one enabled trail should be present in a region |
| Framework | CISA-cyber-essentials |
| Severity | ✔ Low |
Rule Description:
The rule requires that at least one enabled CloudTrail trail be present in the region being evaluated for CISA-cyber-essentials. An enabled trail is what records AWS API and management console activity in that region, so this requirement keeps the logging and monitoring capabilities in place that compliance with the CISA cyber essentials framework depends on.
Troubleshooting Steps:
If this rule is not compliant, follow the steps below to troubleshoot and rectify the issue:
1. Verify Enabled Trails: Confirm whether any enabled trails exist in the specified region. Trails are used to capture and log AWS API and management console activity.
2. Check Trail Status: Ensure that the existing trails in the specified region are in the "Enabled" (logging) state. A disabled trail does not fulfill the requirement.
3. Confirm Trail Presence: If there are no enabled trails in the specified region, create a new trail.
Necessary Codes:
There are no specific codes provided for this rule; however, the AWS Command Line Interface (CLI) can be used to create and manage trails.
Step-by-Step Guide for Remediation:
Follow the instructions below to ensure compliance with the rule:
1. Check Enabled Trails:
2. Verify Trail Status:
3. Create a New Trail (if necessary): If there are no enabled trails in the specified region, follow these steps to create a new trail:
   a. Install and configure the AWS CLI by following the official documentation, if not already done.
   b. Open a terminal or command prompt.
   c. Run the following command to create a new trail:

      aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail --region <specified-region>

      Replace <trail-name> with a name for your trail, <bucket-name> with the name of an existing S3 bucket where logs will be stored, and <specified-region> with the desired region. The bucket must already carry a bucket policy that allows CloudTrail to write to it; otherwise the command fails.
   d. Enable the created trail by running the following command:

      aws cloudtrail start-logging --name <trail-name> --region <specified-region>

      Replace <trail-name> with the name of the newly created trail and <specified-region> with the desired region. A trail that has been created but not started does not satisfy the rule.

Verification:
By following these steps, you will meet the compliance requirement of having at least one enabled trail in the specified region for CISA-cyber-essentials.
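The troubleshooting steps above (verify enabled trails, check trail status) and this verification section can be automated. The following is an added example, not code from the original page or from any compliance tool: it applies the rule's logic to output shaped like `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status`, counting a trail only if it covers the region and is actually logging. The trail names, ARNs, bucket name and account id are constructed sample values.

```python
import json

# Constructed sample, shaped like `aws cloudtrail describe-trails --region eu-west-1`
# (describe-trails also lists "shadow" copies of multi-region trails homed elsewhere).
DESCRIBE_TRAILS = json.loads("""
{"trailList": [
  {"Name": "ops-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": false,
   "S3BucketName": "example-log-bucket",
   "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/ops-trail"},
  {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": true,
   "S3BucketName": "example-log-bucket",
   "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"}
]}
""")

# Constructed sample of `aws cloudtrail get-trail-status --name <TrailARN>` per trail.
# Only IsLogging matters here: a trail that exists but is not logging is "disabled".
TRAIL_STATUS = {
    "arn:aws:cloudtrail:eu-west-1:123456789012:trail/ops-trail": {"IsLogging": False},
    "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail": {"IsLogging": True},
}


def trails_covering_region(trail_list, region):
    """Trails that record events in `region`: those homed there plus
    multi-region trails, which log every region regardless of home."""
    return [t for t in trail_list
            if t["HomeRegion"] == region or t.get("IsMultiRegionTrail", False)]


def enabled_trails_in_region(describe_output, status_by_arn, region):
    """Names of trails that cover `region` and are currently logging."""
    return [t["Name"]
            for t in trails_covering_region(describe_output["trailList"], region)
            if status_by_arn.get(t["TrailARN"], {}).get("IsLogging", False)]


def is_compliant(describe_output, status_by_arn, region):
    """The rule passes when at least one enabled trail covers the region."""
    return bool(enabled_trails_in_region(describe_output, status_by_arn, region))


if __name__ == "__main__":
    for region in ("eu-west-1", "ap-south-1"):
        names = enabled_trails_in_region(DESCRIBE_TRAILS, TRAIL_STATUS, region)
        print(region, "PASS" if names else "FAIL", names)
```

In the sample, the region-local `ops-trail` exists but is not logging, so only the multi-region `org-trail` makes eu-west-1 (and every other region) compliant; stopping it would fail the rule everywhere.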