
Rule: At Least One Multi-Region AWS CloudTrail

This rule checks that at least one multi-region AWS CloudTrail trail exists in the account.

Rule: At least one multi-region AWS CloudTrail should be present in an account
Framework: FedRAMP Low Revision 4
Severity: Medium

Rule Description

This rule requires that at least one trail in the AWS account is configured as a multi-region trail, so that API activity in every AWS region is recorded, as the audit logging controls in FedRAMP Low Revision 4 require.

AWS CloudTrail records the API calls made in an account: who made the call, from where, when, and which resource it touched, including management events and resource changes. Every trail has a home region. A single-region trail records only events from that region, whereas a multi-region trail records management events from every AWS region, including regions the account does not normally use and regions AWS enables later, and delivers them all to one S3 bucket. This matters because attackers routinely operate in regions that nobody watches; without a multi-region trail, activity there leaves no log. A multi-region trail also delivers global service events (IAM, STS, CloudFront) by default, so identity-related API calls are captured as well.

Troubleshooting Steps

If an AWS account does not have a multi-region AWS CloudTrail configuration, follow the steps below to troubleshoot:

  1. Verify that a trail exists: list the trails in the account. If none exist, create a new trail.

  2. Check the region scope of each trail: a trail is multi-region only when IsMultiRegionTrail is true in the trail description. Creating copies of a single-region trail in other regions does not make it multi-region; update the trail with the multi-region flag instead.

  3. Confirm logging is on: the trail description does not say whether the trail is logging. Query the trail status (the get-trail-status subcommand) and check that IsLogging is true; if it is false, start logging from the AWS Management Console or the AWS CLI.

  4. Check delivery health: the same status output reports LatestDeliveryError when CloudTrail cannot write to the S3 bucket, typically because the bucket policy is missing or was changed. A trail that is logging but failing delivery does not meet the intent of the rule.

  5. Confirm global service events: check that IncludeGlobalServiceEvents is true so that IAM and STS calls are captured along with the regional events.

Necessary Codes

No custom code is required to remediate this rule; the AWS CLI commands in the remediation steps below are sufficient to audit and change the CloudTrail configuration.

Remediation Steps

To remediate the absence of a multi-region AWS CloudTrail configuration, follow the steps below:

  1. Audit the existing AWS CloudTrail configuration: run the following AWS CLI command to list the trails in the account:

    aws cloudtrail describe-trails
    

    This command returns each trail's name, home region, S3 bucket, and whether IsMultiRegionTrail and IncludeGlobalServiceEvents are set. Multi-region trails homed in other regions are included by default; single-region trails in other regions are not, but they do not satisfy this rule anyway. Note that this output does not report whether the trail is logging.

  2. Create a new CloudTrail trail: if no trails exist or the existing trails are not multi-region, create a new trail with the following AWS CLI command:

    aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail --include-global-service-events
    

    Replace <trail-name> with a suitable name for the trail and <bucket-name> with the name of the S3 bucket where the CloudTrail logs will be stored. The bucket must already exist and its bucket policy must allow the cloudtrail.amazonaws.com service principal to call s3:GetBucketAcl on the bucket and s3:PutObject on the log prefix, or the command fails with an insufficient-policy error. No list of regions is given: a multi-region trail covers all regions automatically, and the region the CLI runs in (or the --region option) becomes the trail's home region. To convert an existing single-region trail instead, run update-trail with the same --is-multi-region-trail flag.

  3. Enable logging: a newly created trail does not log until logging is started. Start it with the following AWS CLI command:

    aws cloudtrail start-logging --name <trail-name>
    

    Replace <trail-name> with the name of the newly created trail, or of an existing trail that needs logging enabled.

  4. Verify the multi-region configuration: use the following AWS CLI command to confirm that the trail is multi-region:

    aws cloudtrail describe-trails --trail-name-list <trail-name>
    

    Replace <trail-name> with the name of the trail to verify. In the output, IsMultiRegionTrail and IncludeGlobalServiceEvents should both be true. Then confirm the trail is actually logging and delivering: the get-trail-status subcommand should report IsLogging as true and no LatestDeliveryError.

  5. Monitor and ensure compliance: re-run the checks above on a schedule, and alert on StopLogging, DeleteTrail, and UpdateTrail events in the trail itself, since disabling CloudTrail is a common first step for an attacker who has gained access to an account.

By following these remediation steps, a multi-region AWS CloudTrail trail is established and continuous monitoring of account activity across all regions can be maintained.
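The following Python script is an added example, not code from the original page or from Cloud Defense, that automates the checks in the steps above. It evaluates the structures returned by describe-trails and get-trail-status and reports whether at least one trail is multi-region, logging, delivering to S3, and recording global service events. The trail data, bucket name and account ID are constructed for the example; the fetch_live function, which is not called by default, shows how the same two structures are obtained from a real account with boto3.

```python
"""Evaluate an AWS account's trails against the multi-region CloudTrail rule.

The two inputs mirror the JSON returned by `aws cloudtrail describe-trails`
(the "trailList" array) and `aws cloudtrail get-trail-status --name <arn>`.
Field names are the real CloudTrail API field names; the data is constructed.
"""

# Constructed sample: an account with one single-region trail and one
# multi-region trail. Names, bucket and account ID are made up.
SAMPLE_TRAILS = [
    {
        "Name": "legacy-useast1-only",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/legacy-useast1-only",
        "HomeRegion": "us-east-1",
        "S3BucketName": "example-trail-logs",
        "IsMultiRegionTrail": False,
        "IncludeGlobalServiceEvents": True,
    },
    {
        "Name": "all-regions",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/all-regions",
        "HomeRegion": "us-east-1",
        "S3BucketName": "example-trail-logs",
        "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True,
    },
]

# Constructed sample of get-trail-status output, keyed by trail name.
SAMPLE_STATUS = {
    "legacy-useast1-only": {"IsLogging": True},
    "all-regions": {"IsLogging": True, "LatestDeliveryTime": "2024-01-01T00:00:00Z"},
}


def evaluate_trail(trail, status):
    """Return the reasons a trail fails the rule; an empty list means it passes.

    A trail counts only if it is multi-region, is actively logging, and is
    delivering to S3. IncludeGlobalServiceEvents is checked too, because a
    trail that drops IAM/STS events is a poor basis for audit logging.
    """
    findings = []
    if not trail.get("IsMultiRegionTrail", False):
        findings.append("trail is single-region (IsMultiRegionTrail is false)")
    if not trail.get("IncludeGlobalServiceEvents", False):
        findings.append("global service events (IAM, STS) are not recorded")
    if status is None:
        findings.append("trail status unavailable (query it in its home region or by ARN)")
    else:
        if not status.get("IsLogging", False):
            findings.append("logging is stopped (IsLogging is false)")
        if status.get("LatestDeliveryError"):
            findings.append("S3 delivery is failing: " + status["LatestDeliveryError"])
    return findings


def evaluate_account(trails, statuses):
    """Return (compliant, report).

    compliant is True when at least one trail has no findings; report maps
    each trail name to its findings so an operator can see why the others
    do not count toward the rule.
    """
    report = {t["Name"]: evaluate_trail(t, statuses.get(t["Name"])) for t in trails}
    compliant = any(not findings for findings in report.values())
    return compliant, report


def fetch_live():
    """Pull the same two structures from a real account with boto3.

    Not called by default so the example runs offline. describe_trails is
    called with includeShadowTrails=True so a multi-region trail homed in
    another region is still listed; get_trail_status is called by ARN,
    which works from any region.
    """
    import boto3  # assumed to be installed only when run against an account

    client = boto3.client("cloudtrail")
    trails = client.describe_trails(includeShadowTrails=True)["trailList"]
    statuses = {t["Name"]: client.get_trail_status(Name=t["TrailARN"]) for t in trails}
    return trails, statuses


if __name__ == "__main__":
    compliant, report = evaluate_account(SAMPLE_TRAILS, SAMPLE_STATUS)
    print("COMPLIANT" if compliant else "NON-COMPLIANT")
    for name, findings in report.items():
        print(f"  {name}: {'ok' if not findings else '; '.join(findings)}")
```

Run as-is it reports the constructed account as compliant because of the all-regions trail while listing why legacy-useast1-only does not count. To check a real account, replace the SAMPLE_* arguments in main with the result of fetch_live(); the evaluation logic is unchanged, and the per-trail findings map directly onto the remediation steps above.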
