Rule: CloudTrail Trails Should Be Integrated with CloudWatch Logs
This rule ensures that CloudTrail trails are integrated with CloudWatch logs for better monitoring and security.
| Rule | CloudTrail trails should be integrated with CloudWatch logs |
| Framework | FedRAMP Low Revision 4 |
| Severity | ✔ Critical |
Rule Description:
The CloudTrail trails within an AWS account should be integrated with CloudWatch logs to ensure compliance with the Federal Risk and Authorization Management Program (FedRAMP) Low Revision 4 requirements. This integration enables the tracking and monitoring of API activities and events happening within the account.
Troubleshooting Steps:
- 1.Check if CloudTrail is enabled for the AWS account.
- 2.Verify if there are any existing CloudWatch log groups available.
- 3.Ensure the necessary IAM permissions are granted to integrate CloudTrail with CloudWatch logs.
Necessary Codes:
No specific codes are required for this rule. However, you might need to use AWS Command Line Interface (CLI) commands to perform the CloudTrail and CloudWatch logs integration.
Step-by-Step Guide for Remediation:
- 1.
Log in to the AWS Management Console using appropriate credentials.
- 2.
Search for and open the "CloudTrail" service.
- 3.
Check if CloudTrail is already enabled for your account. If it is not enabled, follow these steps to enable it:
- Click on "Create trail."
- Provide a trail name and select the desired trail settings.
- Choose whether to apply the trail to all regions or specific regions.
- Configure the trail options as required.
- Choose "Create a new S3 bucket" or select an existing bucket to store the CloudTrail logs.
- Enable "Log file encryption" if necessary.
- Select the desired CloudWatch Logs settings.
- Choose "Create."
- 4.
Now, check if there are any existing CloudWatch log groups available. If not, follow these steps to create a log group:
- Open the "CloudWatch" service.
- Click on "Logs" in the left navigation menu.
- Click on "Create log group."
- Provide a log group name and choose an existing retention period or customize it.
- Click on "Create."
- 5.
Grant the necessary IAM permissions to integrate CloudTrail with CloudWatch logs:
- Search for and open the "IAM" service.
- Click on "Roles" in the left navigation menu.
- Search for the role associated with CloudTrail (e.g., "AWSServiceRoleForCloudTrail").
- Click on the role name.
- Attach the required policies (e.g., "CloudWatchLogsFullAccess").
- Click on "Attach policy."
- 6.
Now, associate the CloudTrail trail with the CloudWatch log group:
- Go back to the "CloudTrail" service.
- Select the desired trail.
- Click on "Edit."
- Under the "CloudWatch Logs settings" section, select the appropriate log group created earlier.
- Click on "Save."
- 7.
Verify if the CloudTrail and CloudWatch logs integration is successful by checking if logs are being generated in the CloudWatch log group associated with the trail.
Conclusion:
By following the above step-by-step guide, you should be able to integrate CloudTrail trails with CloudWatch logs to meet the FedRAMP Low Revision 4 requirements. This integration allows for improved monitoring and tracking of API activities and events within your AWS account.