This rule ensures the presence of at least one multi-region AWS CloudTrail in the account.
| Rule | At least one multi-region AWS CloudTrail should be present in an account |
| --- | --- |
| Framework | FedRAMP Low Revision 4 |
| Severity | Medium |
Description
This rule ensures that there is at least one multi-region AWS CloudTrail configured in an account for FedRAMP Low Revision 4 compliance. AWS CloudTrail is a service that provides governance, compliance, operational monitoring, and risk auditing of your AWS account. It records all API activities and events within your account, allowing you to effectively track changes and troubleshoot security incidents.
Rationale
Having a multi-region AWS CloudTrail strengthens the security and compliance posture of the FedRAMP Low Revision 4 environment. Enabling a multi-region trail ensures that API events and activities from every region, including regions the account does not normally use, are captured and stored centrally. This supports monitoring and investigation of security incidents and helps meet compliance requirements.
Troubleshooting Steps
There may be scenarios where a multi-region CloudTrail is not present in the account. In such cases, follow these steps to troubleshoot the issue:
Check if CloudTrail is enabled: Verify if AWS CloudTrail is already enabled in the account. You can do this by navigating to the AWS Management Console, selecting the CloudTrail service, and checking if there are any existing trails configured.
Create a multi-region trail: If no trail exists or if an existing trail is not multi-region, create a new multi-region trail. Follow the steps below:
Validate the multi-region trail: After creating the multi-region trail, validate that it is actively logging events across all regions. You can verify this by checking the CloudTrail events in the console or by querying the S3 bucket where the log files are stored.
AWS CLI Commands
If you prefer using the AWS CLI, you can follow these steps:
```shell
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail
```
Note: Replace <trail-name> with a unique name for your trail and <bucket-name> with the name of the S3 bucket where the logs should be stored.
```shell
aws cloudtrail put-event-selectors --trail-name <trail-name> --event-selectors '[{"ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [], "ExcludeManagementEventSources": []}]'
```
Note: Replace <trail-name> with the name of your trail.
```shell
aws cloudtrail describe-trails
```
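The validation step above can be automated. The following is an added example (not part of this rule page or any AWS tooling) that evaluates the three structures the CLI commands return (describe-trails, get-trail-status, get-event-selectors) and reports, per trail, why it does or does not satisfy the rule; the account passes when at least one trail is multi-region, actively logging, and capturing all management events. The sample trails, ARNs and account id are constructed, and the `fetch_from_aws` helper assumes boto3 is installed and credentials are configured.

```python
from typing import Any, Dict, List, Tuple

# Constructed sample data shaped like the describe-trails, get-trail-status and
# get-event-selectors responses (fictional account 111122223333, not real trails).
SAMPLE_TRAILS = [
    {"Name": "regional-only", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/regional-only"},
    {"Name": "org-audit", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-audit"},
]
SAMPLE_STATUS = {t["TrailARN"]: {"IsLogging": True} for t in SAMPLE_TRAILS}
SAMPLE_SELECTORS = {t["TrailARN"]: [{"ReadWriteType": "All", "IncludeManagementEvents": True}]
                    for t in SAMPLE_TRAILS}


def trail_findings(trail: Dict[str, Any], status: Dict[str, Any],
                   selectors: List[Dict[str, Any]]) -> List[str]:
    """Return the reasons a trail fails the rule; an empty list means it satisfies it."""
    problems = []
    if not trail.get("IsMultiRegionTrail"):
        problems.append("not multi-region")
    if not status.get("IsLogging"):
        problems.append("logging is stopped")
    # A trail that exists but filters management events gives an incomplete audit log.
    if not any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
               for s in selectors):
        problems.append("management events not fully captured (ReadWriteType must be All)")
    return problems


def evaluate_account(trails, status_by_arn, selectors_by_arn) -> Tuple[bool, Dict[str, List[str]]]:
    """Account is compliant when at least one trail has no findings."""
    report = {t["Name"]: trail_findings(t, status_by_arn.get(t["TrailARN"], {}),
                                        selectors_by_arn.get(t["TrailARN"], []))
              for t in trails}
    return any(not findings for findings in report.values()), report


def fetch_from_aws(session):
    """Collect the same three structures from a live account (boto3 assumed installed).
    Shadow trails are excluded so each multi-region trail is evaluated once; trails that use
    AdvancedEventSelectors return no EventSelectors and are reported as not fully captured."""
    ct = session.client("cloudtrail")
    trails = ct.describe_trails(includeShadowTrails=False)["trailList"]
    status = {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    selectors = {t["TrailARN"]: ct.get_event_selectors(TrailName=t["TrailARN"])
                 .get("EventSelectors", []) for t in trails}
    return trails, status, selectors


if __name__ == "__main__":
    ok, report = evaluate_account(SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_SELECTORS)
    print("COMPLIANT" if ok else "NON-COMPLIANT", report)
```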
Remediation Steps
To remediate this rule, follow the troubleshooting steps mentioned above and ensure that a multi-region AWS CloudTrail is successfully created and properly configured in the AWS account.
Compliance Acceleration
Creating and maintaining a multi-region AWS CloudTrail not only satisfies this FedRAMP Low Revision 4 requirement but also speeds up wider compliance work. Centralized logging of all API events and activities across regions makes it easier to monitor and investigate security incidents, improving the security posture of the environment. The resulting comprehensive audit logs also help in meeting other regulatory requirements and in building trust with customers.