
Ensure CloudTrail Trails Integrated with CloudWatch Logs Rule

This rule checks that every CloudTrail trail delivers its events to a CloudWatch Logs log group, so that API activity can be monitored continuously rather than only archived in S3.

Rule: CloudTrail trails should be integrated with CloudWatch Logs
Framework: FedRAMP Moderate Revision 4
Severity: Critical

Rule Description:

To comply with the FedRAMP Moderate Revision 4 standard, every CloudTrail trail should be integrated with CloudWatch Logs. With the integration enabled, CloudTrail sends the events from each log file to the configured log group shortly after delivering the file to S3. API activity across the account then becomes searchable in one place, and metric filters and alarms can raise alerts on specific calls (for example, changes to IAM policies or to the trail itself) within minutes.

Without the integration, trail data sits in the S3 bucket where it is archived but not watched. Near-real-time, centralized logging of API activity is what the framework's continuous monitoring and audit requirements depend on, which is why this rule is rated critical.

Troubleshooting Steps:

If you encounter any issues while integrating CloudTrail with CloudWatch logs, follow the troubleshooting steps below:

  1. Verify IAM permissions:

     • The principal that configures the trail (user or role) needs cloudtrail:UpdateTrail (or cloudtrail:CreateTrail for a new trail), logs:CreateLogGroup if the log group does not exist yet, and iam:PassRole for the role that CloudTrail will assume. Without iam:PassRole the update is rejected even though the trail and role look correct.

  2. Check the CloudTrail configuration:

     • Confirm that the trail is active (its status shows it is logging) and correctly configured: the S3 bucket for log storage, the event types being recorded, and whether it is a multi-region trail. A stopped trail delivers nothing to either destination.

  3. Verify the CloudWatch Logs log group:

     • Check that the log group you want to use exists and is in the same region as the trail (the home region for a multi-region trail). If it does not exist, create it from the AWS CLI or the AWS Management Console before updating the trail.

  4. Check the role's trust relationship and permissions:

     • CloudTrail, not CloudWatch Logs, assumes the role and writes the events. The trust policy must therefore allow the cloudtrail.amazonaws.com service principal to call sts:AssumeRole; a trust policy that names logs.amazonaws.com will never be used and delivery fails. The role's permissions policy must allow logs:CreateLogStream and logs:PutLogEvents on the target log group (or on the log streams beneath it).

  5. Review the trail's CloudWatch Logs settings:

     • A trail's CloudWatch Logs configuration consists of two attributes that must be set together: the log group ARN (CloudWatchLogsLogGroupArn) and the role ARN (CloudWatchLogsRoleArn). Verify that the log group ARN points at the intended group in the correct region. CloudTrail creates and names the log streams itself, using the pattern account_id_CloudTrail_region, so a permissions policy scoped to log streams should use that prefix.

  6. Check S3 bucket permissions:

     • S3 delivery and CloudWatch Logs delivery are separate paths, and the bucket policy has no effect on the CloudWatch Logs side. It must still allow the cloudtrail.amazonaws.com principal to write log files (s3:PutObject) and read the bucket ACL (s3:GetBucketAcl), because a trail whose S3 delivery fails is not functioning as the audit record. The trail status reports S3 problems in LatestDeliveryError and CloudWatch Logs problems in LatestCloudWatchLogsDeliveryError.

  7. Examine existing CloudTrail and CloudWatch Logs integrations:

     • Only a single log group can be associated with each trail, so enabling the integration on a trail that already has one replaces the previous target. Several trails may share one log group. After any change, check the trail status for a populated LatestCloudWatchLogsDeliveryTime and an empty LatestCloudWatchLogsDeliveryError.

  8. Review the CloudWatch Logs retention policy:

     • A new log group retains events indefinitely by default. Set a retention period that satisfies your organization's policies and the framework's audit record retention requirements, and keep the S3 copy as the long-term archive; the log group is the monitoring copy.
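The checks in steps 1 to 7 can be scripted against saved API output. The following is an added example, not code from the original rule page or from any vendor tool: it evaluates the documents returned by aws cloudtrail describe-trails, aws cloudtrail get-trail-status, aws iam get-role and aws iam get-role-policy, so it runs offline without credentials. The trails, account ID, region and role in the sample documents are constructed placeholders; the function names (evaluate_trail, trust_policy_ok, permissions_ok) are this example's own.

```python
"""Offline check for the rule 'CloudTrail trails should be integrated with CloudWatch Logs'.

Added example; not code from the original rule page or from any vendor tool. It
evaluates the documents returned by `aws cloudtrail describe-trails`,
`aws cloudtrail get-trail-status`, `aws iam get-role` and `aws iam get-role-policy`,
so saved output can be checked without credentials. The sample documents at the
bottom are constructed for this example; account ID, region and names are placeholders.
"""
import re

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"
REQUIRED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}


def _as_list(value):
    """IAM accepts a string or a list for Principal/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names match case-insensitively and '*' is a wildcard (e.g. 'logs:*')."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def trust_policy_ok(trust_doc):
    """True if an Allow statement lets cloudtrail.amazonaws.com call sts:AssumeRole.
    Trusting logs.amazonaws.com instead is a common mistake: CloudWatch Logs never
    assumes this role, CloudTrail does."""
    for st in _as_list(trust_doc.get("Statement", [])):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") == "Allow" and CLOUDTRAIL_SERVICE in services
                and "sts:AssumeRole" in _as_list(st.get("Action", []))):
            return True
    return False


def permissions_ok(policy_doc, log_group_arn):
    """True if the role may create streams and put events in the trail's log group.
    The Resource may be the group ARN, its ':*' form, or a log-stream ARN beneath it."""
    group_base = log_group_arn.rstrip("*").rstrip(":")
    granted = set()
    for st in _as_list(policy_doc.get("Statement", [])):
        resources = _as_list(st.get("Resource", []))
        if st.get("Effect") != "Allow" or not any(
                r == "*" or r.startswith(group_base) for r in resources):
            continue
        patterns = _as_list(st.get("Action", []))
        granted.update(a for a in REQUIRED_ACTIONS if any(_action_matches(p, a) for p in patterns))
    return REQUIRED_ACTIONS <= granted


def evaluate_trail(trail, status):
    """Findings for one trail (empty list = compliant). `trail` is an entry from
    describe-trails, `status` the matching get-trail-status document."""
    findings = []
    group_arn = trail.get("CloudWatchLogsLogGroupArn")
    if not group_arn:
        findings.append("CloudWatchLogsLogGroupArn is empty: trail is not integrated")
    else:
        parts = group_arn.split(":")  # arn:partition:logs:REGION:account:log-group:NAME:*
        if len(parts) < 4 or parts[3] != trail.get("HomeRegion"):
            findings.append("log group is not in the trail's home region")
    if not trail.get("CloudWatchLogsRoleArn"):
        findings.append("CloudWatchLogsRoleArn is empty: CloudTrail has no role to deliver with")
    if not status.get("IsLogging", False):
        findings.append("IsLogging is false: the trail is stopped")
    if status.get("LatestCloudWatchLogsDeliveryError"):
        findings.append("last CloudWatch Logs delivery failed: " + status["LatestCloudWatchLogsDeliveryError"])
    return findings


# Constructed sample documents (placeholder account, region and names).
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/management-events:*"
TRAIL_OK = {"Name": "management-events", "HomeRegion": "us-east-1",
            "S3BucketName": "example-cloudtrail-bucket",
            "CloudWatchLogsLogGroupArn": LOG_GROUP_ARN,
            "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role"}
STATUS_OK = {"IsLogging": True, "LatestCloudWatchLogsDeliveryError": ""}
TRAIL_BAD = {"Name": "legacy-trail", "HomeRegion": "us-east-1", "S3BucketName": "example-cloudtrail-bucket"}
STATUS_BAD = {"IsLogging": True}
TRUST_WRONG = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
               "Principal": {"Service": "logs.amazonaws.com"}}]}
TRUST_RIGHT = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
               "Principal": {"Service": "cloudtrail.amazonaws.com"}}]}
DELIVERY_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                   "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                   "Resource": LOG_GROUP_ARN[:-2] + ":log-stream:123456789012_CloudTrail_us-east-1*"}]}

if __name__ == "__main__":
    for trail, status in ((TRAIL_OK, STATUS_OK), (TRAIL_BAD, STATUS_BAD)):
        findings = evaluate_trail(trail, status)
        print(trail["Name"], "COMPLIANT" if not findings else "NON-COMPLIANT", findings)
    print("trust policy:", trust_policy_ok(TRUST_RIGHT), trust_policy_ok(TRUST_WRONG))
    print("delivery permissions:", permissions_ok(DELIVERY_POLICY, LOG_GROUP_ARN))
```

To run it against a real account, save the output of describe-trails and get-trail-status for each trail, and the role's trust and permissions policies, then load the JSON into the same functions. The trust policy check is the one that catches the logs.amazonaws.com mistake described in step 4; the region check catches a log group created in the wrong region in step 3.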

Necessary Codes:

No application code is required for this rule. The integration is a setting on the trail itself, consisting of a log group ARN and an IAM role ARN, and can be applied from the AWS Management Console or the AWS CLI.

Step-by-Step Guide for Remediation:

Follow the steps below to integrate CloudTrail trails with CloudWatch logs:

  1. Open the AWS Management Console and navigate to the CloudTrail service.

  2. In the left navigation pane, click "Trails."

  3. Select the existing trail you want to integrate with CloudWatch Logs, or click "Create trail" to configure a new trail.

  4. On the trail details page, confirm that the trail is configured with the appropriate settings, including the S3 bucket for log storage and the event types to be recorded. For a multi-region trail, the CloudWatch Logs setting is made once, in the home region, and applies to events from every region.

  5. Under "CloudWatch Logs," enable the integration.

  6. If you have an existing log group, choose it from the drop-down list. Otherwise, choose to create a new log group and provide a name for it. The log group is created in the trail's home region.

  7. Choose an existing IAM role for CloudTrail to assume, or let the console create a new one. If you supply your own role, its trust policy must allow the cloudtrail.amazonaws.com service principal to assume it, and its permissions policy must allow logs:CreateLogStream and logs:PutLogEvents on the log group. CloudTrail names the log streams itself (account_id_CloudTrail_region), so there is no stream name to customize.

  8. The trail's other protections, log file validation and SSE-KMS encryption of the S3 log files, are independent of the CloudWatch Logs integration; leave them enabled. Events in the log group are encrypted at rest by CloudWatch Logs.

  9. Review the trail configuration and click "Create" or "Update trail" to save the changes.

  10. Once the update is saved, CloudTrail begins delivering events to the specified log group. Confirm delivery from the trail's status (the last CloudWatch Logs delivery time is populated and no delivery error is shown), then create the metric filters and alarms you want to drive alerting from the log data.
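The same remediation can be applied through the API, which is the form that scales to many accounts. The following is an added example, not code from the original rule page or from AWS. build_plan() returns the CloudWatch Logs, IAM and CloudTrail calls (boto3 method names and their parameters) in dependency order so the plan can be reviewed before apply_plan() executes it with boto3. The account ID, region, trail name, log group name, role name and the one-year retention default are placeholders and assumptions for this example; the aws:SourceArn condition in the trust policy is an added hardening measure that restricts the role to the named trail.

```python
"""Remediation for 'CloudTrail trails should be integrated with CloudWatch Logs' via the AWS API.

Added example; not code from the original rule page or from AWS. build_plan() returns
the CloudWatch Logs, IAM and CloudTrail calls (boto3 method names and parameters) in
dependency order so the plan can be reviewed before apply_plan() executes it. The
account ID, region, trail, log group, role name and retention default in __main__ are
placeholders. boto3 is imported only when a plan is applied.
"""
import json
import time


def trust_policy(trail_arn):
    """Trust policy: only the CloudTrail service may assume the role, and only while
    acting for this trail (aws:SourceArn blocks another account's trail from using it)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
    }]}


def delivery_policy(log_group_arn, account_id, region):
    """Permissions policy, least privilege: CloudTrail names its streams
    <account_id>_CloudTrail_<region>*, so grant only the two delivery actions on that prefix."""
    group_base = log_group_arn.rstrip("*").rstrip(":")
    stream_arn = f"{group_base}:log-stream:{account_id}_CloudTrail_{region}*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "CloudTrailCreateLogStream", "Effect": "Allow",
         "Action": "logs:CreateLogStream", "Resource": stream_arn},
        {"Sid": "CloudTrailPutLogEvents", "Effect": "Allow",
         "Action": "logs:PutLogEvents", "Resource": stream_arn},
    ]}


def build_plan(account_id, region, trail_name, log_group, role_name,
               retention_days=365, partition="aws"):
    """Ordered (service, boto3_method, kwargs) tuples. Use partition='aws-us-gov' in
    GovCloud. retention_days must be a value CloudWatch Logs accepts (e.g. 365, 731)."""
    trail_arn = f"arn:{partition}:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    log_group_arn = f"arn:{partition}:logs:{region}:{account_id}:log-group:{log_group}:*"
    role_arn = f"arn:{partition}:iam::{account_id}:role/{role_name}"
    return [
        ("logs", "create_log_group", {"logGroupName": log_group}),
        ("logs", "put_retention_policy",
         {"logGroupName": log_group, "retentionInDays": retention_days}),
        ("iam", "create_role", {"RoleName": role_name,
         "AssumeRolePolicyDocument": json.dumps(trust_policy(trail_arn)),
         "Description": "Lets CloudTrail deliver trail events to CloudWatch Logs"}),
        ("iam", "put_role_policy", {"RoleName": role_name,
         "PolicyName": "CloudTrailCloudWatchLogsDelivery",
         "PolicyDocument": json.dumps(delivery_policy(log_group_arn, account_id, region))}),
        # The trail-side setting this rule checks: both ARNs must be set together.
        ("cloudtrail", "update_trail", {"Name": trail_name,
         "CloudWatchLogsLogGroupArn": log_group_arn, "CloudWatchLogsRoleArn": role_arn}),
    ]


ALREADY_EXISTS = {"ResourceAlreadyExistsException", "EntityAlreadyExistsException"}


def apply_plan(plan, session=None, attempts=6):
    """Execute the plan idempotently: 'already exists' errors are skipped, and
    update_trail is retried because a freshly created IAM role takes a few seconds to
    propagate (CloudTrail returns InvalidCloudWatchLogsRoleArnException until it has)."""
    import boto3
    from botocore.exceptions import ClientError
    session = session or boto3.Session()
    for service, method, params in plan:
        client = session.client(service)
        for attempt in range(attempts):
            try:
                getattr(client, method)(**params)
                break
            except ClientError as err:
                code = err.response["Error"]["Code"]
                if code in ALREADY_EXISTS:
                    break
                if code == "InvalidCloudWatchLogsRoleArnException" and attempt < attempts - 1:
                    time.sleep(5)
                    continue
                raise


if __name__ == "__main__":
    plan = build_plan("123456789012", "us-east-1", "management-events",
                      "CloudTrail/management-events", "CloudTrail_CloudWatchLogs_Role")
    for service, method, params in plan:  # review the calls before applying them
        print(f"{service}.{method}({json.dumps(params)})")
    # apply_plan(plan)  # run with credentials for the target account
```

Printing the plan first shows the exact policy documents and the trail update that will be made, which is what an auditor asks to see. If a role of that name already exists, apply_plan() keeps it rather than replacing its trust policy, so check an existing role with the trust and permissions checks from the troubleshooting section before reusing it.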

Remember to regularly monitor the CloudWatch logs to ensure proper logging and investigate any potential security incidents or compliance issues.

Conclusion:

Integrating CloudTrail trails with CloudWatch Logs, as the FedRAMP Moderate Revision 4 standard expects, ensures that AWS API activity is continuously monitored and centrally logged rather than only archived in S3. The troubleshooting steps above cover the usual causes of a failed integration, in particular a role trusted to the wrong service principal or missing the two delivery permissions, and the step-by-step guide shows how to apply the setting and confirm that events are arriving.
