
Rule: Ensure presence of multi-region AWS CloudTrail

This rule ensures at least one multi-region AWS CloudTrail is present in the account.

Rule: At least one multi-region AWS CloudTrail should be present in an account
Framework: FedRAMP Moderate Revision 4
Severity: Medium

Rule Description

This rule ensures that at least one multi-region AWS CloudTrail is present in an account to comply with the FedRAMP Moderate Revision 4 requirements. AWS CloudTrail is a service that helps monitor, log, and retain account activity related to actions across your AWS infrastructure. A multi-region setup increases the reliability and availability of CloudTrail logs by creating copies of the logs in multiple AWS regions, reducing the risk of data loss or service interruptions.

Troubleshooting Steps (if applicable)

If you encounter issues while setting up or managing the multi-region AWS CloudTrail, you can follow the steps below to troubleshoot:

  1. Ensure that you have the necessary permissions: Check that your IAM user or role has the required privileges to create and configure CloudTrail. You need permissions to work with AWS CloudTrail, S3, and CloudWatch.

  2. Confirm your AWS Region availability: Verify that the AWS region you intend to set up CloudTrail in supports multi-region log replication. Not all AWS regions have this capability.

  3. Check CloudTrail limits: Ensure that you haven't reached the service limits for AWS CloudTrail. Each AWS account has specific limits on the number of trails, trail names, and configuration settings.

  4. Validate S3 bucket permissions: Verify that the S3 bucket where the CloudTrail logs will be stored has the appropriate permissions. The IAM user or role should have the necessary access to the S3 bucket to write logs.

Necessary Code (if applicable)

If you prefer to use AWS Command Line Interface (CLI) to create the multi-region AWS CloudTrail, you can use the following code template:

aws cloudtrail create-trail \
  --name <trail-name> \
  --s3-bucket-name <bucket-name> \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --include-global-service-events \
  --region <region-name>

# A newly created trail does not record events until logging is started:
aws cloudtrail start-logging --name <trail-name> --region <region-name>

Replace the placeholders <trail-name>, <bucket-name>, and <region-name> with your desired values. The region you pass becomes the trail's home region; with --is-multi-region-trail the trail records events from all regions into the one bucket. The S3 bucket policy must grant the CloudTrail service principal write access to that bucket, or the create-trail call fails.

Step-by-Step Guide for Remediation

To set up a multi-region AWS CloudTrail in compliance with FedRAMP Moderate Revision 4, follow these steps:

  1. Log in to the AWS Management Console.

  2. Open the AWS CloudTrail service.

  3. Click on "Trails" in the left sidebar.

  4. Click the "Create trail" button.

  5. Provide a meaningful name for the trail in the "Trail name" field.

  6. Select an existing S3 bucket or click "Create a new S3 bucket." If creating a new bucket, provide a unique bucket name.

  7. Enable the "Apply trail to all regions" option to ensure multi-region log replication.

  8. Enable the "Enable log file validation" option to automatically verify the integrity of your logs.

  9. (Optional) Enable the "Include global services" option to record AWS service events that occur in the global (non-region-specific) endpoint.

  10. Select the appropriate regions to include. Ensure that at least one region is selected for multi-region compliance.

  11. Click the "Create" button to create the CloudTrail trail.

  12. Validate the S3 bucket permissions and ensure the IAM user or role used for CloudTrail creation has write access to the bucket.

Once the CloudTrail trail is created, it will start recording the specified account activity in the chosen regions. The logs will be stored in the specified S3 bucket, with multi-region log replication enabled to ensure data redundancy and availability.
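To verify this rule from the account side, the following added example (not Cloud Defense's own checker) evaluates the output of describe-trails and get-trail-status: a trail satisfies the rule only when it is multi-region and actively logging, because a multi-region trail whose logging was stopped provides no coverage. The use of boto3, the function names, and the sample trail data (account ID and ARNs) are assumptions constructed for the example.

```python
"""Check an account for a compliant multi-region CloudTrail.

evaluate_trails() is pure logic over describe-trails / get-trail-status output;
check_account() wires it to boto3 (assumed installed and configured).
"""
from typing import Iterable


def evaluate_trails(trails: Iterable[dict], logging_by_arn: dict) -> dict:
    """Return {"compliant": bool, "findings": [...]} for a trail list.

    `trails` has the shape of describe-trails' "trailList"; `logging_by_arn`
    maps a trail ARN to IsLogging from get-trail-status.  A trail satisfies
    the rule only if it is multi-region AND logging: a stopped multi-region
    trail gives a false sense of coverage.
    """
    findings = []
    for t in trails:
        f = {
            "name": t["Name"],
            "multi_region": bool(t.get("IsMultiRegionTrail")),
            "logging": bool(logging_by_arn.get(t.get("TrailARN", t["Name"]))),
            "log_file_validation": bool(t.get("LogFileValidationEnabled")),
        }
        f["satisfies_rule"] = f["multi_region"] and f["logging"]
        findings.append(f)
    return {"compliant": any(f["satisfies_rule"] for f in findings),
            "findings": findings}


# Constructed sample (account 111122223333 is a placeholder): a single-region
# trail that is logging and a multi-region trail that was stopped.
SAMPLE_TRAILS = [
    {"Name": "regional-only", "IsMultiRegionTrail": False, "LogFileValidationEnabled": True,
     "TrailARN": "arn:aws:cloudtrail:us-west-2:111122223333:trail/regional-only"},
    {"Name": "org-wide", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-wide"},
]
SAMPLE_LOGGING = {SAMPLE_TRAILS[0]["TrailARN"]: True, SAMPLE_TRAILS[1]["TrailARN"]: False}


def check_account(region_name: str = "us-east-1") -> dict:
    """Live check: describe-trails lists a multi-region trail from any region
    (as a shadow trail) and get-trail-status accepts its ARN from any region."""
    import boto3  # imported lazily so evaluate_trails() runs without boto3
    ct = boto3.client("cloudtrail", region_name=region_name)
    trails = ct.describe_trails(includeShadowTrails=True)["trailList"]
    logging = {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"])["IsLogging"]
               for t in trails}
    return evaluate_trails(trails, logging)
```

On the constructed sample the verdict is non-compliant; it becomes compliant once the stopped multi-region trail is started again, which is the same condition the rule is meant to catch.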

Make sure to regularly monitor the CloudTrail logs for any suspicious activities or anomalies to ensure the security and compliance of your AWS resources.

Note: It is imperative to understand the specific requirements of your FedRAMP Moderate Revision 4 compliance and consult with AWS documentation or security experts if required.
