
Ensure CloudTrail Trails are Integrated with CloudWatch Logs Rule

This rule requires every CloudTrail trail to deliver its events to a CloudWatch Logs log group, so that API activity in the account can be monitored and alarmed on in near real time in support of the system and information integrity controls of FedRAMP Moderate.

Rule: CloudTrail trails should be integrated with CloudWatch Logs
Framework: FedRAMP Moderate Revision 4
Severity: Critical

CloudTrail Trails Integration with CloudWatch Logs for FedRAMP Moderate Revision 4

Overview

Integrating AWS CloudTrail with CloudWatch Logs supports compliance with the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline, Revision 4 (whose controls are drawn from NIST SP 800-53 Revision 4). CloudTrail always writes its event files to an S3 bucket; sending the same events to a CloudWatch Logs log group adds near-real-time monitoring, searching and alerting on that activity, and lets a retention policy on the log group enforce how long the events are kept.

Benefits of Integration

  • Near-Real-Time Monitoring: CloudTrail delivers events to the log group within a few minutes of the API call, rather than only as periodic files in S3.
  • Search and Filtering: log data can be searched and filtered (with CloudWatch Logs Insights or the filter-log-events command) to identify and analyze issues quickly.
  • Alerting: metric filters on the log group turn matching events (root sign-ins, IAM policy changes, a trail being stopped) into CloudWatch metrics, and CloudWatch Alarms on those metrics notify you.
  • Retention Policies: a retention policy on the log group enforces how long the events are kept. Set it to the period your FedRAMP authorization requires; a new log group keeps events indefinitely by default.

Prerequisites

  • An AWS account with permissions to create log groups, IAM roles and policies, and to update trails.
  • An existing CloudTrail trail. The log group must be in the trail's home region.
  • An IAM role that CloudTrail can assume, with a policy allowing it to write to the log group (created in Step 2 below).

Integration Steps

Step 1: Create a New Log Group in CloudWatch

aws logs create-log-group --log-group-name MyLogGroup

Replace MyLogGroup with the desired name for your log group. A new log group keeps events indefinitely until you set a retention policy on it, so set one that meets your retention requirement.

Step 2: Create a New IAM Role for CloudWatch Logs

This IAM role permits CloudTrail to send logs to CloudWatch.

Create Policy Document

Create a file named TrustPolicyForCloudWatch.json with the following content:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM Role

aws iam create-role \
  --role-name CWLRoleForCloudTrail \
  --assume-role-policy-document file://TrustPolicyForCloudWatch.json

Attach Policy to Role

Attach the policy that grants the necessary permissions to write logs to CloudWatch.

aws iam put-role-policy \
  --role-name CWLRoleForCloudTrail \
  --policy-name CWLTrail_Policy \
  --policy-document file://PolicyForCloudWatch.json

PolicyForCloudWatch.json must allow the logs:CreateLogStream and logs:PutLogEvents actions, and its Resource should name the log streams of the log group created in Step 1 rather than *, so that the role can write to that group and nothing else.

Step 3: Update the CloudTrail Trail

Enable the trail to log to CloudWatch Logs by specifying the log group and the role.

aws cloudtrail update-trail \
  --name MyExistingTrail \
  --cloud-watch-logs-log-group-arn arn:aws:logs:region:account-id:log-group:MyLogGroup \
  --cloud-watch-logs-role-arn arn:aws:iam::account-id:role/CWLRoleForCloudTrail

Replace MyExistingTrail, region, account-id, and MyLogGroup with your own values.

Step 4: Verify the Integration

Confirm that CloudTrail events are arriving in the log group. Delivery begins a few minutes after the update, so an empty result immediately afterwards is not by itself a failure. The trail's status (aws cloudtrail get-trail-status) also records the time of the last CloudWatch Logs delivery and any delivery error, which is the quickest way to tell a permissions problem from ordinary delay.

aws logs filter-log-events --log-group-name MyLogGroup

Troubleshooting Steps

  • Permission Issues: ensure the role's trust policy names cloudtrail.amazonaws.com and its permission policy grants logs:CreateLogStream and logs:PutLogEvents on the log group; a delivery error in the trail status usually points at one of these.
  • Log Delivery Delays: a few minutes between the API call and the event appearing in CloudWatch Logs is normal. Wait and check again.
  • Misconfigured Trails: make sure the trail is logging (start-logging) and records the events you need to monitor, and that the log group is in the trail's home region.
  • Check Status: check the trail status for the last CloudWatch Logs delivery time and any delivery error; consult AWS Health only for service-wide incidents.

Remediation of Common Issues

If logs are not appearing in CloudWatch:

  • Confirm that the IAM Role exists and the Trust Relationship is correctly set.
  • Ensure the policy attached to the IAM Role contains the correct permissions.
  • Verify the log group ARN and the role ARN in the update-trail command, and that the log group is in the same region as the trail.

Continuously monitor the integration with the AWS Config managed rule cloud-trail-cloud-watch-logs-enabled or another compliance tool, so that a trail whose CloudWatch Logs settings are removed is flagged and the control remains effective for FedRAMP.
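The check below is an added example, not code from this page, from Cloud Defense or from AWS. It covers two things the steps above leave open: the content of PolicyForCloudWatch.json from Step 2, built with its Resource scoped to the log streams CloudTrail creates (AWS documents the stream names as account_CloudTrail_region*), and the ongoing monitoring just described, evaluated against the JSON that aws cloudtrail describe-trails, aws cloudtrail get-trail-status and aws logs describe-log-groups return. The trail name, account number, log group, timestamps and the one-hour delivery threshold are constructed assumptions, and the retention finding goes beyond the rule itself; everything else follows the field names those commands emit.

```python
"""Added example (not code from the Cloud Defense page or from AWS).

Checks the rule on this page against the JSON that `aws cloudtrail describe-trails`,
`aws cloudtrail get-trail-status` and `aws logs describe-log-groups` return, and builds
the two IAM policy documents Step 2 leaves unspecified. Sample data below is constructed.
"""
from __future__ import annotations

import json
import re
from datetime import datetime, timedelta, timezone

# Log group ARN as describe-trails reports it, with or without the trailing ":*".
LOG_GROUP_ARN_RE = re.compile(
    r"^arn:aws:logs:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):log-group:(?P<name>[^:]+)(?::\*)?$")


def parse_log_group_arn(arn: str) -> tuple[str, str, str]:
    """Return (region, account, log group name); raise ValueError on anything else."""
    m = LOG_GROUP_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a CloudWatch Logs log group ARN: {arn}")
    return m["region"], m["account"], m["name"]


def trust_policy() -> dict:
    """TrustPolicyForCloudWatch.json: only the CloudTrail service principal may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def role_policy(log_group_arn: str) -> dict:
    """PolicyForCloudWatch.json: the two actions CloudTrail needs, limited to the streams it
    creates (AWS documents the stream names as <account>_CloudTrail_<region>*), not to "*"."""
    region, account, name = parse_log_group_arn(log_group_arn)
    streams = f"arn:aws:logs:{region}:{account}:log-group:{name}:log-stream:{account}_CloudTrail_{region}*"
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "CloudTrailWriteToLogGroup", "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": streams}]}


def evaluate_trail(trail: dict, status: dict, log_groups: dict[str, dict], now: datetime,
                   max_delay: timedelta = timedelta(hours=1)) -> list[str]:
    """Findings for one trail (empty list = compliant). `trail` is a describe-trails entry,
    `status` its get-trail-status output, `log_groups` maps name -> describe-log-groups entry."""
    findings = []
    lg_arn = trail.get("CloudWatchLogsLogGroupArn")
    role_arn = trail.get("CloudWatchLogsRoleArn")
    if not lg_arn:
        findings.append("no CloudWatchLogsLogGroupArn: trail is not integrated with CloudWatch Logs")
    if not role_arn:
        findings.append("no CloudWatchLogsRoleArn: CloudTrail has no role to write with")
    if lg_arn:
        try:
            name = parse_log_group_arn(lg_arn)[2]
        except ValueError as exc:
            findings.append(str(exc))
        else:
            group = log_groups.get(name)
            if group is None:
                findings.append(f"log group {name} does not exist in this account/region")
            elif "retentionInDays" not in group:
                # Beyond the rule itself: without a retention policy the group never expires events.
                findings.append(f"log group {name} has no retention policy set")
    if not status.get("IsLogging", False):
        findings.append("trail is not logging")
    if status.get("LatestCloudWatchLogsDeliveryError"):
        findings.append(f"delivery error: {status['LatestCloudWatchLogsDeliveryError']}")
    if lg_arn and role_arn:
        raw = status.get("LatestCloudWatchLogsDeliveryTime")  # ISO 8601 string in CLI JSON output
        if raw is None:
            findings.append("no CloudWatch Logs delivery recorded yet")
        elif now - datetime.fromisoformat(str(raw).replace("Z", "+00:00")) > max_delay:
            findings.append("last CloudWatch Logs delivery is older than the allowed delay")
    return findings


def audit(trails_json: dict, status_by_trail: dict[str, dict], log_groups_json: dict,
          now: datetime) -> dict[str, list[str]]:
    """Map each trail name to its findings."""
    groups = {g["logGroupName"]: g for g in log_groups_json.get("logGroups", [])}
    return {t["Name"]: evaluate_trail(t, status_by_trail.get(t["Name"], {}), groups, now)
            for t in trails_json.get("trailList", [])}


# Constructed sample CLI output, not captured from a real account.
SAMPLE_TRAILS = {"trailList": [
    {"Name": "MyExistingTrail",
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:MyLogGroup:*",
     "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/CWLRoleForCloudTrail"},
    {"Name": "LegacyTrail"}]}
SAMPLE_STATUS = {
    "MyExistingTrail": {"IsLogging": True, "LatestCloudWatchLogsDeliveryTime": "2024-05-01T12:00:00+00:00"},
    "LegacyTrail": {"IsLogging": True}}
SAMPLE_LOG_GROUPS = {"logGroups": [{"logGroupName": "MyLogGroup", "retentionInDays": 365}]}
SAMPLE_NOW = datetime(2024, 5, 1, 12, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(json.dumps(role_policy(SAMPLE_TRAILS["trailList"][0]["CloudWatchLogsLogGroupArn"]), indent=2))
    for trail_name, found in audit(SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_LOG_GROUPS, SAMPLE_NOW).items():
        print(trail_name, "PASS" if not found else "FAIL: " + "; ".join(found))
```

To run it against a real account, replace the SAMPLE_* values with the output of the three CLI commands (get-trail-status is called once per trail) and pass the current UTC time as now. A trail that passes the rule but whose last delivery is stale, or whose status carries a delivery error, is reported separately from a trail that was never integrated, which is the distinction the troubleshooting steps above depend on.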
