This rule requires the presence of a multi-region AWS CloudTrail in an account.
| Field | Value |
|---|---|
| Rule | At least one multi-region AWS CloudTrail should be present in an account |
| Framework | Federal Financial Institutions Examination Council (FFIEC) |
| Severity | Medium |
Rule Description
This rule states that at least one multi-region AWS CloudTrail trail must be configured in the account for compliance with the Federal Financial Institutions Examination Council (FFIEC) requirements. CloudTrail records the API calls made in the account (who called what, from where, and when), which is the audit evidence needed to investigate account activity. A single-region trail only records activity in the region it was created in, so an attacker or a misconfigured workload operating in an unused region leaves no record. A multi-region trail records management events in every region, including regions AWS adds later, and, when global service events are included, also records calls to global services such as IAM, STS and CloudFront, which are delivered through us-east-1.
Troubleshooting Steps
If the rule reports that no multi-region CloudTrail is present in the account, work through the following checks:
Check whether any CloudTrail trails exist in the account at all. A trail created in one region with the multi-region option is listed in every region, so a check run in a single region is sufficient.
Ensure that at least one of the trails is multi-region (the trail's IsMultiRegionTrail attribute is true) and that it includes global service events.
Check that the trail is actually logging. A trail can exist with logging stopped, in which case it records nothing; this is a common state after an incident or a cost-cutting change, and it still fails the rule.
Record the evidence (trail ARN, home region, destination S3 bucket and logging status) so your compliance team can map it to the relevant FFIEC audit and logging requirements.
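The checks above can be evaluated mechanically against the JSON that the CloudTrail CLI returns. The following is an added example, not code from the original page or from the rule's vendor: it evaluates the output shapes of `aws cloudtrail describe-trails`, `aws cloudtrail get-trail-status` and `aws cloudtrail get-event-selectors` and reports, per trail, why it does or does not satisfy the rule. The trail names, ARNs and bucket in the sample data are constructed for the example; to run it against a real account, replace the sample dictionaries with the parsed output of those three commands.

```python
"""Evaluate the "multi-region CloudTrail present" rule from CloudTrail API output.

Added example (not the original page's code). The three input shapes match what
the AWS CLI returns for describe-trails (trailList), get-trail-status and
get-event-selectors. All sample data below is constructed, not captured.
"""
from __future__ import annotations

from typing import Any


def management_events_enabled(selectors: dict[str, Any]) -> bool:
    """True if the trail records both read and write management events.

    get-event-selectors returns either the classic EventSelectors list or an
    AdvancedEventSelectors list, depending on how the trail was configured, so
    both shapes are handled.
    """
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All":
            return True
    for adv in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in adv.get("FieldSelectors", [])}
        category = fields.get("eventCategory", {})
        # A management selector that also filters on readOnly captures only one
        # direction, so require eventCategory=Management with no readOnly filter.
        if "Management" in category.get("Equals", []) and "readOnly" not in fields:
            return True
    return False


def evaluate_trail(trail: dict[str, Any], status: dict[str, Any],
                   selectors: dict[str, Any]) -> list[str]:
    """Return the list of reasons this trail fails the rule (empty = passes)."""
    findings: list[str] = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("not multi-region")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events (IAM, STS, CloudFront) not included")
    if not status.get("IsLogging"):
        findings.append("logging is stopped")
    if not management_events_enabled(selectors):
        findings.append("management events not recorded for both read and write")
    return findings


def account_is_compliant(trails: list[dict[str, Any]],
                         status_by_arn: dict[str, dict[str, Any]],
                         selectors_by_arn: dict[str, dict[str, Any]]
                         ) -> tuple[bool, dict[str, list[str]]]:
    """The account passes if at least one trail has no findings.

    describe-trails lists shadow copies of a multi-region trail in every region
    under the same TrailARN, so keying the report by ARN deduplicates them.
    """
    report: dict[str, list[str]] = {}
    for trail in trails:
        arn = trail["TrailARN"]
        report[arn] = evaluate_trail(trail, status_by_arn.get(arn, {}),
                                     selectors_by_arn.get(arn, {}))
    return any(not findings for findings in report.values()), report


# ---- constructed sample data (hypothetical account 111122223333) ----
MGMT_ARN = "arn:aws:cloudtrail:us-east-1:111122223333:trail/mgmt-trail"
LEGACY_ARN = "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-trail"

SAMPLE_TRAILS = [
    {"Name": "mgmt-trail", "TrailARN": MGMT_ARN, "HomeRegion": "us-east-1",
     "S3BucketName": "example-cloudtrail-logs", "IsMultiRegionTrail": True,
     "IncludeGlobalServiceEvents": True, "LogFileValidationEnabled": True},
    {"Name": "legacy-trail", "TrailARN": LEGACY_ARN, "HomeRegion": "eu-west-1",
     "S3BucketName": "example-cloudtrail-logs", "IsMultiRegionTrail": False,
     "IncludeGlobalServiceEvents": False, "LogFileValidationEnabled": False},
]
SAMPLE_STATUS = {MGMT_ARN: {"IsLogging": True}, LEGACY_ARN: {"IsLogging": True}}
SAMPLE_SELECTORS = {
    MGMT_ARN: {"EventSelectors": [{"ReadWriteType": "All",
                                   "IncludeManagementEvents": True}]},
    LEGACY_ARN: {"AdvancedEventSelectors": [{"Name": "Management events",
                 "FieldSelectors": [{"Field": "eventCategory",
                                     "Equals": ["Management"]}]}]},
}

if __name__ == "__main__":
    ok, report = account_is_compliant(SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_SELECTORS)
    print("COMPLIANT" if ok else "NON-COMPLIANT")
    for arn, findings in report.items():
        print(f"  {arn}: {'pass' if not findings else '; '.join(findings)}")
```

The per-trail findings matter more than the pass/fail bit: a multi-region trail whose logging was stopped fails the rule just as an absent trail does, and the report says so explicitly rather than only reporting "no compliant trail".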
Necessary Code
No application code is required for this rule. It is satisfied by trail configuration alone, whether the trail is created in the AWS Management Console, with the AWS CLI as shown below, or through infrastructure-as-code; what matters is that the resulting trail is multi-region and actively logging.
Remediation Steps
If no multi-region CloudTrail exists in the account, follow these steps for remediation:
Open the AWS Management Console and sign in with a principal that has permission to manage CloudTrail and the destination S3 bucket.
Navigate to the CloudTrail service page.
Click "Create trail" to start the trail creation process.
In the "Create trail" wizard, provide a descriptive name for the trail.
Under "Storage location," select an existing S3 bucket or let the wizard create one. The bucket policy must allow the CloudTrail service principal to write log files to the bucket; the wizard adds this policy to a bucket it creates, but an existing bucket must already have it.
Confirm that the trail applies to all regions. A trail created in the console is multi-region by default, so verify the setting rather than assuming it.
Configure the other trail attributes according to your organization's security needs: SSE-KMS encryption of the log files, log file validation (tamper-evident digests of delivered logs), CloudWatch Logs delivery, and SNS notification of new log files.
Choose the event types to record. At minimum, record management events for both read and write API activity; add data events and Insights events based on your compliance and monitoring requirements, keeping in mind that data events are billed separately and can be high volume.
Review the settings and click "Create trail" to create the multi-region CloudTrail.
Confirm that the trail is active and recording events; the trail's detail page shows its logging status, and log files should begin arriving in the bucket shortly afterwards.
Coordinate with your compliance or security team to validate that the configuration meets FFIEC requirements, including the log retention period applied to the bucket.
CLI Command Guide
To configure a multi-region CloudTrail using the AWS Command Line Interface (CLI), follow these steps:
Open a terminal with the AWS CLI installed and configured.
Run the following command to create a multi-region CloudTrail:
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <s3-bucket-name> --is-multi-region-trail --include-global-service-events
Replace <trail-name> with a descriptive name for the trail and <s3-bucket-name> with the name of the S3 bucket where the logs will be stored. The bucket must already exist and carry a bucket policy that allows the CloudTrail service principal to write to it; without that policy the command fails with InsufficientS3BucketPolicyException.
A newly created trail does not record anything until logging is started. After trail creation, enable the trail:
aws cloudtrail start-logging --name <trail-name>
Validate the CloudTrail settings by viewing the details for the created trail:
aws cloudtrail describe-trails --trail-name-list <trail-name>
In the output, confirm that IsMultiRegionTrail and IncludeGlobalServiceEvents are both true. Note that describe-trails reports configuration only; whether the trail is currently logging is reported as IsLogging by the get-trail-status subcommand, so check that as well.
Coordinate with your compliance or security team to ensure FFIEC compliance requirements are met by the CloudTrail configuration.
Note: The AWS CLI commands provided here assume that you have properly configured the AWS CLI and have the necessary permissions to create and manage CloudTrail trails.