Rule: CloudTrail trails should be integrated with CloudWatch logs

This rule ensures that CloudTrail trails are integrated with CloudWatch logs for enhanced monitoring and security measures.

Rule: CloudTrail trails should be integrated with CloudWatch logs
Framework: Federal Financial Institutions Examination Council (FFIEC)
Severity: Critical

CloudTrail Integration with CloudWatch Logs for FFIEC Compliance

Integrating AWS CloudTrail with CloudWatch Logs is crucial for financial institutions that need to be compliant with the Federal Financial Institutions Examination Council (FFIEC) guidelines. This configuration ensures the ability to continuously monitor, record, and retain account activity related to actions across your AWS infrastructure, providing a key component of an effective security and compliance regime.

Benefits of Integration

  • Real-time Monitoring: Continuous surveillance of user and resource activity.
  • Event History: Documentation of historical data for security analysis and compliance auditing.
  • Automated Responses: Triggering alarms and automated actions based on specific events.

Prerequisites

  • AWS account with required permissions.
  • Existing CloudTrail trail and CloudWatch Logs log group (or the permissions to create them).

Step 1: Create/Select a CloudTrail Trail

Ensure you have a CloudTrail trail set up. If you do not, create one with:

aws cloudtrail create-trail --name YourTrailName --s3-bucket-name YourS3BucketName

Step 2: Create/Select CloudWatch Log Group

If you don't already have a CloudWatch Log Group created, establish one using:

aws logs create-log-group --log-group-name YourLogGroupName

Step 3: Integrate CloudTrail with CloudWatch Logs

Optionally, first set the event selectors that control which events the trail records. This command does not by itself connect the trail to CloudWatch Logs; that is done by the update-trail command at the end of this step.

aws cloudtrail put-event-selectors --trail-name YourTrailName --event-selectors file://event-selectors.json

In event-selectors.json, specify the resources and types of events to record.

Create a new IAM role for the logs. This role is what CloudTrail assumes to write events into the CloudWatch Logs log group.

# Create the role, using trust-policy.json as its trust policy
aws iam create-role --role-name CloudTrail_CloudWatchLogs_Role --assume-role-policy-document file://trust-policy.json
# Attach the permissions policy (policy.json) to the role as an inline policy
aws iam put-role-policy --role-name CloudTrail_CloudWatchLogs_Role --policy-name CloudTrail_CloudWatchLogs_Policy --policy-document file://policy.json

Ensure policy.json and trust-policy.json have the correct permissions and trust relationships set up: the trust policy must allow the cloudtrail.amazonaws.com service principal to assume the role, and the permissions policy needs only logs:CreateLogStream and logs:PutLogEvents, scoped to the log group the trail will write to.

Update the trail to use the new role and log group:

aws cloudtrail update-trail --name YourTrailName --cloud-watch-logs-log-group-arn arn:aws:logs:region:account-id:log-group:YourLogGroupName --cloud-watch-logs-role-arn arn:aws:iam::account-id:role/CloudTrail_CloudWatchLogs_Role

Step 4: Configure Monitoring and Alarms

With the integration complete, you can now create metric filters and alarms to monitor specific activity. For instance:

# Create a metric filter
aws logs put-metric-filter --log-group-name YourLogGroupName --filter-name "FilterName" --filter-pattern '{($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}' --metric-transformations metricName=ExampleMetric,metricNamespace='CloudTrailMetrics',metricValue=1

# Create an alarm
aws cloudwatch put-metric-alarm --alarm-name "UnauthorizedActivityAlarm" --metric-name ExampleMetric --namespace 'CloudTrailMetrics' --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --alarm-actions arn:aws:sns:region:account-id:alarm-topic

Troubleshooting Steps

If you encounter issues with the integration:

  1. Check IAM role and policy: Make sure that the IAM role has correct permissions and is correctly assumed by CloudTrail.
  2. Validate CloudTrail configuration: Verify that CloudTrail is correctly configured and is actively monitoring the AWS account.
  3. Inspect CloudWatch Logs: Ensure that CloudTrail events are visible in the CloudWatch Logs log group.
  4. Check metric filters and alarms: Verify that filters and alarms are correctly configured to monitor for the desired events.
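As an added example (not CloudDefense's own rule logic), the following Python check evaluates the state this rule describes and complements the troubleshooting list above. It reads the shape of aws cloudtrail describe-trails and aws cloudtrail get-trail-status output (constructed sample data is embedded inline; 111122223333 is a documentation placeholder account ID) and flags trails that are not actually delivering to CloudWatch Logs, including trails whose ARNs are set but whose last delivery failed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `aws cloudtrail describe-trails` output
# (111122223333 is a documentation placeholder, not a real account ID).
DESCRIBE_TRAILS = json.loads("""
{"trailList": [
  {"Name": "audit-trail",
   "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:YourLogGroupName:*",
   "CloudWatchLogsRoleArn": "arn:aws:iam::111122223333:role/CloudTrail_CloudWatchLogs_Role"},
  {"Name": "s3-only-trail"},
  {"Name": "stale-trail",
   "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:YourLogGroupName:*",
   "CloudWatchLogsRoleArn": "arn:aws:iam::111122223333:role/CloudTrail_CloudWatchLogs_Role"}
]}""")

# Constructed sample in the shape of `aws cloudtrail get-trail-status`, keyed by trail name.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
TRAIL_STATUS = {
    "audit-trail": {"IsLogging": True,
                    "LatestCloudWatchLogsDeliveryTime": (NOW - timedelta(minutes=5)).isoformat()},
    "s3-only-trail": {"IsLogging": True},
    # Both ARNs are set, but the role lost its permissions: delivery has been failing for days.
    "stale-trail": {"IsLogging": True,
                    "LatestCloudWatchLogsDeliveryTime": (NOW - timedelta(days=3)).isoformat(),
                    "LatestCloudWatchLogsDeliveryError": "AccessDenied"},
}

def evaluate_trail(trail, status, now=NOW, max_lag=timedelta(hours=1)):
    """Return (compliant, reason) for one trail; checks delivery, not just configuration."""
    if not (trail.get("CloudWatchLogsLogGroupArn") and trail.get("CloudWatchLogsRoleArn")):
        return False, "no CloudWatch Logs log group and role configured on the trail"
    if not status.get("IsLogging"):
        return False, "trail is not logging"
    if status.get("LatestCloudWatchLogsDeliveryError"):
        return False, "last CloudWatch Logs delivery failed: " + status["LatestCloudWatchLogsDeliveryError"]
    # A configured trail that has not delivered recently is also a finding.
    last = status.get("LatestCloudWatchLogsDeliveryTime")
    if last is None or now - datetime.fromisoformat(last) > max_lag:
        return False, f"no CloudWatch Logs delivery within {max_lag} (last: {last})"
    return True, "delivering to CloudWatch Logs"

def evaluate_account(describe_trails, trail_status, now=NOW):
    """Evaluate every trail in the account; returns {trail name: (compliant, reason)}."""
    return {t["Name"]: evaluate_trail(t, trail_status.get(t["Name"], {}), now)
            for t in describe_trails["trailList"]}

for name, (ok, why) in evaluate_account(DESCRIBE_TRAILS, TRAIL_STATUS).items():
    print(f"{'PASS' if ok else 'FAIL'} {name}: {why}")
```

Against a live account, feed it the JSON from the two CLI commands instead of the embedded samples; a trail that passes the configuration check but fails on delivery error points straight at the IAM role and policy items in the troubleshooting list.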

Following these steps will help meet FFIEC compliance by establishing the necessary audit trails and real-time monitoring of AWS environments. Remember that while this guide is detailed, it might require custom adjustments to fit specific organizational needs and compliance requirements.
