This rule ensures the presence of a multi-region AWS CloudTrail in an account.
| Rule | At least one multi-region AWS CloudTrail should be present in an account |
| --- | --- |
| Framework | General Data Protection Regulation (GDPR) |
| Severity | ✔ Medium |
Rule Description
This rule supports compliance with General Data Protection Regulation (GDPR) requirements by requiring that at least one multi-region AWS CloudTrail be present in the account. AWS CloudTrail provides centralized logging and monitoring of API activity across your AWS account, giving visibility into actions performed by users, services, and resources.
Troubleshooting Steps
If there is no multi-region AWS CloudTrail present in the account, follow these troubleshooting steps to ensure compliance with the GDPR requirements:
1. Verify CloudTrail Configuration: Check whether CloudTrail is already enabled in your AWS account by navigating to the CloudTrail service in the AWS Management Console. If it is enabled, check the existing trails against the following steps; if it is not, use the following steps to create a trail.
2. Create a New CloudTrail Trail: Click on the "Trails" tab within the CloudTrail service and then click on the "Create trail" button. Configure the trail to capture log files from multiple regions.
3. Specify an S3 Bucket for Log Storage: Select the Amazon S3 bucket where the CloudTrail logs will be stored. Make sure to choose a bucket that is located in a different region than the one you are monitoring.
4. Enable Multi-Region Logging: Under the "Storage location" section, enable the option for multi-region logging. This ensures that CloudTrail logs from all AWS regions are stored in the selected S3 bucket.
5. Configure Additional Settings: Configure any additional settings required, such as log file encryption and log file validation.
6. Enable the Trail: Once all the necessary settings are configured, click on the "Create" button to enable the CloudTrail trail.
7. Validate the Multi-Region CloudTrail: Verify that the new multi-region trail has been created successfully by checking the "Trails" tab within the CloudTrail service. Ensure that the new trail is capturing and storing logs from multiple regions.
Necessary Codes
No specific code snippets are required for this rule, as it involves configuration steps within the AWS Management Console.
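The rule page itself supplies no code; the following is an added example (not from the page or the rule's own implementation) that evaluates an account the way the rule does. It assumes trail descriptions shaped like the CloudTrail DescribeTrails response (IsMultiRegionTrail, LogFileValidationEnabled, KmsKeyId, TrailARN) and logging status from GetTrailStatus (IsLogging); the account id and trail names in the sample data are constructed placeholders.

```python
# Added example (not from the rule page): evaluate DescribeTrails/GetTrailStatus
# output against "at least one multi-region trail present and logging".
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Finding:
    compliant: bool
    trail_name: Optional[str] = None
    warnings: list = field(default_factory=list)


def evaluate_trails(trails, status_by_arn):
    """trails mirrors DescribeTrails()['trailList']; status_by_arn maps
    TrailARN -> GetTrailStatus() response. Returns the first multi-region
    trail that is actively logging, with warnings for the optional
    hardening the remediation steps mention (validation, KMS encryption)."""
    for trail in trails:
        if not trail.get("IsMultiRegionTrail"):
            continue
        arn = trail.get("TrailARN", "")
        if not status_by_arn.get(arn, {}).get("IsLogging"):
            continue  # a trail that is not logging records nothing
        warnings = []
        if not trail.get("LogFileValidationEnabled"):
            warnings.append("log file validation disabled")
        if not trail.get("KmsKeyId"):
            warnings.append("log files not encrypted with a KMS key")
        return Finding(True, trail["Name"], warnings)
    return Finding(False, None, ["no logging multi-region trail found"])


# Constructed sample shaped like the API responses (placeholder account id).
REGIONAL_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/regional-only"
MULTI_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/Multi-Region-CloudTrail"
SAMPLE_TRAILS = [
    {"Name": "regional-only", "TrailARN": REGIONAL_ARN, "IsMultiRegionTrail": False},
    {"Name": "Multi-Region-CloudTrail", "TrailARN": MULTI_ARN,
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
]
SAMPLE_STATUS = {REGIONAL_ARN: {"IsLogging": True}, MULTI_ARN: {"IsLogging": True}}


def evaluate_live_account():
    """Run the same check against a real account with boto3 (needs credentials)."""
    import boto3  # imported here so the module loads without boto3 installed
    ct = boto3.client("cloudtrail")
    trails = ct.describe_trails(includeShadowTrails=True)["trailList"]
    status = {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    return evaluate_trails(trails, status)
```

DescribeTrails includes shadow trails from other regions by default, so a multi-region trail whose home region differs from the one you query still appears in the list.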
Step-by-Step Guide for Remediation
Follow the step-by-step guide below to remediate non-compliance with the GDPR requirement that at least one multi-region AWS CloudTrail be present in an account:
1. Navigate to the AWS Management Console and search for the "CloudTrail" service.
2. Click on the "Trails" tab within the CloudTrail service.
3. If there are no existing trails present, click on the "Create trail" button. If there are existing trails, select the trail that is not multi-region and then click on "Edit" to modify it.
4. Provide a name for the new trail (or update the existing trail name) that reflects its purpose, such as "Multi-Region-CloudTrail".
5. Select the Amazon S3 bucket where the CloudTrail logs will be stored. Ensure that the selected bucket is located in a different region than the one you are monitoring.
6. Enable the option for multi-region logging under the "Storage location" section.
7. Configure any additional settings required, such as log file encryption and log file validation.
8. Click on the "Create" or "Save" button to enable the CloudTrail trail with multi-region logging.
9. Verify the successful creation or modification of the multi-region CloudTrail by checking the "Trails" tab within the CloudTrail service. Ensure that the trail is capturing and storing logs from multiple regions.
By following these steps, you have remediated the non-compliance by creating or modifying a multi-region AWS CloudTrail in your AWS account to meet the GDPR requirement.