Rule: CloudTrail trails should be integrated with CloudWatch logs

Rule Description:

Rule Details:

2. 1.

   Enable CloudTrail service:

   • Open the AWS Management Console and navigate to the CloudTrail service.
   • Click on "Trails" in the left navigation pane.
   • Choose an existing trail or create a new one.
   • Ensure that the trail is configured to record all desired regions and resources.
   • Enable the trail if not already enabled.
4. 2.

   Create a CloudWatch log group:

   • Open the AWS Management Console and navigate to the CloudWatch service.
   • Click on "Log groups" in the left navigation pane.
   • Create a new log group with an appropriate name and retention settings.
   • Ensure the log group conforms to the GxP 21 CFR Part 11 requirements.
6. 3.

   Configure CloudTrail log delivery to CloudWatch logs:

   • Go back to the CloudTrail service in the AWS Management Console.
   • Click on "Trails" in the left navigation pane.
   • Click on the desired trail to navigate to its configuration page.
   • Scroll down to the "CloudWatch Logs" section.
   • Select the log group created in Step 2 from the dropdown menu.
   • Save the changes.
8. 4.

   Verify CloudTrail and CloudWatch log integration:

   • Go back to the CloudTrail service in the AWS Management Console.
   • Click on "Events" in the left navigation pane.
   • Select the desired trail from the list.
   • Wait for a few minutes for events to be recorded and delivered to the log group.
   • Open the CloudWatch service in the AWS Management Console.
   • Click on "Log groups" in the left navigation pane.
   • Locate the log group created in Step 2 and click on its name.
   • Verify that the CloudTrail logs are present and accessible.

Troubleshooting Steps:

2. 1.

   Ensure proper access permissions: Make sure the IAM role used by CloudTrail has the necessary permissions to deliver logs to CloudWatch logs.

4. 2.

   Verify log group settings: Double-check the log group configuration, including the retention period, log stream names, and any applicable filters.

6. 3.

   Check trail configuration: Review the CloudTrail trail settings and confirm that the correct log group is selected for log delivery.

8. 4.

   Verify CloudWatch log access: Ensure that the IAM role used by CloudWatch logs has access permissions to write logs to the specified log group.

10. 5.

    Examine CloudTrail events: Check if there are any errors or warnings in the CloudTrail event history that indicate issues with log delivery.

12. 6.

    Check CloudWatch log group capacity: If the log group has reached its capacity limit, consider increasing the retention period or deleting older logs to make room for new logs.

14. 7.

    Monitor CloudTrail and CloudWatch service health: Stay updated with any service notifications or disruptions that might affect log integration.

Necessary Codes:

Remediation Steps:

2. 1.

   Identify the cause: Review the troubleshooting steps outlined above to identify the specific issue affecting the CloudTrail and CloudWatch log integration.

4. 2.

   Address access permissions: If access permissions are incorrect, modify the IAM roles associated with CloudTrail and CloudWatch to ensure they have the necessary permissions for log delivery.

6. 3.

   Adjust log group settings: If the log group configuration needs adjustment, modify the log group's retention period, filters, or other settings as required.

8. 4.

   Verify and reconfigure trail: Double-check the CloudTrail trail configuration to confirm that the correct log group is selected for log delivery. Update the trail's settings if necessary.

10. 5.

    Monitor for compliance: Regularly check the CloudWatch logs to ensure that CloudTrail events are being delivered properly and that the logs meet the GxP 21 CFR Part 11 compliance requirements.