
Ensure CloudTrail Trails are Integrated with CloudWatch Logs Rule

This rule ensures that CloudTrail trails are properly integrated with CloudWatch logs for monitoring and auditing purposes.

Rule: CloudTrail trails should be integrated with CloudWatch logs
Framework: HIPAA
Severity: Critical

CloudTrail Integration with CloudWatch Logs for HIPAA Compliance

Integrating AWS CloudTrail with AWS CloudWatch Logs is essential for monitoring, analyzing, and retaining account activity related to actions across your AWS infrastructure, which is particularly crucial for maintaining HIPAA (Health Insurance Portability and Accountability Act) compliance.

Why Integrate CloudTrail with CloudWatch Logs for HIPAA?

HIPAA requires covered entities to have audit controls in place. Integration allows for real-time monitoring and alerting on specific events, which supports HIPAA's requirement for regular review of logs for unauthorized activities.

Prerequisites

  • AWS CloudTrail enabled in your AWS account
  • An existing CloudWatch Logs log group
  • Suitable IAM permissions to create and manage CloudTrail and CloudWatch Logs

Detailed Steps for Integration

Step 1: Creating a Trail in CloudTrail

  1. Go to the CloudTrail console.
  2. Click on 'Trails' and then 'Create trail'.
  3. Name the trail and set it to apply to all regions for comprehensive coverage.
  4. Ensure the trail is set to log management events for both read and write API activity.

Step 2: Configuring CloudWatch Logs Integration

  1. In the same 'Create trail' interface, go to the 'Storage location' section.
  2. Click on 'Configure' next to 'CloudWatch Logs'.
  3. Choose an existing log group or create a new one.
  4. Assign an IAM role, or create a new one, that gives CloudTrail permission to deliver events to CloudWatch Logs.

Step 3: Creating a New Log Group (if necessary)

  1. Go to the CloudWatch console.
  2. Navigate to 'Logs' and click 'Create log group'.
  3. Name the log group following a naming convention that reflects its purpose (e.g., CloudTrailHIPAACompliance).

Step 4: Set Retention Policy for CloudWatch Logs Group

  1. After the log group is created, click on the newly created log group.
  2. Choose 'Edit' in the Retention setting, and pick a retention period that aligns with HIPAA requirements (e.g., 6 years).

Troubleshooting Integration Issues

  • If trails are not logging to CloudWatch Logs, verify the IAM role and policy associated with CloudTrail to ensure it has the necessary permissions.
  • If logs are not visible in CloudWatch Logs, check the trails' configuration to ensure the correct log group is selected.
  • Ensure that no resource-based policies or encryption settings are preventing log data from being sent to CloudWatch Logs.
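The steps above and the troubleshooting checks can be verified programmatically. The following is an added example, not Cloud Defense's or AWS's own code: it evaluates trail data in the shape returned by the CloudTrail DescribeTrails and GetTrailStatus API calls (field names CloudWatchLogsLogGroupArn, CloudWatchLogsRoleArn, IsMultiRegionTrail, IsLogging and LatestCloudWatchLogsDeliveryError are the real API fields; the trail records, account ID and names are constructed samples, so it runs offline).

```python
"""Check CloudTrail trails against the 'integrated with CloudWatch Logs' rule.

The sample data below is constructed to mirror DescribeTrails / GetTrailStatus
output; in practice you would feed in the responses from boto3 or the AWS CLI.
"""
from dataclasses import dataclass, field

# Constructed sample: entries of the trailList returned by DescribeTrails.
SAMPLE_TRAILS = [
    {
        "Name": "org-trail",
        "IsMultiRegionTrail": True,
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrailHIPAACompliance:*",
        "CloudWatchLogsRoleArn": "arn:aws:iam::111122223333:role/CloudTrail_CloudWatchLogs_Role",
    },
    {
        "Name": "legacy-trail",
        "IsMultiRegionTrail": False,
        # No CloudWatchLogs* keys: this trail delivers to S3 only.
    },
]

# Constructed sample: GetTrailStatus output keyed by trail name.
SAMPLE_STATUS = {
    "org-trail": {"IsLogging": True, "LatestCloudWatchLogsDeliveryError": ""},
    "legacy-trail": {"IsLogging": True},
}


@dataclass
class Finding:
    trail: str
    compliant: bool
    reasons: list = field(default_factory=list)


def evaluate_trail(trail: dict, status: dict) -> Finding:
    """Return a Finding for one trail; reasons lists every failed check."""
    reasons = []
    if not trail.get("CloudWatchLogsLogGroupArn"):
        reasons.append("no CloudWatch Logs log group configured")
    if not trail.get("CloudWatchLogsRoleArn"):
        reasons.append("no IAM role for CloudWatch Logs delivery")
    if not trail.get("IsMultiRegionTrail"):
        reasons.append("trail does not cover all regions")
    if not status.get("IsLogging"):
        reasons.append("trail is not currently logging")
    if status.get("LatestCloudWatchLogsDeliveryError"):
        # Surfaces the IAM/permission problems the troubleshooting section describes.
        reasons.append("last CloudWatch Logs delivery failed: " + status["LatestCloudWatchLogsDeliveryError"])
    return Finding(trail["Name"], not reasons, reasons)


def evaluate_account(trails: list, statuses: dict) -> list:
    """Evaluate every trail; a trail with no status record is treated as not logging."""
    return [evaluate_trail(t, statuses.get(t["Name"], {})) for t in trails]


if __name__ == "__main__":
    for f in evaluate_account(SAMPLE_TRAILS, SAMPLE_STATUS):
        print(f"{f.trail}: {'PASS' if f.compliant else 'FAIL'} {'; '.join(f.reasons)}")
```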

Necessary IAM Policy

Below is a sample JSON policy that grants CloudTrail permission to write logs to CloudWatch Logs:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailCreateLogStream",
      "Effect": "Allow",
      "Action": "logs:CreateLogStream",
      "Resource": "arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME:*"
    },
    {
      "Sid": "AWSCloudTrailPutLogEvents",
      "Effect": "Allow",
      "Action": "logs:PutLogEvents",
      "Resource": "arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME:*:log-stream:*"
    }
  ]
}

Replace REGION, ACCOUNT_ID, and LOG_GROUP_NAME with your specific details.

Finalizing HIPAA Compliance

It’s imperative to implement continuous monitoring and establish alerts for anomalous activities using metric filters and alarms in CloudWatch.

To establish HIPAA compliance:

  1. Define metric filters to extract and monitor specific events from the log data.
  2. Set up CloudWatch alarms to notify you when certain threshold conditions are met.

Ensuring that CloudTrail and CloudWatch Logs are properly integrated and configured helps maintain HIPAA compliance by securing PHI (Protected Health Information), proactively identifying and responding to security incidents, and maintaining necessary access logs.

This guide provides an overview and concise steps for integrating CloudTrail with CloudWatch Logs for HIPAA compliance. Always consult the latest AWS documentation and HIPAA guidelines when implementing compliance measures to ensure all requirements are met.
