Rule: At Least One Enabled Trail in a Region

This rule ensures the presence of at least one enabled trail in a specific region.

Rule: At least one enabled trail should be present in a region
Framework: NIST 800-171 Revision 2
Severity: Low

Rule Description:

This rule ensures that there is at least one enabled trail present in a specified region, as required for compliance with the NIST 800-171 Revision 2 security framework. NIST 800-171 Revision 2 provides guidelines for protecting the confidentiality of Controlled Unclassified Information (CUI) stored in nonfederal systems.

Troubleshooting Steps:

  1. Check CloudTrail service: Verify that CloudTrail is enabled in your AWS account for the target region.
  2. Confirm trail configuration: Check the configuration settings for your CloudTrail trails in the specified region and ensure that at least one trail is enabled.
  3. Review CloudTrail logs: If trails are present but none are enabled, review the CloudTrail logs to identify any issues or errors preventing trail enablement.
  4. Verify IAM user permissions: Ensure that the IAM user used to enable the trail has sufficient permissions to access the CloudTrail service and modify trail settings.
  5. Check for resource limitations: Verify that you have not reached any resource limitations that may inhibit trail creation or enablement.

Necessary Code:

No code required for this particular rule.

Remediation:

To ensure compliance with the rule and meet the requirements of NIST 800-171 Revision 2, follow these steps:

  1. Log in to the AWS Management Console: Access the AWS Management Console using the appropriate credentials.
  2. Open the CloudTrail service: Navigate to the CloudTrail service by searching for it in the services menu.
  3. Choose the target region: Ensure that you are in the correct region for which the rule applies by selecting it from the region selector in the top right corner.
  4. Verify existing trails: In the CloudTrail dashboard, review the list of existing trails displayed. If there are no trails or only disabled trails, continue to the next step.
  5. Create a new trail: Click on the "Create Trail" button to create a new trail.
  6. Specify settings for the trail:
     a. Trail name: Provide an appropriate name for the trail, such as "ComplianceTrail".
     b. Apply trail to all regions: Choose whether the trail should apply to all regions or only the current region.
     c. Management events: Select the events you want to log for management operations.
     d. Data events: Choose the S3 buckets and Lambda functions for which you want to log data events.
  7. Enable the trail: Ensure that the "Enable log file validation" checkbox is checked, indicating that the trail will be enabled upon creation.
  8. Specify the storage location: Choose the appropriate Amazon S3 bucket to store the CloudTrail logs. You can create a new bucket or select an existing one.
  9. Configure advanced settings: If necessary, configure advanced settings such as KMS encryption, CloudWatch Logs integration, or tags for the trail.
  10. Review and create the trail: Double-check all the settings and configurations for the trail. Once satisfied, click on the "Create" button to create the trail.
  11. Verify trail status: After a few minutes, revisit the CloudTrail dashboard and verify that the newly created trail is now enabled and its status is active.
  12. Repeat if necessary: If you have multiple regions that require compliance with NIST 800-171 Revision 2, repeat the above steps for each respective region.

CLI Command:

No CLI commands are necessary for this particular rule.
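The console steps above can be checked and remediated programmatically. The following is an added example, not Cloud Defense's own code; it covers both the troubleshooting check (is any trail actually logging for this region?) and the remediation (create a trail and start logging). The rule evaluation is pure Python and runs offline against constructed sample data; the `collect_trails` and `remediate` helpers are assumptions that use boto3's CloudTrail API (`describe_trails`, `get_trail_status`, `create_trail`, `start_logging`) and need credentials with the matching `cloudtrail:*` permissions. The bucket name is a placeholder, and the bucket must already carry a policy that lets CloudTrail write to it or `create_trail` fails. Two points the console hides: a multi-region trail whose home region is elsewhere still satisfies the rule for this region, and a trail that exists but has logging stopped (`IsLogging` false) does not.

```python
"""Evaluate and remediate 'at least one enabled trail in a region' (added example)."""
from __future__ import annotations

from typing import Callable, Iterable


def enabled_trails_in_region(trails: Iterable[dict], is_logging: Callable[[str], bool],
                             region: str) -> list[str]:
    """Return the names of trails that deliver logs for `region` and are logging.

    `trails` is the `trailList` shape returned by CloudTrail DescribeTrails;
    `is_logging` maps a trail ARN to the `IsLogging` flag from GetTrailStatus.
    A trail counts only if it covers this region (home region is this one, or it
    is a multi-region trail) AND logging is currently on.
    """
    enabled = []
    for trail in trails:
        covers_region = (trail.get("HomeRegion") == region
                         or trail.get("IsMultiRegionTrail", False))
        if covers_region and is_logging(trail["TrailARN"]):
            enabled.append(trail["Name"])
    return enabled


def region_is_compliant(trails: Iterable[dict], is_logging: Callable[[str], bool],
                        region: str) -> bool:
    return len(enabled_trails_in_region(trails, is_logging, region)) > 0


# --- live AWS helpers (assumed boto3 usage; not exercised by the offline demo) ---

def collect_trails(region: str):
    """Fetch trails visible in `region`, including shadow copies of multi-region trails."""
    import boto3  # imported lazily so the pure check runs without boto3 installed
    ct = boto3.client("cloudtrail", region_name=region)
    trails = ct.describe_trails(includeShadowTrails=True)["trailList"]

    def is_logging(arn: str) -> bool:
        # Query by ARN so shadow trails from other home regions resolve correctly
        return ct.get_trail_status(Name=arn)["IsLogging"]

    return trails, is_logging


def remediate(region: str, bucket: str, name: str = "ComplianceTrail") -> bool:
    """Create a validated multi-region trail and start logging; returns IsLogging."""
    import boto3
    ct = boto3.client("cloudtrail", region_name=region)
    ct.create_trail(Name=name, S3BucketName=bucket, IsMultiRegionTrail=True,
                    EnableLogFileValidation=True)
    ct.start_logging(Name=name)  # CreateTrail alone does not turn logging on
    return ct.get_trail_status(Name=name)["IsLogging"]


# --- constructed sample data mirroring DescribeTrails / GetTrailStatus output ---
ACCOUNT = "123456789012"  # placeholder account id
SAMPLE_TRAILS = [
    {"Name": "legacy-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False,
     "TrailARN": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/legacy-trail"},
    {"Name": "org-trail", "HomeRegion": "us-west-2", "IsMultiRegionTrail": True,
     "TrailARN": f"arn:aws:cloudtrail:us-west-2:{ACCOUNT}:trail/org-trail"},
    {"Name": "stopped-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False,
     "TrailARN": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/stopped-trail"},
]
# Only the multi-region org trail is logging; both regional trails are stopped.
STATUS_ORG_LOGGING = {
    SAMPLE_TRAILS[0]["TrailARN"]: False,
    SAMPLE_TRAILS[1]["TrailARN"]: True,
    SAMPLE_TRAILS[2]["TrailARN"]: False,
}
# Same trails, but logging stopped everywhere: trails exist yet none is enabled.
STATUS_ALL_STOPPED = {arn: False for arn in STATUS_ORG_LOGGING}


if __name__ == "__main__":
    for label, status in (("org trail logging", STATUS_ORG_LOGGING),
                          ("all stopped", STATUS_ALL_STOPPED)):
        ok = region_is_compliant(SAMPLE_TRAILS, status.__getitem__, "us-east-1")
        print(f"us-east-1 [{label}]: {'COMPLIANT' if ok else 'NON-COMPLIANT'}")
    # Live usage (uncomment with credentials):
    # trails, is_logging = collect_trails("us-east-1")
    # if not region_is_compliant(trails, is_logging, "us-east-1"):
    #     remediate("us-east-1", bucket="PLACEHOLDER-cloudtrail-bucket")
```

Running the demo prints COMPLIANT for the first status table (the multi-region trail covers us-east-1 even though its home region is us-west-2) and NON-COMPLIANT for the second, which is the "trails present but none enabled" case from troubleshooting step 3.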
