
Rule: CloudTrail trails should be integrated with CloudWatch logs

This rule ensures CloudTrail trails are integrated with CloudWatch logs.

Rule: CloudTrail trails should be integrated with CloudWatch logs
Framework: NIST 800-171 Revision 2
Severity: Critical

Rule Description:

CloudTrail trails should be integrated with CloudWatch logs to maintain compliance with the NIST 800-171 Revision 2 security standard. This integration helps to improve visibility and monitor any suspicious activities or unauthorized access to AWS resources. By enabling this integration, organizations can meet the requirements for auditing and logging outlined in the NIST 800-171 security framework.

Troubleshooting Steps:

If there are any issues with integrating CloudTrail trails with CloudWatch logs, follow these troubleshooting steps:

  1. Verify CloudTrail and CloudWatch Logs are both enabled in the AWS Management Console.
  2. Ensure that the CloudTrail trail and CloudWatch log group are in the same AWS region.
  3. Confirm that the IAM role associated with the CloudTrail trail has the necessary permissions to write logs to the CloudWatch log group.
  4. Check the CloudTrail and CloudWatch Logs configuration for any misconfigurations or errors.
  5. Review the CloudTrail and CloudWatch logs for any error messages or warnings that could indicate issues with the integration.
  6. If the issue persists, consult AWS support or the AWS community forums for further assistance.

Necessary Codes:

The following AWS CLI command enables delivery of a trail's events to a CloudWatch Logs log group. The update-trail call takes two related options: the ARN of the log group and the ARN of an IAM role that CloudTrail assumes in order to write to that group.

    aws cloudtrail update-trail --name <trail-name> --cloud-watch-logs-log-group-arn <log-group-arn> --cloud-watch-logs-role-arn <role-arn>

Replace <trail-name> with the name of the CloudTrail trail you want to integrate, <log-group-arn> with the ARN (Amazon Resource Name) of the CloudWatch log group where you want to store the logs, and <role-arn> with the ARN of an IAM role that CloudTrail can assume and that grants the logs:CreateLogStream and logs:PutLogEvents permissions on that log group.

Step-by-Step Guide for Remediation:

Follow these steps to enable CloudTrail integration with CloudWatch Logs for NIST 800-171 Revision 2 compliance:

  1. Log in to the AWS Management Console.
  2. Open the CloudTrail service.
  3. Select the CloudTrail trail that needs to be integrated with CloudWatch Logs.
  4. Click on the "Actions" dropdown and choose "Edit trail" to modify the trail settings.
  5. In the "Storage location" section, check if CloudWatch logs are already enabled. If not, enable it by selecting the checkbox.
  6. In the "Log group ARN" field, enter the ARN of the CloudWatch log group where you want to store the CloudTrail logs.
  7. Click on "Save" to update the trail settings.
  8. Verify that the integration is successful by reviewing the CloudWatch log group associated with the CloudTrail trail.
  9. Monitor the CloudWatch Logs for any suspicious activities or unauthorized access to AWS resources.
  10. Ensure that the CloudTrail trail remains configured to send logs to the CloudWatch log group for continuous compliance with NIST 800-171 Revision 2.

Note: The above steps assume that you have already set up a CloudWatch log group. If not, create a log group before enabling CloudTrail integration.

Remember to regularly review the logs and ensure proper retention and data protection measures are in place as per your organization's security policies.

By following these steps, you can successfully integrate CloudTrail trails with CloudWatch Logs to meet the logging and auditing requirements of the NIST 800-171 Revision 2 security standard.
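As an added example (not code from Cloud Defense or AWS), the following Python script applies this rule's check, together with the same-region check from the troubleshooting steps, to the JSON that aws cloudtrail describe-trails returns, and prints the update-trail command from the "Necessary Codes" section for every failing trail. The three sample trails, the account id 123456789012 and the role name are constructed for illustration; the script reads real output only when run with --stdin.

```python
"""Offline audit of `aws cloudtrail describe-trails` output against the rule above.

Added example for this page; not Cloud Defense's or AWS's code.
Usage: aws cloudtrail describe-trails | python audit_trails.py --stdin
"""
import json
import re
import sys
from typing import Dict, List

# Shape of a CloudWatch Logs log group ARN as stored on a trail
# (CloudTrail appends ":*" to the ARN it returns).
LOG_GROUP_ARN = re.compile(
    r"^arn:(aws|aws-us-gov|aws-cn):logs:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":log-group:(?P<name>[^:]+)(:\*)?$"
)
# Shape of the IAM role ARN CloudTrail assumes to write to the log group.
ROLE_ARN = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):iam::\d{12}:role/.+$")


def evaluate_trail(trail: Dict) -> List[str]:
    """Return the findings for one trail; an empty list means compliant."""
    findings: List[str] = []
    group_arn = trail.get("CloudWatchLogsLogGroupArn")
    role_arn = trail.get("CloudWatchLogsRoleArn")

    if not group_arn:
        findings.append("no CloudWatch Logs log group configured")
    else:
        match = LOG_GROUP_ARN.match(group_arn)
        if not match:
            findings.append(f"malformed log group ARN: {group_arn}")
        elif match.group("region") != trail.get("HomeRegion"):
            # Troubleshooting step 2: the log group must be in the trail's region.
            findings.append(
                f"log group region {match.group('region')} differs from "
                f"trail home region {trail.get('HomeRegion')}"
            )

    if not role_arn:
        findings.append("no CloudWatch Logs delivery role configured")
    elif not ROLE_ARN.match(role_arn):
        findings.append(f"malformed delivery role ARN: {role_arn}")
    return findings


def evaluate_trails(describe_trails_json: str) -> Dict[str, List[str]]:
    """Map each trail name in describe-trails output to its findings."""
    data = json.loads(describe_trails_json)
    return {t["Name"]: evaluate_trail(t) for t in data.get("trailList", [])}


def remediation_command(trail_name: str, log_group_arn: str, role_arn: str) -> str:
    """Build the update-trail command shown under 'Necessary Codes'."""
    return (
        f"aws cloudtrail update-trail --name {trail_name} "
        f"--cloud-watch-logs-log-group-arn {log_group_arn} "
        f"--cloud-watch-logs-role-arn {role_arn}"
    )


# Constructed sample: three trails in the fictitious account 123456789012.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {   # compliant: log group and role set, log group in the home region
            "Name": "org-trail",
            "HomeRegion": "us-east-1",
            "IsMultiRegionTrail": True,
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/org-trail:*",
            "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role",
        },
        {   # non-compliant: never integrated with CloudWatch Logs
            "Name": "legacy-trail",
            "HomeRegion": "us-east-1",
            "IsMultiRegionTrail": False,
        },
        {   # non-compliant: log group lives in a different region than the trail
            "Name": "cross-region-trail",
            "HomeRegion": "eu-west-1",
            "IsMultiRegionTrail": False,
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/eu:*",
            "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role",
        },
    ]
})


if __name__ == "__main__":
    raw = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_DESCRIBE_TRAILS
    for name, findings in evaluate_trails(raw).items():
        print(f"{'PASS' if not findings else 'FAIL'} {name}")
        for finding in findings:
            print(f"  - {finding}")
        if findings:
            # Placeholders left for the operator to fill in with real ARNs.
            print("  remediate: " + remediation_command(name, "<log-group-arn>", "<role-arn>"))
```

The region comparison uses the trail's HomeRegion because that is the region a multi-region trail's CloudWatch Logs delivery is bound to; a trail that passes every check here still needs the role's policy verified separately (troubleshooting step 3), since describe-trails does not return it.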
