
Rule: CloudTrail trails should be integrated with CloudWatch logs

This rule ensures integration of CloudTrail trails with CloudWatch logs for better monitoring.

Rule: CloudTrail trails should be integrated with CloudWatch logs
Framework: NIST 800-171 Revision 2
Severity: Critical

Rule Description

Delivering CloudTrail events to CloudWatch Logs supports the audit and accountability requirements of NIST 800-171 Revision 2 (the 3.3 family: creating, retaining, protecting and reviewing audit records); it does not by itself make an account compliant with the whole standard. CloudTrail records the API calls made in your AWS account (management events by default; data events and Insights events are opt-in), and CloudWatch Logs gives those records a central, searchable home where metric filters and alarms can raise alerts on suspicious activity in near real time instead of leaving it to be discovered later in the S3 log files.

Troubleshooting Steps

1. Verify CloudTrail Configuration

  • Check that at least one trail exists and that it is a multi-region trail; CloudTrail is enabled per trail, and a single-region trail misses activity in every other region.
  • Confirm the trail is actually logging (the trail status, or get-trail-status, reports IsLogging as true) rather than merely defined.

2. Check CloudWatch Logs Configuration

  • Confirm the log group for the trail exists in the trail's home region; CloudTrail only delivers to a log group in the same region as the trail.
  • Confirm the trail has both a log group and a delivery role configured (CloudWatchLogsLogGroupArn and CloudWatchLogsRoleArn in the describe-trails output); if either is empty, the integration is not enabled.

3. Verify IAM Permissions

  • Check that the delivery role's trust policy allows the cloudtrail.amazonaws.com service principal to assume it.
  • Check that the role's permissions allow logs:CreateLogStream and logs:PutLogEvents on the configured log group (CloudTrail creates log streams named <account-id>_CloudTrail_<region> inside it).
  • If delivery is failing, the trail status reports a CloudWatch Logs delivery error (LatestCloudWatchLogsDeliveryError); an access-denied message there points at the role.

4. Verify CloudWatch Logs Subscription (optional)

  • CloudTrail writes to the log group directly through the delivery role; no subscription filter is needed for this rule. Subscription filters only forward events from the log group onward (to Lambda, Kinesis Data Firehose or Amazon OpenSearch Service).
  • If you do rely on a subscription filter for downstream analysis, confirm it is attached to the CloudTrail log group and that the destination is receiving events.

5. Check CloudWatch Log Retention

  • Check the retention setting of the CloudTrail log group; new log groups default to "Never expire", so the setting should be chosen deliberately rather than inherited.
  • NIST 800-171 Revision 2 requires audit records to be retained but does not fix a number of days; set a retention period that matches your organization's policy, and keep in mind that the trail continues to write the durable copy of every event to S3 regardless of the CloudWatch Logs retention.
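The five troubleshooting checks above map directly onto fields of the CloudTrail describe-trails and get-trail-status responses, so they can be automated. The following is an added example, not code from the Cloud Defense page: it evaluates trails in the shape of the boto3 `describe_trails()` and `get_trail_status()` responses and returns a finding for each failed check. The sample trails, account ID and error text are constructed for the example; the one-day delivery window is the same one AWS Security Hub's CloudTrail.5 control applies.

```python
"""Evaluate CloudTrail trails for the CloudWatch Logs integration rule.

Added example (not from the Cloud Defense page).  ``trail`` dicts have the
shape of boto3 describe_trails()["trailList"] entries and ``status`` dicts the
shape of get_trail_status() responses; in real use fetch them with
boto3.client("cloudtrail").  The sample data at the bottom is constructed.
"""
from datetime import datetime, timedelta, timezone

# AWS Security Hub's CloudTrail.5 control fails a trail whose last CloudWatch
# Logs delivery is more than a day old; reuse that window here.
MAX_DELIVERY_AGE = timedelta(days=1)


def evaluate_trail(trail: dict, status: dict, now: datetime) -> list[str]:
    """Return a list of findings for one trail; an empty list means it passes."""
    findings = []
    name = trail.get("Name", "<unnamed>")

    # Check 1: trail configuration (multi-region and actually logging).
    if not trail.get("IsMultiRegionTrail"):
        findings.append(f"{name}: single-region trail; activity in other regions is not captured")
    if not status.get("IsLogging"):
        findings.append(f"{name}: trail exists but logging is stopped")

    # Check 2: the integration itself (log group + delivery role on the trail).
    log_group = trail.get("CloudWatchLogsLogGroupArn") or ""
    role = trail.get("CloudWatchLogsRoleArn") or ""
    if not log_group:
        findings.append(f"{name}: no CloudWatch Logs log group configured (CloudWatchLogsLogGroupArn empty)")
        return findings  # delivery checks are meaningless without a log group
    if not role:
        findings.append(f"{name}: log group set but no delivery role (CloudWatchLogsRoleArn empty)")

    # Check 3: IAM problems surface as a delivery error in the trail status.
    err = status.get("LatestCloudWatchLogsDeliveryError")
    if err:
        findings.append(f"{name}: last CloudWatch Logs delivery failed: {err}")

    # Freshness: a configured integration that stopped delivering still fails.
    last = status.get("LatestCloudWatchLogsDeliveryTime")
    if last is None:
        findings.append(f"{name}: no CloudWatch Logs delivery has ever succeeded")
    elif now - last > MAX_DELIVERY_AGE:
        findings.append(f"{name}: last CloudWatch Logs delivery was {now - last} ago")
    return findings


def evaluate_account(trails: list, statuses: dict, now: datetime) -> dict:
    """Map trail name -> findings; an account with no trail at all is a failure too."""
    if not trails:
        return {"<account>": ["no CloudTrail trail exists"]}
    return {t["Name"]: evaluate_trail(t, statuses[t["Name"]], now) for t in trails}


# Constructed sample data (fictitious account 123456789012, not real output).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_TRAILS = [
    {"Name": "org-main-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*",
     "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role"},
    {"Name": "legacy-regional-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False},
    {"Name": "broken-role-trail", "HomeRegion": "us-west-2", "IsMultiRegionTrail": True,
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-west-2:123456789012:log-group:CloudTrail/West:*",
     "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/DeletedRole"},
]
SAMPLE_STATUS = {
    "org-main-trail": {"IsLogging": True,
                       "LatestCloudWatchLogsDeliveryTime": NOW - timedelta(minutes=10)},
    "legacy-regional-trail": {"IsLogging": True},
    "broken-role-trail": {"IsLogging": True,
                          "LatestCloudWatchLogsDeliveryError": "AccessDenied: role cannot be assumed",
                          "LatestCloudWatchLogsDeliveryTime": NOW - timedelta(days=3)},
}

if __name__ == "__main__":
    for trail_name, findings in evaluate_account(SAMPLE_TRAILS, SAMPLE_STATUS, NOW).items():
        print(trail_name, "PASS" if not findings else "FAIL")
        for f in findings:
            print("  -", f)
```

Against a real account, call `describe_trails(includeShadowTrails=False)` once in any region and `get_trail_status(Name=trail["TrailARN"])` for each trail from its home region, then pass `datetime.now(timezone.utc)` as `now`; boto3 returns the delivery time as a timezone-aware datetime, which is what the age comparison expects.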

Necessary Code

No code is required: the integration is a trail setting and can be enabled entirely from the console, as described below. The same configuration can equally be applied with the AWS CLI, an SDK, or infrastructure-as-code, which is the better choice when many accounts or trails must be brought into line.

Step-by-Step Guide for Remediation

  1. Sign in to the AWS Management Console and open the CloudTrail service.

  2. Review the existing trails and their status. If no trail exists, create one and make it a multi-region trail so that a single trail captures activity in every region.

  3. For each trail that should satisfy this rule, open the trail and choose "Edit".

  4. In the "CloudWatch Logs" section, select "Enabled".

  5. Under "Log group", choose "New" to let the console create a log group or "Existing" to select one. CloudTrail delivers to a log group in the trail's home region.

  6. Under "IAM Role", choose "New" to have the console create a delivery role (the default name is CloudTrail_CloudWatchLogs_Role) or select an existing role that CloudTrail is allowed to assume, then choose "Save changes".

  7. Open IAM from the services menu, choose "Roles", and open the role selected in step 6.

  8. Verify that the role's trust policy allows the cloudtrail.amazonaws.com service principal to assume it, and that its permissions (the inline policy the console generated, or your own policy) allow logs:CreateLogStream and logs:PutLogEvents on the log group from step 5.

  9. If either policy is missing or too narrow, add or correct it; without these permissions the trail saves but reports a CloudWatch Logs delivery error.

  10. Open CloudWatch from the services menu, choose "Logs" and then "Log groups", and locate the log group from step 5. If you chose "Existing" and the group does not yet exist, create it in the trail's home region before saving the trail.

  11. Set the log group's retention. New log groups default to "Never expire"; choose a retention period that meets your organization's audit record retention policy under NIST 800-171 Revision 2, keeping in mind that the trail continues to write the durable copy of every event to S3.

  12. Optionally, to forward events to another system, open the log group, choose "Actions" and then "Subscription filters", and create a filter to AWS Lambda, Kinesis Data Firehose or Amazon OpenSearch Service. This is not required for the rule: CloudTrail writes to the log group directly.

  13. Verify delivery. Within a few minutes a log stream named <account-id>_CloudTrail_<region> should appear in the log group and receive events, and the trail's status in CloudTrail should show no CloudWatch Logs delivery error.

By following these steps you integrate CloudTrail with CloudWatch Logs in support of NIST 800-171 Revision 2. The rule is satisfied once every trail has a log group and delivery role configured and is actually delivering events.
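The console procedure above can be scripted for accounts where it must be repeated. The following is an added example (not code from the Cloud Defense page): it performs steps 5 through 11 with the AWS SDK, creating the log group with a retention policy, creating a delivery role whose permissions are scoped to CloudTrail's own log streams in that one log group, and then attaching both to the trail. The clients are passed in so the function can run offline against recording fakes; in production pass `boto3.client("logs")`, `boto3.client("iam")` and `boto3.client("cloudtrail")` created in the trail's home region. The log group name, role name, policy name, retention and account ID are assumptions chosen for the example, and the policy assumes a single-account (non-organization) trail.

```python
"""Apply the CloudTrail -> CloudWatch Logs remediation with the AWS SDK.

Added example (not from the Cloud Defense page).  The boto3 client methods
used (describe_log_groups, create_log_group, put_retention_policy,
create_role, put_role_policy, update_trail) and their keyword arguments are
the real ones; the clients are injected so demo() can run offline.
"""
import json


def build_trust_policy() -> dict:
    """Trust policy letting the CloudTrail service assume the delivery role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def build_delivery_policy(region: str, account_id: str, log_group_name: str) -> dict:
    """Least-privilege permissions: CloudTrail only needs to create log streams
    named <account-id>_CloudTrail_<region> inside this one log group and put
    events into them.  The trailing wildcard covers whichever region suffix
    CloudTrail uses for the stream (assumption: single-account trail)."""
    stream_arn = (f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}"
                  f":log-stream:{account_id}_CloudTrail_*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "CloudTrailCreateLogStream", "Effect": "Allow",
             "Action": ["logs:CreateLogStream"], "Resource": stream_arn},
            {"Sid": "CloudTrailPutLogEvents", "Effect": "Allow",
             "Action": ["logs:PutLogEvents"], "Resource": stream_arn},
        ],
    }


def remediate_trail(trail_name, region, account_id, log_group_name, role_name,
                    retention_days, logs, iam, cloudtrail) -> dict:
    """Create the log group (if missing) with a retention policy, create the
    delivery role, then point the trail at both.  Returns the update_trail
    parameters so the caller can log or assert on them."""
    existing = logs.describe_log_groups(logGroupNamePrefix=log_group_name)["logGroups"]
    if not any(g["logGroupName"] == log_group_name for g in existing):
        logs.create_log_group(logGroupName=log_group_name)
    # New log groups default to "Never expire"; set retention deliberately.
    logs.put_retention_policy(logGroupName=log_group_name, retentionInDays=retention_days)
    log_group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}:*"

    role = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(build_trust_policy()),
        Description="Lets CloudTrail deliver events to CloudWatch Logs",
    )
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName="CloudTrailToCloudWatchLogs",  # policy name is an example choice
        PolicyDocument=json.dumps(build_delivery_policy(region, account_id, log_group_name)),
    )

    params = {
        "Name": trail_name,
        "CloudWatchLogsLogGroupArn": log_group_arn,
        "CloudWatchLogsRoleArn": role["Role"]["Arn"],
    }
    # IAM is eventually consistent: against real AWS, retry this call if it
    # raises InvalidCloudWatchLogsRoleArnException right after role creation.
    cloudtrail.update_trail(**params)
    return params


class _RecordingClient:
    """Offline stand-in for a boto3 client used by demo(): records each call
    and returns canned responses keyed by operation name."""
    def __init__(self, canned=None):
        self.calls = []
        self.canned = canned or {}

    def __getattr__(self, op):
        def call(**kwargs):
            self.calls.append((op, kwargs))
            return self.canned.get(op, {})
        return call


def demo() -> dict:
    """Run the remediation against recording fakes (constructed IDs, not a real account)."""
    logs = _RecordingClient({"describe_log_groups": {"logGroups": []}})
    iam = _RecordingClient({"create_role": {"Role": {
        "Arn": "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role"}}})
    cloudtrail = _RecordingClient()
    params = remediate_trail("org-main-trail", "us-east-1", "123456789012",
                             "CloudTrail/DefaultLogGroup", "CloudTrail_CloudWatchLogs_Role",
                             365, logs, iam, cloudtrail)
    return {"params": params,
            "logs_ops": [op for op, _ in logs.calls],
            "iam_ops": [op for op, _ in iam.calls],
            "cloudtrail_ops": [op for op, _ in cloudtrail.calls]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With real clients, `create_role` raises `EntityAlreadyExistsException` if the role exists, so look the role up first when re-running; `update_trail` must be called in the trail's home region, and the delivery policy should be widened only if the trail is an organization trail, whose member-account streams are named after each member account rather than the management account.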
