This rule checks that at least one AWS CloudTrail trail is enabled with security best practices.
Rule | At least one trail should be enabled with security best practices |
Framework | NIST 800-171 Revision 2 |
Severity | ✔ High |
Rule Description
This rule requires that at least one trail is enabled with security best practices for NIST 800-171 Revision 2. NIST 800-171 is a set of security guidelines established by the National Institute of Standards and Technology (NIST) to protect Controlled Unclassified Information (CUI) in non-federal information systems and organizations.
By enabling a trail with security best practices for NIST 800-171 Revision 2, organizations can ensure proper monitoring and auditability of activities within their systems, enhancing the overall security posture and compliance with regulatory requirements.
Troubleshooting Steps
If the rule is not being met, you can follow the troubleshooting steps below to identify and resolve the issue:
Check for Enabled Trails: Verify whether any trails are enabled in your environment. Use the AWS Command Line Interface (CLI) or AWS Management Console to view the list of trails.
Confirm NIST 800-171 Compliance: Ensure that the enabled trail(s) are configured to comply with the NIST 800-171 Revision 2 security practices. Review the specific requirements outlined in the NIST documentation to validate the compliance of your trails.
Enable a Trail with NIST 800-171 Best Practices: If no trail is currently enabled or none of the existing trails meet the NIST 800-171 security practices, you need to create or modify a trail to include these best practices. Follow the remediation steps outlined below.
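The checks in the troubleshooting steps above can be run offline against saved AWS CLI output. The following is an added example, not part of the original page. The page does not enumerate the criteria, so the ones used here are an assumption modelled on the AWS Config managed rule cloudtrail-security-trail-enabled; the function names, trail names and sample data are constructed.

```python
# Added example: evaluates saved CloudTrail CLI output offline.
# Criteria are an assumption (the page does not list them); they mirror the
# AWS Config managed rule cloudtrail-security-trail-enabled.

def trail_findings(trail, status, selectors):
    """Return the unmet criteria for one trail (empty list means it passes).
    trail: one item of `aws cloudtrail describe-trails` trailList
    status: output of `aws cloudtrail get-trail-status`
    selectors: output of `aws cloudtrail get-event-selectors`
    """
    findings = []
    if not status.get("IsLogging"):
        findings.append("logging is stopped")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("not a multi-region trail")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events not recorded")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation disabled")
    if not trail.get("KmsKeyId"):
        findings.append("logs not encrypted with a KMS key")
    # Basic event selectors only; a trail that uses AdvancedEventSelectors
    # is flagged here and needs manual review.
    full_mgmt = any(
        s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
        and not s.get("ExcludeManagementEventSources")
        for s in selectors.get("EventSelectors") or []
    )
    if not full_mgmt:
        findings.append("management events not fully recorded")
    return findings

def rule_passes(trails, statuses, selectors):
    """The rule is met when at least one trail has no findings."""
    return any(not trail_findings(t, statuses[t["TrailARN"]], selectors[t["TrailARN"]])
               for t in trails)

# Constructed sample data (placeholder account ID and names, not real output).
GOOD = "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-audit"
WEAK = "arn:aws:cloudtrail:us-east-1:111122223333:trail/dev-only"
TRAILS = [
    {"TrailARN": GOOD, "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
     "LogFileValidationEnabled": True, "KmsKeyId": "alias/example-trail-key"},
    {"TrailARN": WEAK, "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True,
     "LogFileValidationEnabled": False},
]
STATUSES = {GOOD: {"IsLogging": True}, WEAK: {"IsLogging": True}}
SELECTORS = {GOOD: {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
             WEAK: {"EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]}}
```

A trail with an empty findings list satisfies the assumed criteria; each entry in a non-empty list names a setting to correct on that trail.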
Remediation Steps
To meet the requirements of this rule, follow the step-by-step guide below for enabling a trail with NIST 800-171 best practices:
Open AWS Management Console: Log in to the AWS Management Console with appropriate credentials.
Navigate to CloudTrail: Click on the "Services" dropdown and select "CloudTrail" under "Management & Governance" or search for "CloudTrail" in the search bar.
Create a new trail or modify an existing trail: If you do not have any existing trails meeting NIST 800-171 best practices, click on the "Trails" tab and select "Create trail". Follow the on-screen instructions to configure the trail with the required settings.
Review and Enable the Trail: Review the trail settings, ensuring that they align with NIST 800-171 Revision 2 guidelines. Finally, click on "Create trail" or "Save" to enable the trail.
Periodic Monitoring: Regularly check the CloudTrail dashboard to monitor the generated logs and identify any notable events or anomalies.
After following these steps, you will have enabled a trail with security best practices for NIST 800-171 Revision 2 in your AWS environment. This helps ensure compliance and strengthens the overall security posture of your infrastructure.