This rule ensures that at least one trail is enabled with security best practices, promoting system and communications protection.
| | |
|---|---|
| Rule | At least one trail should be enabled with security best practices |
| Framework | NIST 800-171 Revision 2 |
| Severity | High |
Rule Description:
This rule requires that at least one CloudTrail trail in the account is enabled and configured with security best practices, as expected for NIST 800-171 Revision 2 compliance. NIST (National Institute of Standards and Technology) 800-171 defines the security requirements that non-federal organizations must meet to protect controlled unclassified information (CUI). A trail that is actively logging, covers all regions and global services, validates the integrity of its log files, and encrypts them at rest ensures that API activity in the account is recorded, so that potential security incidents or unauthorized access to CUI can be monitored, audited, and investigated.
Troubleshooting steps:
If the trail is not enabled, follow these troubleshooting steps:
Verify your permissions: Ensure that you have the IAM (Identity and Access Management) permissions needed to list, create, and modify trails (for example, permissions for the CloudTrail actions that describe, create, update, and start logging on a trail), as well as access to the S3 bucket and any KMS key the trail will use.
Check existing trails: Determine if there are any existing trails that are not enabled with security best practices. You can list all the trails in your AWS account using the AWS Command Line Interface (CLI) or the AWS Management Console.
Review trail settings: If there are existing trails, review their configurations to verify that the security best practices expected for NIST 800-171 Revision 2 are applied. Check that the trail is a multi-region trail, that it includes global service events, that log file validation is enabled, that the log files are encrypted with a KMS key, and that logging is actually turned on (a trail can exist with logging stopped). Log retention is not a property of the trail itself: it is governed by the lifecycle policy of the S3 bucket that receives the logs, so review that bucket's policy, lifecycle rules, and access controls as well.
Enable the necessary trails: If no trails are enabled or none of the existing trails meet the security best practices of NIST 800-171 Revision 2, create a new trail following the below steps.
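The "check existing trails" and "review trail settings" steps above can be automated. The following Python script is an added example, not code from the original page or from any specific compliance tool: it evaluates trail descriptions in the shape returned by the CloudTrail API (the `describe-trails`, `get-trail-status`, and `get-event-selectors` responses) against the settings this rule calls for, and reports whether at least one trail passes. The thresholds it applies (multi-region, log file validation, global service events, logging active, all management events recorded, with missing KMS encryption reported as a warning rather than a failure) are an assumption drawn from the page's own list of settings; the sample trails at the bottom are constructed, and the optional `audit_live` helper assumes `boto3` and valid AWS credentials.

```python
"""Audit CloudTrail trails against the best-practice settings this rule expects.

Added example (not part of the original page). The checks encode the
settings the page calls out; the exact pass/warn split is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class TrailFinding:
    name: str
    failures: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.failures


def captures_management_events(selectors: dict) -> bool:
    """True if the trail records all (read and write) management events.

    Classic selectors: IncludeManagementEvents with ReadWriteType "All".
    Advanced selectors: an eventCategory == Management selector with no
    readOnly filter narrowing it to one direction.
    """
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All":
            return True
    for sel in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        category = fields.get("eventCategory", {})
        if "Management" in category.get("Equals", []) and "readOnly" not in fields:
            return True
    return False


def evaluate_trail(trail: dict, status: dict, selectors: dict) -> TrailFinding:
    """Apply the rule's checks to one trail (describe-trails entry + status + selectors)."""
    f = TrailFinding(name=trail["Name"])
    if not trail.get("IsMultiRegionTrail"):
        f.failures.append("not multi-region")
    if not trail.get("LogFileValidationEnabled"):
        f.failures.append("log file validation disabled")
    if not trail.get("IncludeGlobalServiceEvents"):
        f.failures.append("global service events excluded")
    if not status.get("IsLogging"):
        f.failures.append("logging is stopped")
    if not captures_management_events(selectors):
        f.failures.append("does not record all management events")
    if not trail.get("KmsKeyId"):  # encryption at rest: warning, not failure (assumption)
        f.warnings.append("log files not encrypted with a KMS key")
    return f


def account_has_compliant_trail(findings: list[TrailFinding]) -> bool:
    """The rule passes if at least one trail meets every check."""
    return any(x.compliant for x in findings)


# Constructed sample data: one legacy single-region trail, one hardened org trail.
SAMPLE = [
    ({"Name": "legacy-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False,
      "IncludeGlobalServiceEvents": True, "S3BucketName": "legacy-logs"},
     {"IsLogging": True},
     {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]}),
    ({"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
      "IncludeGlobalServiceEvents": True, "S3BucketName": "org-logs",
      "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example"},
     {"IsLogging": True},
     {"AdvancedEventSelectors": [{"Name": "mgmt", "FieldSelectors": [
         {"Field": "eventCategory", "Equals": ["Management"]}]}]}),
]


def audit_sample() -> list[TrailFinding]:
    return [evaluate_trail(t, s, e) for t, s, e in SAMPLE]


def audit_live(region: str = "us-east-1") -> list[TrailFinding]:
    """Fetch real trails with boto3 (assumes credentials) and evaluate them."""
    import boto3  # imported here so the offline sample runs without it

    ct = boto3.client("cloudtrail", region_name=region)
    findings = []
    for t in ct.describe_trails(includeShadowTrails=False)["trailList"]:
        status = ct.get_trail_status(Name=t["TrailARN"])
        selectors = ct.get_event_selectors(TrailName=t["TrailARN"])
        findings.append(evaluate_trail(t, status, selectors))
    return findings


if __name__ == "__main__":
    results = audit_sample()
    for r in results:
        print(f"{r.name}: {'PASS' if r.compliant else 'FAIL'} {r.failures} warnings={r.warnings}")
    print("rule passes:", account_has_compliant_trail(results))
```

Run it as-is to see the constructed sample evaluated, or call `audit_live()` against an account. Note that `describe-trails` is called with shadow trails excluded so a multi-region trail is evaluated once, from its home region, rather than once per region.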
Necessary Codes:
AWS CLI command to create a new trail:
```bash
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail --include-global-service-events --enable-log-file-validation
```
Replace `<trail-name>` with the desired name for your trail and `<bucket-name>` with the name of the S3 bucket where the log files will be stored. The bucket must already exist and carry a bucket policy that allows CloudTrail to write to it. Note that, unlike the console, `create-trail` does not turn logging on: follow it with the CLI's `start-logging` subcommand for the new trail, and add the trail's KMS key option if log files must be encrypted with a customer managed key. Confirm the result with `get-trail-status` before treating the rule as remediated.
Step-by-step guide for remediation:
Log in to the AWS Management Console.
Navigate to the CloudTrail service.
Click on "Trails" in the left navigation pane.
Review the list of existing trails. If there are no trails or none of them meet the security best practices for NIST 800-171 Revision 2, proceed to creating a new trail.
Click on "Create trail".
Provide a unique name for your trail in the "Trail name" field.
Select the desired S3 bucket from the dropdown menu in the "Storage location" field. If you don't have an existing bucket, click on the "Create a new S3 bucket" link to create one.
Ensure that the "Enable log file validation" option is checked to adhere to the security best practices. This ensures the integrity of the trail's log files.
Check the "Multi-Region" option if you want the trail to collect logs from all regions. This is useful if your AWS resources are distributed across multiple regions.
Check the "Include global services" option if you want the trail to collect logs from global AWS services such as IAM and STS (in the current console a multi-region trail includes these automatically).
Review the remaining settings, in particular log file encryption with a KMS key. Log retention is controlled by the S3 bucket's lifecycle configuration rather than by the trail, so set the retention period on the bucket.
Click on the "Create" button to create the trail.
Once the trail is created, it will start capturing the necessary logs according to the defined settings.
By following these steps and enabling a trail with NIST 800-171 Revision 2 security best practices, your organization will be better equipped to monitor and audit any potential security incidents or unauthorized access to CUI.