Rule: At least one enabled trail should be present in a region

This rule ensures the presence of at least one enabled trail in a specific region.

Rule: At least one enabled trail should be present in a region
Framework: NIST 800-53 Revision 4
Severity: Low

Rule Description:

The rule requires that at least one enabled trail is present in each region, in compliance with the NIST 800-53 Revision 4 security framework. A trail is a configuration that enables AWS CloudTrail, a service that provides a detailed record of actions performed within an AWS account, including actions taken through the AWS Management Console, the AWS Command Line Interface (CLI), or the AWS SDKs. This rule ensures that there is an audit trail for tracking changes, monitoring user activity, and investigating security incidents.

Troubleshooting Steps:

If there is no enabled trail in a region, you can follow these troubleshooting steps to address the issue:

  1. Verify the presence of trails: Check if there are any existing trails in the region. You can do this by navigating to the CloudTrail service in the AWS Management Console and selecting the region in question. Look for a list of trails on the "Trails" page. If no trails are present, proceed to the next step.

  2. Create a new trail: To create a new trail, click on the "Create trail" button. Provide a name for the trail and select the desired settings for logging, storage, and management. Ensure that the trail is enabled to comply with the rule. Make sure to configure the appropriate level of detail for logging, including capturing management events. Click on "Create" to create the trail.

  3. Enable existing trail: If there are trails present in the region but not enabled, select the trail from the list and click on "Edit" to modify the trail settings. Enable the trail by checking the "Enable" checkbox and save the changes.

Necessary Code:

No specific code is required for this rule. The steps mentioned above can be performed manually through the AWS Management Console.

Step-by-Step Guide for Remediation:

Follow these step-by-step instructions to remediate the issue:

  1. Log in to the AWS Management Console.
  2. Navigate to the CloudTrail service.
  3. Select the desired region that lacks an enabled trail.
  4. Check if there are any existing trails. If there are no trails present, proceed to step 5. Otherwise, if there are existing but disabled trails, skip to step 7.
  5. Click on the "Create trail" button.
  6. Provide a name for the trail, configure the desired settings, and make sure to enable the trail.
  7. If there are existing trails that are disabled, select the trail from the list.
  8. Click on "Edit" to modify the trail settings.
  9. Enable the trail by checking the "Enable" checkbox.
  10. Save the changes.
  11. Repeat these steps for any other regions where an enabled trail is not present.

By following these steps, you ensure compliance with the NIST 800-53 Revision 4 requirement of having at least one enabled trail in each region. The trails will provide an audit trail for tracking actions within your AWS account and aid in security investigations.
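
The per-region check that the guide performs by hand (and repeats for every region) can also be scripted. The following is an added example, not CloudDefense's code or part of the original page: it assumes "enabled" means the CloudTrail GetTrailStatus response reports IsLogging as true, and the function names, trail names and account ID are hypothetical or constructed.

```python
# Added example, not the vendor's code: per-region CloudTrail rule check.

def regions_without_enabled_trail(regions, describe_trails, get_trail_status):
    """Return the sorted regions in which no trail is currently logging.

    describe_trails(region)       -> list of trail dicts (the API's trailList)
    get_trail_status(region, arn) -> dict carrying the API's IsLogging flag
    """
    failing = []
    for region in regions:
        # Multi-region trails appear in every region as shadow copies; status
        # is queried by ARN because a name only resolves in the home region.
        is_logging = any(
            get_trail_status(region, trail["TrailARN"]).get("IsLogging", False)
            for trail in describe_trails(region)
        )
        if not is_logging:
            failing.append(region)
    return sorted(failing)

def live_adapters():
    """Callables for a real account; assumes boto3 and read-only credentials."""
    import boto3  # lazy import so the constructed sample below runs offline

    def client(region):
        return boto3.client("cloudtrail", region_name=region)

    return (lambda region: client(region).describe_trails()["trailList"],
            lambda region, arn: client(region).get_trail_status(Name=arn))


def sample_arn(region, name):  # constructed ARN, placeholder account ID
    return f"arn:aws:cloudtrail:{region}:111122223333:trail/{name}"

# Constructed sample: one logging trail, one stopped trail, one empty region.
SAMPLE_TRAILS = {
    "us-east-1": [{"Name": "audit-use1", "TrailARN": sample_arn("us-east-1", "audit-use1")}],
    "eu-west-1": [{"Name": "audit-euw1", "TrailARN": sample_arn("eu-west-1", "audit-euw1")}],
    "ap-south-1": [],
}
SAMPLE_LOGGING = {sample_arn("us-east-1", "audit-use1"): True,
                  sample_arn("eu-west-1", "audit-euw1"): False}

def sample_check(trails=SAMPLE_TRAILS, logging=SAMPLE_LOGGING):
    return regions_without_enabled_trail(
        trails, lambda r: trails[r], lambda r, arn: {"IsLogging": logging[arn]})
```

Against a real account, pass the list of regions to check together with the two callables returned by live_adapters(). A region is reported when it has no trail at all or when every trail listed there has logging stopped.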
