Rule: CloudTrail trails should be integrated with CloudWatch logs

Ensure CloudTrail trails are integrated with CloudWatch logs for improved monitoring.

Rule: CloudTrail trails should be integrated with CloudWatch logs
Framework: NIST 800-53 Revision 4
Severity: Critical

Rule Description:

CloudTrail trails should be integrated with CloudWatch logs for NIST 800-53 Revision 4 compliance. This rule ensures that logs generated by CloudTrail, which captures AWS API and management events, are stored securely in CloudWatch logs. Integrating with CloudWatch logs allows for centralized log management, real-time monitoring, and analysis of events for compliance and security purposes, as required by the NIST 800-53 Revision 4 standard.

Troubleshooting Steps:

If CloudTrail trails are not integrated with CloudWatch logs, follow these troubleshooting steps:

  1. Verify CloudTrail Configuration:

    • Ensure that CloudTrail is enabled in the AWS Management Console.
    • Check that a CloudTrail trail has been created.
    • Confirm that the trail is capturing the necessary events and resources.

  2. Verify CloudWatch Logs Configuration:

    • Ensure that the CloudWatch Logs service is available in the AWS Management Console.
    • Check that a CloudWatch Logs log group has been created to store the CloudTrail logs.
    • Confirm that the necessary IAM permissions are assigned to the CloudTrail service so it can send logs to CloudWatch Logs.

  3. Check IAM Permissions:

    • Verify that the IAM role associated with CloudTrail has permissions to write logs to CloudWatch Logs.
    • Ensure the required policies (e.g., CloudWatchLogsFullAccess) are attached to the IAM role.

  4. Check CloudTrail and CloudWatch Logs Integration:

    • Double-check the settings within the CloudTrail trail to ensure it is configured to send logs to CloudWatch Logs.
    • Verify that the correct CloudWatch Logs log group is selected to store the logs.
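The checks above can be automated against the output of the CloudTrail describe-trails API. The following is an added example, not code from this page or from CloudDefense: it evaluates a constructed list of trails in the shape returned by boto3's `describe_trails()["trailList"]` and flags any trail whose CloudWatch Logs log group or delivery role is missing or malformed; all names, account IDs and ARNs are placeholders.

```python
import re

# ARN shapes CloudTrail expects for the destination log group and the delivery role.
LOG_GROUP_ARN = re.compile(r"^arn:aws(?:-[a-z]+)?:logs:[a-z0-9-]+:\d{12}:log-group:[^:]+(?::\*)?$")
ROLE_ARN = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::\d{12}:role/.+$")


def evaluate_trail(trail: dict) -> list:
    """Return the findings for one trail; an empty list means the trail passes the rule."""
    findings = []
    group = trail.get("CloudWatchLogsLogGroupArn")
    role = trail.get("CloudWatchLogsRoleArn")
    if not group:
        findings.append("no CloudWatch Logs log group configured")
    elif not LOG_GROUP_ARN.match(group):
        findings.append(f"log group ARN is malformed: {group}")
    # A log group alone is not enough: CloudTrail assumes this role to write to it.
    if not role:
        findings.append("no CloudWatch Logs delivery role configured")
    elif not ROLE_ARN.match(role):
        findings.append(f"delivery role ARN is malformed: {role}")
    return findings


def evaluate_trails(trails: list) -> dict:
    """Map each trail name to its findings (PASS when the list is empty)."""
    return {t.get("Name", "<unnamed>"): evaluate_trail(t) for t in trails}


# Constructed sample in the shape of boto3 `cloudtrail.describe_trails()["trailList"]`;
# the account id, names and ARNs are placeholders, not real resources.
SAMPLE_TRAILS = [
    {
        "Name": "org-trail",
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:MyCloudTrailLogs:*",
        "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role",
    },
    {
        # Log group set but no delivery role: delivery cannot succeed, so the rule fails.
        "Name": "legacy-trail",
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:MyCloudTrailLogs:*",
    },
    {
        # No CloudWatch Logs integration at all (S3 delivery only).
        "Name": "s3-only-trail",
    },
]

if __name__ == "__main__":
    # In a live account, replace SAMPLE_TRAILS with boto3.client("cloudtrail").describe_trails()["trailList"].
    for name, findings in evaluate_trails(SAMPLE_TRAILS).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL - ' + '; '.join(findings)}")
```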

Necessary Codes:

  1. CloudFormation (the trail needs both the log group ARN and the IAM role CloudTrail assumes to write to it; the bucket and role names are placeholders to replace):

Resources:
  MyCloudTrailTrail:
    Type: "AWS::CloudTrail::Trail"
    Properties:
      # Trail configuration properties...
      IsLogging: true
      S3BucketName: "<bucket-name>"
      # Destination log group and the delivery role; CloudFormation rejects one without the other.
      CloudWatchLogsLogGroupArn: "arn:aws:logs:<region>:<account-id>:log-group:MyCloudTrailLogs"
      CloudWatchLogsRoleArn: "arn:aws:iam::<account-id>:role/<cloudtrail-logs-role>"

  2. AWS CLI (update-trail attaches the log group and delivery role to an existing trail; create-trail accepts the same two options for a new one):

aws cloudtrail update-trail \
  --name MyCloudTrail \
  --cloud-watch-logs-log-group-arn arn:aws:logs:<region>:<account-id>:log-group:MyCloudTrailLogs \
  --cloud-watch-logs-role-arn arn:aws:iam::<account-id>:role/<cloudtrail-logs-role>

Step-by-Step Guide for Remediation:

To integrate CloudTrail trails with CloudWatch logs for NIST 800-53 Revision 4 compliance, follow these steps:

  1. Log in to the AWS Management Console.

  2. Open the CloudTrail service.

  3. Click on "Trails" in the left navigation pane.

  4. Select the trail you want to enable CloudWatch logs integration for.

  5. Click on the "Edit" button.

  6. In the "CloudWatch Logs" section, choose the CloudWatch Logs group where you want to store the logs. If the group does not exist, you can create it by clicking on "Create a new group".

  7. Click on "Save" to apply the changes.

  8. Verify that the trail has been integrated with the selected CloudWatch Logs group by checking the status of the trail.

  9. If using CloudFormation, use the provided code snippet and modify it with the appropriate values for your environment. Then deploy the CloudFormation stack to create the trail with CloudWatch logs integration.

  10. If using the AWS CLI, execute the provided code snippet in the terminal or command prompt, replacing the placeholders with the correct values for your environment.

  11. Monitor the CloudTrail trail and CloudWatch Logs to ensure that the logs are successfully captured and stored in the specified CloudWatch Logs group.

By completing these steps, you will have successfully integrated CloudTrail trails with CloudWatch logs for NIST 800-53 Revision 4 compliance. This allows for centralized log management and monitoring, helping to meet the security and compliance requirements outlined by the NIST standard.
