Rule: CloudTrail trails should be integrated with CloudWatch logs

This rule ensures CloudTrail trails are integrated with CloudWatch logs for enhanced monitoring and logging capabilities.

Rule: CloudTrail trails should be integrated with CloudWatch logs
Framework: NIST 800-53 Revision 4
Severity: Critical

Rule/Policy Description:

CloudTrail trails should be integrated with CloudWatch logs to ensure compliance with NIST 800-53 Revision 4 standard. This integration allows for centralized monitoring and storing of CloudTrail logs, enabling increased visibility into security events and facilitating the detection of potential security incidents.

Troubleshooting Steps (if any):

If there are any issues with the integration between CloudTrail and CloudWatch logs, follow these troubleshooting steps:

  1. Verify CloudTrail and CloudWatch Logs: Check if both CloudTrail and CloudWatch Logs are enabled in your AWS account.

  2. Confirm IAM Permissions: Ensure that the IAM roles associated with the CloudTrail trail and the CloudWatch Logs have the necessary permissions to access and write logs. Specifically, check if the IAM role has the required permissions for CloudTrail and CloudWatch Logs.

  3. Verify Resource Configuration: Double-check the configuration settings for both CloudTrail and CloudWatch Logs to ensure they are correctly set up. Pay attention to the log group, log stream, and AWS region settings.

  4. Check Logging Status: Ensure that logging is enabled for CloudTrail and CloudWatch Logs. If logging is not enabled, enable it using the AWS Management Console, AWS CLI, or SDKs.

  5. Testing and Validation: Perform a test by generating events in your AWS environment and verifying if the logs are appropriately captured by CloudTrail and integrated with CloudWatch Logs.

Necessary Codes (if any):

There are no specific codes needed for this integration as it can be configured through the AWS Management Console or using the AWS CLI/SDKs.

Step-by-Step Guide for Remediation:

Follow these steps to integrate CloudTrail trails with CloudWatch logs:

  1. Sign in to the AWS Management Console and open the CloudTrail service.

  2. Select the CloudTrail trail that you want to integrate with CloudWatch logs.

  3. Click on the "Edit" button to modify the trail's configuration.

  4. In the "CloudWatch Logs" section, select the option to enable logging for CloudWatch Logs.

  5. Choose an existing log group or create a new log group for storing the CloudTrail logs.

  6. Optionally, specify a log stream prefix to organize your logs into distinct streams.

  7. Select the AWS region for the log group and log stream.

  8. Click on the "Save" button to save the changes.

  9. Verify the integration by checking the CloudWatch Logs for the newly created log group and log stream. Ensure that the CloudTrail logs are being captured and stored correctly.

By following these steps, you can successfully integrate CloudTrail trails with CloudWatch logs, ensuring compliance with NIST 800-53 Revision 4.
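
The verification in step 9 and the troubleshooting checks above can be automated against the fields CloudTrail returns from DescribeTrails and GetTrailStatus. The following is an added example, not Cloud Defense's own rule logic: the one-day freshness threshold is an assumption, and the sample trails, account id and error text are constructed.

```python
from datetime import datetime, timedelta, timezone

MAX_DELIVERY_AGE = timedelta(days=1)  # assumed freshness threshold, not from the page

def evaluate_trail(trail, status, now, max_age=MAX_DELIVERY_AGE):
    """Return findings for one trail; an empty list means the trail passes."""
    # trail: one entry of describe_trails()["trailList"]; status: get_trail_status() response
    findings = []
    if not status.get("IsLogging"):
        findings.append("logging is stopped")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("no CloudWatch Logs log group configured")
        return findings  # delivery checks are meaningless without a log group
    if not trail.get("CloudWatchLogsRoleArn"):
        findings.append("no IAM role for CloudWatch Logs delivery")
    error = status.get("LatestCloudWatchLogsDeliveryError")
    if error:
        findings.append(f"last delivery failed: {error}")
    delivered = status.get("LatestCloudWatchLogsDeliveryTime")
    if delivered is None:
        findings.append("nothing has been delivered to CloudWatch Logs yet")
    elif now - delivered > max_age:
        findings.append("last delivery is older than the allowed age")
    return findings

def audit(trails, statuses, now):
    """Map each trail name to its findings."""
    return {t["Name"]: evaluate_trail(t, statuses[t["Name"]], now) for t in trails}

# Constructed sample data in the shape boto3 returns (all identifiers are made up).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
ARN = "arn:aws:logs:us-east-1:111122223333:log-group:example-trail-logs:*"
ROLE = "arn:aws:iam::111122223333:role/ExampleCloudTrailToCloudWatch"
TRAILS = [
    {"Name": "integrated", "CloudWatchLogsLogGroupArn": ARN, "CloudWatchLogsRoleArn": ROLE},
    {"Name": "s3-only"},
    {"Name": "stale", "CloudWatchLogsLogGroupArn": ARN, "CloudWatchLogsRoleArn": ROLE},
]
STATUSES = {
    "integrated": {"IsLogging": True, "LatestCloudWatchLogsDeliveryTime": NOW - timedelta(minutes=5)},
    "s3-only": {"IsLogging": True},
    "stale": {"IsLogging": True, "LatestCloudWatchLogsDeliveryTime": NOW - timedelta(days=3),
              "LatestCloudWatchLogsDeliveryError": "Access denied"},
}

if __name__ == "__main__":
    for name, findings in audit(TRAILS, STATUSES, NOW).items():
        print(name, "COMPLIANT" if not findings else "NON_COMPLIANT: " + "; ".join(findings))
```

Against a live account, the same dictionaries come from the boto3 CloudTrail client's `describe_trails()` and `get_trail_status(Name=...)` calls.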
