This rule ensures CloudTrail trails are integrated with CloudWatch logs for enhanced security monitoring.
| Field | Value |
|---|---|
| Rule | CloudTrail trails should be integrated with CloudWatch logs |
| Framework | NIST 800-53 Revision 4 |
| Severity | Critical |
Rule/Policy Description
The integration of CloudTrail trails with CloudWatch logs is required to comply with the NIST 800-53 Revision 4 security standard. This integration ensures that CloudTrail logs are consistently monitored and can provide real-time alerts and analysis for security events.
Troubleshooting Steps
If the integration between CloudTrail trails and CloudWatch logs is not functioning as expected, the following troubleshooting steps can be followed:
1. Verify CloudTrail and CloudWatch Integration: Ensure that the CloudTrail and CloudWatch services are both enabled in the AWS Management Console.
2. Check CloudTrail Configuration: Ensure that the CloudTrail trail is properly configured to send logs to CloudWatch. Specifically, confirm that the Log Group and Log Stream settings are correct.
3. Verify IAM Permissions: Ensure that the IAM role associated with the CloudTrail trail has the necessary permissions to write logs to the selected CloudWatch Log Group. Check that the IAM policy grants the "logs:CreateLogStream" and "logs:PutLogEvents" permissions.
4. Verify CloudWatch Log Group Subscription: Check that the CloudWatch Log Group subscription filters are correctly set up to receive logs from the CloudTrail trail.
5. Verify CloudWatch Alarm and Notification Settings: Ensure that CloudWatch Alarms are correctly configured to trigger notifications for security events. Check that the appropriate SNS topic is set up to receive these notifications.
6. Review CloudTrail and CloudWatch Metrics: Analyze the CloudTrail and CloudWatch metrics to identify any anomalies or errors in the integration. Look for error codes or abnormal behavior that might indicate issues.
7. Contact AWS Support: If the above steps do not resolve the integration issues, reach out to AWS Support for further assistance.
Necessary Codes
The following AWS CLI commands integrate a trail with CloudWatch Logs and create an alarm on it. The trail, bucket, log group, role, topic names, region and account ID are placeholders to replace with your own values:

```bash
# Create the trail, delivering to S3 and to the CloudWatch Logs log group.
# The role must grant logs:CreateLogStream and logs:PutLogEvents on that log group.
aws cloudtrail create-trail --name my-trail --s3-bucket-name my-bucket \
  --cloud-watch-logs-log-group-arn arn:aws:logs:us-west-2:123456789012:log-group:my-group \
  --cloud-watch-logs-role-arn arn:aws:iam::123456789012:role/CloudWatchLogsRole

# A trail records nothing until logging is started.
aws cloudtrail start-logging --name my-trail

# Alarm that notifies the SNS topic when the metric reaches the threshold.
# --statistic and --period are required whenever --metric-name is given; the namespace and
# metric name must match a metric that exists in your account (typically one published by a
# metric filter on the CloudTrail log group).
aws cloudwatch put-metric-alarm --alarm-name my-alarm --namespace AWS/CloudTrail \
  --metric-name Events --dimensions Name=TrailName,Value=my-trail \
  --statistic Sum --period 300 \
  --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --threshold 1 \
  --alarm-actions arn:aws:sns:us-west-2:123456789012:my-topic
```
Step-by-Step Guide for Remediation
To remediate and integrate CloudTrail trails with CloudWatch logs for NIST 800-53 Revision 4 compliance, follow these steps:
1. Open the AWS Management Console and navigate to the CloudTrail service.
2. Create a new trail by clicking on the "Create trail" button.
3. Provide a name for the trail and select the desired S3 bucket where the CloudTrail logs will be stored.
4. Specify the CloudWatch Log Group where the CloudTrail logs will be sent by entering the ARN of the desired Log Group.
5. Attach the necessary IAM role to the trail. Ensure that the role has the required permissions to write logs to CloudWatch.
6. Enable the trail and start logging by clicking the "Save" or "Create" button.
7. Open the CloudWatch service in the AWS Management Console.
8. Create a new CloudWatch Alarm by navigating to the Alarms section and clicking on the "Create Alarm" button.
9. Configure the alarm to trigger for specific events or metrics related to CloudTrail. Specify the desired comparison operator, threshold, and evaluation periods.
10. Configure the alarm actions to send notifications to the desired SNS topic.
11. Save the alarm configuration by clicking the "Create alarm" button.
After completing these steps, your CloudTrail trails will be integrated with CloudWatch logs. The logs will be continuously monitored, and alarms will trigger notifications for security events based on the configured rules.
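To check this rule and the troubleshooting points above programmatically, here is an added example (not part of the original rule page or of any tool's own code) that evaluates trails from the shape of `describe-trails` and `get-trail-status` output: it flags trails with no log group or role, trails that are not logging, delivery errors, and configured integrations that have gone stale. The sample trails, ARNs and account ID are constructed placeholders, and the live variant assumes boto3 is installed with credentials configured.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data shaped like `aws cloudtrail describe-trails` / `get-trail-status`
# output; the account ID, ARNs and trail names are placeholders, not real resources.
LOG_GROUP = "arn:aws:logs:us-west-2:111111111111:log-group:cloudtrail:*"
ROLE = "arn:aws:iam::111111111111:role/CloudWatchLogsRole"
SAMPLE_TRAILS = [
    {"Name": "prod-trail", "CloudWatchLogsLogGroupArn": LOG_GROUP, "CloudWatchLogsRoleArn": ROLE},
    {"Name": "legacy-trail"},  # never wired to CloudWatch Logs
    {"Name": "stale-trail", "CloudWatchLogsLogGroupArn": LOG_GROUP, "CloudWatchLogsRoleArn": ROLE},
]
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_STATUS = {
    "prod-trail": {"IsLogging": True, "LatestCloudWatchLogsDeliveryTime": NOW - timedelta(minutes=5)},
    "legacy-trail": {"IsLogging": True},
    "stale-trail": {"IsLogging": False, "LatestCloudWatchLogsDeliveryError": "AccessDenied",
                    "LatestCloudWatchLogsDeliveryTime": NOW - timedelta(days=3)},
}


def trail_findings(trail, status, now, max_age=timedelta(days=1)):
    """Return the reasons a trail fails the rule; an empty list means compliant."""
    findings = []
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("no CloudWatch Logs log group configured")
    if not trail.get("CloudWatchLogsRoleArn"):
        findings.append("no IAM role for CloudWatch Logs delivery")
    if not status.get("IsLogging"):
        findings.append("trail is not logging")
    if status.get("LatestCloudWatchLogsDeliveryError"):
        findings.append("last CloudWatch Logs delivery failed: " + status["LatestCloudWatchLogsDeliveryError"])
    # A configured integration that has not delivered recently is treated as broken, so a
    # revoked role or deleted log group (configuration still present) is still flagged.
    last = status.get("LatestCloudWatchLogsDeliveryTime")
    if trail.get("CloudWatchLogsLogGroupArn") and (last is None or now - last > max_age):
        findings.append("no CloudWatch Logs delivery within the last %s" % max_age)
    return findings


def evaluate(trails, statuses, now):
    """Map every trail name to its findings."""
    return {t["Name"]: trail_findings(t, statuses.get(t["Name"], {}), now) for t in trails}


def evaluate_account(region):
    """Live variant: same evaluation over the account's real trails (boto3 assumed installed)."""
    import boto3
    ct = boto3.client("cloudtrail", region_name=region)
    trails = ct.describe_trails()["trailList"]
    statuses = {t["Name"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    return evaluate(trails, statuses, datetime.now(timezone.utc))
```

Running `evaluate(SAMPLE_TRAILS, SAMPLE_STATUS, NOW)` reports prod-trail as compliant, legacy-trail as missing both the log group and the role, and stale-trail as not logging with a failed and stale delivery.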