Rule: At Least One Enabled Trail Present in a Region

This rule ensures at least one enabled trail exists in a specific region.

Rule: At least one enabled trail should be present in a region
Framework: NIST 800-53 Revision 5
Severity: Low

Rule Description:

This rule enforces that at least one AWS CloudTrail trail is enabled in a specific region, in order to comply with the NIST (National Institute of Standards and Technology) 800-53 Revision 5 security framework. An enabled trail ensures that detailed logs of API activity are available and that important events are captured for monitoring and auditing purposes.

Troubleshooting Steps:

  1. Identify the AWS region where CloudTrail should be enabled.
  2. Check if there are any existing CloudTrail trails in the specified region.
  3. Verify the status of the trails to ensure they are enabled.
  4. If no trails are present or if they are not enabled, proceed with the remediation steps below.

Remediation:

In order to remediate the rule, follow these steps:

  1. Open the AWS Management Console and navigate to the CloudTrail service.
  2. Select the desired region where the CloudTrail should be enabled.
  3. Click on the "Create trail" button to create a new trail.
  4. Provide a meaningful name for the trail to easily identify its purpose.
  5. Select the S3 bucket where CloudTrail logs will be stored. If no bucket is available, create a new one.
  6. Enable the log file validation feature for added security and integrity.
  7. Choose the appropriate SNS topic or CloudWatch Logs group for receiving notifications or log delivery.
  8. Enable the desired type of logs to capture the required events. Consider options such as Management events, Data events, or AWS Lambda integration.
  9. Configure additional advanced features if necessary, such as encryption, multi-region log file replication, or custom tags.
  10. Review the trail settings and click on the "Create" button to enable the CloudTrail trail.
  11. Validate that the newly created trail is operational and capturing the desired events by reviewing the trail's status and log files.

Verification:

To verify that the CloudTrail trail is enabled and working correctly:

  1. Open the AWS Management Console and navigate to the CloudTrail service.
  2. Select the appropriate region.
  3. Locate the created trail and ensure its status is set to "Enabled".
  4. Verify that the trail is logging the expected events by reviewing the log files stored in the selected S3 bucket.

Additional Notes:

  • It is recommended to have CloudTrail enabled in all regions to ensure complete auditing and event monitoring coverage.
  • Regularly review and analyze CloudTrail logs for any suspicious activities or deviations from normal operations.
  • Ensure that the appropriate permissions are assigned to individuals or teams responsible for managing and monitoring CloudTrail trails.
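The verification steps and the all-regions note above can be automated. The following is an added example, not part of the original page or Cloud Defense's own checker: it decides whether a region is covered by at least one trail that is actually logging, counting both trails homed in the region and multi-region trails homed elsewhere (the `IsMultiRegionTrail` and `IsLogging` fields come from the real DescribeTrails and GetTrailStatus API responses; the trail names, account ID and `check_region_live` helper are constructed for illustration).

```python
"""Check that a region has at least one enabled (logging) CloudTrail trail."""
from typing import Callable, Dict, Iterable, List

Trail = Dict[str, object]


def region_has_enabled_trail(region: str, trails: Iterable[Trail],
                             status_lookup: Callable[[str], Dict[str, object]]) -> bool:
    """True if some trail covers `region` and is currently logging.

    `trails` is shaped like DescribeTrails 'trailList' entries; `status_lookup`
    maps a TrailARN to a GetTrailStatus-shaped dict. A trail that exists but has
    logging stopped does NOT satisfy the rule (troubleshooting step 3).
    """
    for trail in trails:
        covers = bool(trail.get("IsMultiRegionTrail")) or trail.get("HomeRegion") == region
        if covers and bool(status_lookup(str(trail["TrailARN"])).get("IsLogging")):
            return True
    return False


def assess_regions(regions: List[str], trails: Iterable[Trail],
                   status_lookup: Callable[[str], Dict[str, object]]) -> Dict[str, bool]:
    """Per-region result, for the 'enable CloudTrail in all regions' recommendation."""
    trail_list = list(trails)
    return {r: region_has_enabled_trail(r, trail_list, status_lookup) for r in regions}


# Constructed sample data (fictitious account 123456789012): one healthy single-region
# trail, one trail that exists in eu-west-1 but has logging turned off.
ARN_US = "arn:aws:cloudtrail:us-east-1:123456789012:trail/prod-trail"
ARN_EU = "arn:aws:cloudtrail:eu-west-1:123456789012:trail/eu-trail"
ARN_ORG = "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-all-regions"
SAMPLE_TRAILS: List[Trail] = [
    {"Name": "prod-trail", "TrailARN": ARN_US, "HomeRegion": "us-east-1", "IsMultiRegionTrail": False},
    {"Name": "eu-trail", "TrailARN": ARN_EU, "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False},
]
MULTI_REGION_TRAIL: Trail = {"Name": "org-all-regions", "TrailARN": ARN_ORG,
                             "HomeRegion": "us-east-1", "IsMultiRegionTrail": True}
SAMPLE_STATUS = {ARN_US: {"IsLogging": True}, ARN_EU: {"IsLogging": False}, ARN_ORG: {"IsLogging": True}}


def check_region_live(region: str) -> bool:
    """Same check against a real account (assumes boto3 and AWS credentials are available)."""
    import boto3  # imported here so the module loads without boto3 installed
    ct = boto3.client("cloudtrail", region_name=region)
    trails = ct.describe_trails(includeShadowTrails=True)["trailList"]
    return region_has_enabled_trail(region, trails, lambda arn: ct.get_trail_status(Name=arn))
```

Running `assess_regions(["us-east-1", "eu-west-1", "ap-south-1"], SAMPLE_TRAILS, SAMPLE_STATUS.get)` flags eu-west-1 (trail present but not logging) and ap-south-1 (no trail); adding `MULTI_REGION_TRAIL` to the list makes every region pass.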
