Rule: CloudTrail trails should be integrated with CloudWatch logs

This rule checks that CloudTrail trails are integrated with CloudWatch Logs.

Framework: NIST 800-53 Revision 5
Severity: Critical

CloudTrail Integration with CloudWatch Logs for NIST 800-53 Revision 5

Description

CloudTrail is an Amazon Web Services (AWS) service that supports governance, compliance, operational auditing, and risk auditing of your AWS account. It provides detailed logs of activity within your account, such as API calls made to AWS services. Integrating CloudTrail with CloudWatch Logs lets you manage and monitor your CloudTrail logs centrally, which helps you meet compliance requirements such as NIST 800-53 Revision 5.

NIST (National Institute of Standards and Technology) 800-53 Revision 5 is a security control framework commonly used to secure information systems within the United States federal government.

To adhere to the NIST 800-53 Revision 5 security controls, you must integrate your CloudTrail trails with CloudWatch Logs. This integration ensures that CloudTrail logs are securely stored, monitored, and retained as per NIST 800-53 requirements.

Troubleshooting Steps

If you encounter issues while integrating CloudTrail with CloudWatch Logs, follow these troubleshooting steps:

  1. Check CloudTrail and CloudWatch Logs configuration: Verify that both CloudTrail and CloudWatch Logs are enabled and properly configured in your AWS account.

  2. Check IAM permissions: Ensure that the IAM roles associated with your CloudTrail and CloudWatch Logs have the necessary permissions to interact with each other. Specifically, verify that the IAM role used by CloudTrail has permission to write logs to CloudWatch Logs.

  3. Verify CloudTrail trail settings: Double-check the settings of your CloudTrail trail to ensure it is configured to send logs to CloudWatch Logs. Pay attention to the log group and log stream settings.

  4. Check CloudWatch Logs retention: Confirm that the retention period for CloudWatch Logs is set according to your compliance requirements. If retention is too short, logs may be deleted before they can be evaluated for compliance.

  5. Enable CloudWatch Logs for existing trails: If you have existing CloudTrail trails that are not integrated with CloudWatch Logs, you need to manually enable the integration. CloudTrail trails that were created before the integration feature must be configured individually.

Configuration Steps

To integrate CloudTrail trails with CloudWatch Logs to comply with NIST 800-53 Revision 5, follow these step-by-step instructions:

  1. Create a CloudWatch Logs log group: In the AWS Management Console, navigate to CloudWatch Logs and create a log group to store your CloudTrail logs. Note the ARN (Amazon Resource Name) of the log group.

  2. Create or update CloudTrail trails: In the AWS Management Console, navigate to CloudTrail and for each trail that needs integration, either create a new trail or update an existing one.

     • Creating a new trail: Enable CloudTrail for the desired region(s) and select the option to "Send to CloudWatch Logs." Specify the log group ARN created in the previous step.

     • Updating an existing trail: For existing trails, enable the "Send to CloudWatch Logs" option and specify the log group ARN.

  3. Configure log stream names: Each trail within a log group requires a unique log stream name. You can enable the "Append date to stream name" option to ensure uniqueness based on the date.

  4. Verify log delivery: Wait for the logs to be delivered to CloudWatch Logs. Check the log group in CloudWatch Logs and ensure it contains the expected logs from your CloudTrail trail.
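
One way to automate the checks in the troubleshooting list and the "Verify log delivery" step, as an added example that is not part of the original page or Cloud Defense's own code. It evaluates dictionaries shaped like the CloudTrail `describe_trails` and `get_trail_status` responses and the CloudWatch Logs `describe_log_groups` response; the one-day delivery window, the 365-day retention minimum, and all sample names and values are assumptions.

```python
from datetime import datetime, timedelta, timezone

def log_group_name(arn):
    # Log group ARN shape: arn:aws:logs:<region>:<account>:log-group:<name>:*
    name = arn.split(":log-group:", 1)[1]
    return name[:-2] if name.endswith(":*") else name

def evaluate_trail(trail, status, log_groups, now,
                   max_delivery_age=timedelta(days=1), min_retention_days=365):
    """Return findings for one trail (empty list = pass). Both defaults are assumptions."""
    group_arn = trail.get("CloudWatchLogsLogGroupArn")
    if not group_arn:
        return ["trail is not configured to send logs to CloudWatch Logs"]
    findings = []
    if not trail.get("CloudWatchLogsRoleArn"):
        findings.append("no IAM role set for writing to CloudWatch Logs")
    if not status.get("IsLogging"):
        findings.append("trail logging is turned off")
    if status.get("LatestCloudWatchLogsDeliveryError"):
        findings.append("last delivery failed: " + status["LatestCloudWatchLogsDeliveryError"])
    last = status.get("LatestCloudWatchLogsDeliveryTime")
    if last is None or now - last > max_delivery_age:
        findings.append("no delivery to CloudWatch Logs within the allowed window")
    group = log_groups.get(log_group_name(group_arn))
    if group is None:
        findings.append("configured log group does not exist")
    # A log group with no retentionInDays never expires its events.
    elif group.get("retentionInDays", float("inf")) < min_retention_days:
        findings.append("log group retention is shorter than required")
    return findings

# Constructed sample data shaped like describe_trails / get_trail_status / describe_log_groups output.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
ARN = "arn:aws:logs:us-east-1:111122223333:log-group:%s:*"  # placeholder account ID
ROLE = "arn:aws:iam::111122223333:role/ExampleCloudTrailToCWL"
LOG_GROUPS = {"trail-ok": {}, "trail-stale": {"retentionInDays": 30}}
TRAILS = {
    "ok": ({"CloudWatchLogsLogGroupArn": ARN % "trail-ok", "CloudWatchLogsRoleArn": ROLE},
           {"IsLogging": True, "LatestCloudWatchLogsDeliveryTime": NOW - timedelta(minutes=5)}),
    "s3-only": ({"S3BucketName": "example-bucket"}, {"IsLogging": True}),
    "stale": ({"CloudWatchLogsLogGroupArn": ARN % "trail-stale", "CloudWatchLogsRoleArn": ROLE},
              {"IsLogging": True, "LatestCloudWatchLogsDeliveryError": "AccessDenied",
               "LatestCloudWatchLogsDeliveryTime": NOW - timedelta(days=3)}),
}

def run_sample():
    return {name: evaluate_trail(t, s, LOG_GROUPS, NOW) for name, (t, s) in TRAILS.items()}

if __name__ == "__main__":
    print(run_sample())
```

Against a live account, the same dictionaries can be built from boto3's `describe_trails`, `get_trail_status` and `describe_log_groups` calls, with the log groups keyed by `logGroupName`.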

Conclusion

Integrating CloudTrail with CloudWatch Logs ensures that your CloudTrail logs are available for analysis, compliance, and monitoring purposes, in accordance with NIST 800-53 Revision 5. By following the troubleshooting steps and configuration instructions described above, you can successfully integrate CloudTrail trails with CloudWatch Logs for compliance with NIST 800-53 Revision 5 security controls.
