This rule emphasizes integrating CloudTrail trails with CloudWatch Logs for enhanced security monitoring.

| Rule | CloudTrail trails should be integrated with CloudWatch logs |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Critical |
Rule Description:
CloudTrail trails should be integrated with CloudWatch Logs to satisfy NIST 800-53 Revision 5 security controls. The integration gives CloudTrail centralized logging and monitoring, so that activity in your AWS environment can be analyzed in near real time and alerted on when it is anomalous.
Troubleshooting Steps:
If you run into problems while integrating CloudTrail trails with CloudWatch Logs, work through these troubleshooting steps:
Verify IAM Permissions: Ensure that the AWS Identity and Access Management (IAM) user or role used to enable the CloudTrail integration with CloudWatch Logs has the necessary permissions. The user or role should have the "cloudtrail:PutEventSelectors" action for the desired CloudTrail trail and the "logs:CreateLogStream" and "logs:PutLogEvents" actions for the CloudWatch log group.
Check CloudTrail and CloudWatch Log Group Names: Confirm that you are specifying the correct CloudTrail trail and CloudWatch log group names when configuring the integration. A typo or an incorrect resource name is enough to make the integration fail.
Review CloudTrail and CloudWatch Logs Configuration: Verify that the CloudTrail trail is configured to capture the desired events and to write them to CloudWatch Logs. Likewise, check the CloudWatch log group configuration to confirm that it is actually receiving the CloudTrail events.
Check CloudTrail and CloudWatch Log Group Regions: Ensure that the CloudTrail trail and the CloudWatch log group are created in the same AWS region. A cross-region configuration can cause the integration to fail.
Check CloudTrail and CloudWatch Logs API Activity: Review the API activity recorded in CloudTrail for errors or exceptions related to the integration. Also check the CloudWatch Logs console for error messages or other diagnostic information.
Review CloudTrail and CloudWatch Logs Documentation: Consult the official AWS documentation for CloudTrail and CloudWatch Logs, in particular the section on the integration, for detailed troubleshooting guidance.
Necessary Codes:
No specific code is required to integrate CloudTrail trails with CloudWatch Logs for NIST 800-53 Revision 5 compliance. The integration can be configured through the AWS Management Console, the AWS CLI, or the AWS SDKs, whichever you prefer.
Step-by-Step Guide for Remediation:
Follow these steps to integrate CloudTrail trails with CloudWatch Logs for NIST 800-53 Revision 5 compliance:
Open the AWS Management Console and navigate to the CloudTrail service.
Select the CloudTrail trail you want to integrate with CloudWatch Logs.
Click on the "Edit" button.
In the "Event log delivery" section, choose "Yes" for "Send to CloudWatch Logs."
Specify the CloudWatch log group where you want to send the CloudTrail events or create a new log group.
Click on the "Save" button to apply the changes.
Verify that the CloudTrail events are being delivered to the specified CloudWatch log group by navigating to the CloudWatch Logs service.
In the CloudWatch Logs console, select the log group associated with the CloudTrail integration.
Review the log events to ensure they are being received correctly.
Enable any necessary CloudWatch log metrics, alarms, or further analysis as required by NIST 800-53 Revision 5 or your organization's security policies.
Note: The steps above can also be carried out with the AWS CLI or the AWS SDKs if preferred. Use the corresponding CLI commands or SDK methods to enable the CloudTrail integration with CloudWatch Logs.
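As an added example that is not part of the original rule page, the check behind this rule written in Python over the JSON that `aws cloudtrail describe-trails` returns, together with the AWS CLI `update-trail` command that performs the remediation the console steps describe. The trail records, account id, log group names and role name are constructed; the same-region condition is the one from the troubleshooting steps above.

```python
import json
import shlex

# Constructed sample of `aws cloudtrail describe-trails` output (account id and names are made up).
SAMPLE_DESCRIBE_TRAILS = json.loads("""
{"trailList": [
 {"Name": "management-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": true,
  "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/mgmt:*",
  "CloudWatchLogsRoleArn": "arn:aws:iam::111122223333:role/CloudTrail_CloudWatchLogs_Role"},
 {"Name": "legacy-trail", "HomeRegion": "us-west-2", "IsMultiRegionTrail": false},
 {"Name": "cross-region-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": false,
  "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/eu:*",
  "CloudWatchLogsRoleArn": "arn:aws:iam::111122223333:role/CloudTrail_CloudWatchLogs_Role"}
]}""")

def arn_region(arn):
    """Region field of an ARN: arn:partition:service:region:account:resource."""
    return arn.split(":")[3]

def evaluate_trail(trail):
    """Return (compliant, findings) for one describe-trails record.
    Pass = a log group ARN and a delivery role ARN are both set, and the log
    group is in the trail's home region (the same-region condition from the page)."""
    findings = []
    group_arn = trail.get("CloudWatchLogsLogGroupArn")
    role_arn = trail.get("CloudWatchLogsRoleArn")
    if not group_arn:
        findings.append("no CloudWatch Logs log group configured")
    if not role_arn:
        findings.append("no CloudWatch Logs delivery role configured")
    if group_arn and arn_region(group_arn) != trail["HomeRegion"]:
        findings.append("log group region %s differs from trail home region %s"
                        % (arn_region(group_arn), trail["HomeRegion"]))
    return (not findings, findings)

def evaluate_trails(describe_trails_output):
    """Map trail name -> (compliant, findings) for every trail in the output."""
    return {t["Name"]: evaluate_trail(t) for t in describe_trails_output["trailList"]}

def remediation_command(trail_name, log_group_arn, role_arn):
    """AWS CLI equivalent of the console steps: attach a log group and delivery role to a trail."""
    return " ".join(shlex.quote(a) for a in [
        "aws", "cloudtrail", "update-trail", "--name", trail_name,
        "--cloud-watch-logs-log-group-arn", log_group_arn,
        "--cloud-watch-logs-role-arn", role_arn])

if __name__ == "__main__":
    for name, (ok, findings) in evaluate_trails(SAMPLE_DESCRIBE_TRAILS).items():
        print("%-20s %s %s" % (name, "PASS" if ok else "FAIL", "; ".join(findings)))
```

Run it against real output by replacing the sample with `json.load()` of `aws cloudtrail describe-trails` and, for each failing trail, pass the log group and role ARNs you created to `remediation_command`.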