Rule: At Least One Multi-Region AWS CloudTrail
This rule states that at least one multi-region AWS CloudTrail should be present in an account.
| Rule | At least one multi-region AWS CloudTrail should be present in an account |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Medium |
Rule Description:
For compliance with NIST 800-53 Revision 5, it is required to have at least one multi-region AWS CloudTrail present in every AWS account. A multi-region CloudTrail provides enhanced visibility into account activity and enables tracking of actions across multiple AWS regions. This rule ensures that logs are not dependent on a single region and helps in identifying any possible unauthorized activities.
Troubleshooting Steps:
If you find that there is no multi-region AWS CloudTrail present in your AWS account, follow the troubleshooting steps below to rectify the issue:
- 1.
Check if CloudTrail is enabled in the AWS Management Console:
- Open the AWS Console and sign in to your account.
- Go to the CloudTrail service.
- Ensure that CloudTrail is enabled.
- If not, click on "Create Trail" and follow the instructions to enable it.
- 2.
Verify if the CloudTrail trail is configured for multi-region mode:
- Select the CloudTrail trail that is already created or the newly created trail.
- Go to the "Trail details" page.
- Check if the "Multi-Region" option is enabled.
- If not, edit the trail and enable the "Multi-Region" option.
- 3.
Verify if the desired regions are selected for the trail:
- In the trail configuration, check if the desired AWS regions are selected.
- Click on "Modify" if any changes are required to add or remove regions.
- 4.
Troubleshoot any log delivery issues:
- If you are not receiving cloud trail logs or facing log delivery issues,
- Verify if the CloudTrail log bucket is properly configured and has correct permissions.
- Ensure that the S3 bucket that stores the logs is correctly configured and accessible for CloudTrail.
- Check if the appropriate IAM roles, policies, and permissions are set up for CloudTrail to deliver logs.
Necessary Codes:
No specific codes are required for this rule.
Step-by-step Guide for Remediation:
Follow the steps below to add a multi-region AWS CloudTrail to comply with NIST 800-53 Revision 5:
- 1.
Open the AWS Management Console and sign in to your account.
- 2.
Go to the CloudTrail service.
- 3.
If CloudTrail is not enabled, click on "Create Trail."
- 4.
Provide a name for the trail and select the desired logging options.
- 5.
In the "Management events" section, select the option "All" or choose specific management events to log.
- 6.
Configure the data events logging based on your requirements.
- 7.
In the "Storage location" section, select an existing S3 bucket or create a new one to store the logs.
- 8.
Enable the "Multi-Region" option in the trail settings for enhanced visibility.
- 9.
Select the desired AWS regions for the trail to monitor.
- 10.
Configure advanced settings like encryption, tagging, and log file validation based on your security and compliance needs.
- 11.
Review the trail settings and click on "Create" to create the multi-region CloudTrail.
- 12.
Verify if the CloudTrail is successfully created and active.
- 13.
Monitor the CloudTrail logs periodically to ensure they are capturing the required activities.
Note: It is recommended to regularly review and update your CloudTrail configuration as per your organization's security requirements and compliance standards.