This rule ensures integration of CloudTrail trails with CloudWatch logs for enhanced monitoring and security measures.
| Rule | CloudTrail trails should be integrated with CloudWatch logs |
| --- | --- |
| Framework | NIST 800-53 Revision 5 |
| Severity | Critical |
Rule Description:
CloudTrail trails should be integrated with CloudWatch logs for NIST 800-53 Revision 5 compliance. This rule ensures that all CloudTrail logs are centrally collected, stored, and analyzed using CloudWatch logs for enhanced security and auditing capabilities.
Integrating CloudTrail trails with CloudWatch logs allows for real-time monitoring, automatic log aggregation, and the ability to set up alarms and notifications based on specific events or patterns in the logs. By adhering to NIST 800-53 Revision 5, organizations can meet compliance requirements and ensure the integrity and availability of their audit logs.
Troubleshooting Steps:
1. Verify that CloudTrail is enabled: Check if CloudTrail is enabled in your AWS account. If not, enable it by following the AWS documentation on how to set up CloudTrail.
2. Check CloudWatch Logs subscription: Ensure that your CloudTrail trails are integrated with CloudWatch logs by subscribing to the appropriate log group. If not already set up, follow the steps below for remediation.
3. Validate IAM permissions: Confirm that the IAM user or role used to integrate CloudTrail with CloudWatch logs has the necessary permissions. The user/role should have the following permissions:
   - `cloudtrail:UpdateTrail` to modify the trail properties.
   - `logs:CreateLogStream` to create a new log stream.
   - `logs:PutSubscriptionFilter` to configure the subscription filter.

   Assign the required permissions to the IAM user/role if they are missing.
Remediation Steps:
1. Create a CloudWatch log group: If you don't have a CloudWatch log group dedicated to storing CloudTrail logs, create one using the AWS CLI with the following command:

   ```shell
   aws logs create-log-group --log-group-name MyCloudTrailLogs
   ```

   Replace `MyCloudTrailLogs` with a suitable name for your log group.

2. Update CloudTrail configuration: Use the AWS CLI to update the CloudTrail trail configuration and associate it with the CloudWatch log group. Run the following command:

   ```shell
   aws cloudtrail update-trail --name MyTrail \
     --cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:123456789012:log-group:MyCloudTrailLogs:* \
     --cloud-watch-logs-role-arn arn:aws:iam::123456789012:role/MyCloudTrailToCloudWatchRole
   ```

   Replace `MyTrail` with the name of your CloudTrail trail, `arn:aws:logs:us-east-1:123456789012:log-group:MyCloudTrailLogs:*` with the ARN of your CloudWatch log group, and `arn:aws:iam::123456789012:role/MyCloudTrailToCloudWatchRole` with the ARN of the IAM role that has the necessary permissions to publish logs to the log group.

3. Verify the integration: Check if the CloudTrail trail is now integrated with CloudWatch logs by using the AWS CLI command:

   ```shell
   aws cloudtrail describe-trails --trail-name-list MyTrail
   ```

   Ensure that the `CloudWatchLogsLogGroupArn` property is set to the correct log group ARN.

Conclusion:
By following the above steps, you will successfully integrate CloudTrail trails with CloudWatch logs, ensuring compliance with NIST 800-53 Revision 5 requirements. This integration provides centralized logging and monitoring capabilities for your AWS account, enhancing your security posture and enabling efficient auditing.
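The verification step above only tells you to eyeball one property. The following script is an added example (not part of this rule page or of any AWS tool) that automates the check across every trail returned by `aws cloudtrail describe-trails`: it flags trails with no `CloudWatchLogsLogGroupArn`, trails whose log group or role value is not a well-formed ARN, and, as a heuristic this script adds on its own, trails whose log group and delivery role sit in different accounts. The `trailList`, `Name`, `CloudWatchLogsLogGroupArn` and `CloudWatchLogsRoleArn` keys are the real field names of the describe-trails response; the embedded `SAMPLE` payload is constructed for illustration and reuses the placeholder account and names from the commands above.

```python
"""Evaluate `aws cloudtrail describe-trails` output against the CloudWatch Logs integration rule."""
import json
import re
import sys

# Shapes of the two ARNs a correctly integrated trail carries. The trailing ":*"
# on the log group ARN is optional because describe-trails reports whatever was configured.
LOG_GROUP_ARN_RE = re.compile(
    r"^arn:aws:logs:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):log-group:[^:]+(:\*)?$"
)
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(?P<account>\d{12}):role/.+$")


def evaluate_trail(trail):
    """Return findings (strings) for one trail record; an empty list means compliant."""
    name = trail.get("Name", "<unnamed>")
    findings = []
    log_group = trail.get("CloudWatchLogsLogGroupArn")
    role = trail.get("CloudWatchLogsRoleArn")

    lg_match = LOG_GROUP_ARN_RE.match(log_group) if log_group else None
    if not log_group:
        findings.append(f"{name}: CloudWatchLogsLogGroupArn is not set")
    elif not lg_match:
        findings.append(f"{name}: CloudWatchLogsLogGroupArn is not a log group ARN: {log_group}")

    role_match = ROLE_ARN_RE.match(role) if role else None
    if not role:
        findings.append(f"{name}: CloudWatchLogsRoleArn is not set")
    elif not role_match:
        findings.append(f"{name}: CloudWatchLogsRoleArn is not an IAM role ARN: {role}")

    # Heuristic (an assumption of this script, not an AWS rule): the delivery role and
    # the log group are expected in the same account; a mismatch usually means a typo.
    if lg_match and role_match and lg_match["account"] != role_match["account"]:
        findings.append(
            f"{name}: log group account {lg_match['account']} differs from role account {role_match['account']}"
        )
    return findings


def evaluate(describe_trails_output):
    """Map each trail name in a describe-trails payload to its list of findings."""
    return {
        trail.get("Name", "<unnamed>"): evaluate_trail(trail)
        for trail in describe_trails_output.get("trailList", [])
    }


def noncompliant_trails(describe_trails_output):
    """Sorted names of trails that would fail the rule."""
    return sorted(name for name, findings in evaluate(describe_trails_output).items() if findings)


# Constructed sample shaped like `aws cloudtrail describe-trails` output (placeholder account data).
SAMPLE = {
    "trailList": [
        {
            "Name": "MyTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyTrail",
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:MyCloudTrailLogs:*",
            "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/MyCloudTrailToCloudWatchRole",
        },
        {
            "Name": "NoLogsTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/NoLogsTrail",
        },
        {
            "Name": "BadArnTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/BadArnTrail",
            "CloudWatchLogsLogGroupArn": "MyCloudTrailLogs",
            "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/MyCloudTrailToCloudWatchRole",
        },
    ]
}


if __name__ == "__main__":
    # Feed real output in with: aws cloudtrail describe-trails | python3 check_trail_logs.py
    payload = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for trail_name, findings in evaluate(payload).items():
        print(f"[{'FAIL' if findings else 'PASS'}] {trail_name}")
        for finding in findings:
            print(f"    - {finding}")
    sys.exit(1 if noncompliant_trails(payload) else 0)
```

Run it with no stdin to see the constructed sample evaluated, or pipe the real `describe-trails` JSON into it; the non-zero exit status makes it usable as a gate in a compliance pipeline. The script reads only the describe-trails response, so it needs nothing beyond the `cloudtrail:DescribeTrails` permission that the CLI call itself already requires.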