This rule checks that at least one CloudTrail trail that is actively logging covers each AWS region being evaluated.
Rule | At least one enabled trail should be present in a region
Framework | NIST 800-53 Revision 5
Severity | Low
Rule Description:
This rule requires that at least one enabled (logging) CloudTrail trail covers the evaluated AWS region, as expected by the audit logging controls of NIST 800-53 Revision 5. A trail records the API calls made in the account and delivers them to an S3 bucket; without one, actions taken in that region leave no durable audit record, which undermines transparency, accountability, and incident investigation. A trail counts for a region if it is a single-region trail homed there or a multi-region trail (which records events from every region), and only while logging is started: a trail that exists but has logging stopped does not satisfy the rule.
Troubleshooting Steps:
If this rule fails, no trail in the evaluated region is currently logging: either no trail covers the region, or the trails that do have logging stopped. To troubleshoot and remediate the issue, follow these steps:
Identify the AWS region: Determine which region the finding was raised for.
Check existing trails: Use the AWS Management Console, the AWS CLI (describe-trails, then get-trail-status for each trail), or an SDK to list the trails that cover the region, including multi-region trails homed in another region, and confirm whether each one is logging (IsLogging is true).
Create a trail if none exists: If no trail covers the region, create one with the AWS CloudTrail service and then start logging on it. Creating a trail through the CLI or an SDK does not start logging by itself.
Start logging on a stopped trail: If a trail covers the region but its logging is stopped, start logging again. For a multi-region trail this must be done from the trail's home region.
Necessary Codes (if applicable):
When creating or enabling a trail with the AWS CLI or an SDK, the following commands apply (replace the placeholders in angle brackets with your own values):
Create a new trail (multi-region, so it covers this region and every other one; the S3 bucket must already exist with a bucket policy that allows CloudTrail to write to it):
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail
Start logging on a trail (required after create-trail, and for any existing trail whose logging was stopped; run it in the trail's home region):
aws cloudtrail start-logging --name <trail-name>
Remediation Steps:
Identify the region: Determine the AWS region the finding applies to.
Check existing trails: Verify whether at least one trail that covers the region (a single-region trail homed there, or a multi-region trail) currently has logging started.
Create a new trail (if necessary): If no trail covers the region, create one with the AWS CloudTrail service and point it at an S3 bucket that CloudTrail is permitted to write to. A multi-region trail is the simplest way to cover this region and all others at once.
Start logging (if necessary): If the trail is newly created, or an existing covering trail has logging stopped, start logging using the AWS Management Console, AWS CLI, or an SDK. With the AWS CLI, run the following from the trail's home region:
aws cloudtrail start-logging --name <trail-name>
Verify compliance: Confirm that the trail reports IsLogging as true (get-trail-status) and that log files are being delivered to the S3 bucket for the region. Review the delivered logs to ensure they contain the event detail NIST 800-53 Revision 5 requires, such as who made each call, when, from where, and with what outcome.
Repeat for other regions: If several regions are evaluated, repeat the steps above for each one. A single multi-region trail with logging started satisfies the rule in every region simultaneously.
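The check and remediation steps above, as an added example that is not part of the original rule page and is not AWS code: an offline Python evaluator that applies the rule to the JSON shapes returned by `aws cloudtrail describe-trails` (the trailList entries) and `aws cloudtrail get-trail-status` (the IsLogging flag) and prints the CLI commands that would fix each failing region. The account id, trail names, bucket name, and status values are constructed samples, and the `arn` helper and function names are assumptions made for this example.

```python
"""Offline evaluator for "at least one enabled trail should be present in a region".

Added example; not code from the original page or from AWS. It operates on the
JSON shapes returned by `aws cloudtrail describe-trails` (trailList entries) and
`aws cloudtrail get-trail-status` (IsLogging). All sample data is constructed.
"""
from copy import deepcopy

ACCOUNT = "123456789012"  # constructed account id


def arn(region, name):
    """Build the TrailARN as describe-trails reports it (helper assumed for the example)."""
    return f"arn:aws:cloudtrail:{region}:{ACCOUNT}:trail/{name}"


# Constructed sample of describe-trails output (trailList), one dict per trail.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "S3BucketName": "example-cloudtrail-logs", "TrailARN": arn("us-east-1", "org-trail")},
    {"Name": "eu-only", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
     "S3BucketName": "example-cloudtrail-logs", "TrailARN": arn("eu-west-1", "eu-only")},
    {"Name": "stale", "HomeRegion": "ap-southeast-2", "IsMultiRegionTrail": False,
     "S3BucketName": "example-cloudtrail-logs", "TrailARN": arn("ap-southeast-2", "stale")},
]

# Constructed sample of get-trail-status output, keyed by TrailARN. org-trail was
# created with create-trail but start-logging was never run: the trail exists but
# is not logging, which is exactly the gap this rule catches.
SAMPLE_STATUS = {
    arn("us-east-1", "org-trail"): {"IsLogging": False},
    arn("eu-west-1", "eu-only"): {"IsLogging": True},
    arn("ap-southeast-2", "stale"): {"IsLogging": False},
}


def trails_covering(region, trails):
    """Trails that record events for `region`: single-region trails homed there,
    plus every multi-region trail (those log all regions regardless of home)."""
    return [t for t in trails if t["IsMultiRegionTrail"] or t["HomeRegion"] == region]


def region_compliant(region, trails, status):
    """The rule passes when at least one covering trail has IsLogging true."""
    return any(status[t["TrailARN"]]["IsLogging"] for t in trails_covering(region, trails))


def remediation(region, trails, status):
    """CLI commands (the ones the rule page gives) that would make `region`
    compliant; empty if it already is. start-logging must be issued in the trail's
    home region, so --region is the HomeRegion, not the region being evaluated."""
    if region_compliant(region, trails, status):
        return []
    covering = trails_covering(region, trails)
    if covering:
        return [f"aws cloudtrail start-logging --name {t['Name']} --region {t['HomeRegion']}"
                for t in covering]
    # No trail covers the region at all: create a multi-region trail here, then start it.
    # <bucket-name> must already exist with a bucket policy that lets CloudTrail write.
    return [f"aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name>"
            f" --is-multi-region-trail --region {region}",
            f"aws cloudtrail start-logging --name <trail-name> --region {region}"]


def evaluate(regions, trails, status):
    """Map each region to its verdict and the commands that would remediate it."""
    return {r: {"compliant": region_compliant(r, trails, status),
                "remediation": remediation(r, trails, status)} for r in regions}


def apply_start_logging(status, trail_arn):
    """Simulate the effect of `aws cloudtrail start-logging` on a copy of the status map."""
    new = deepcopy(status)
    new[trail_arn]["IsLogging"] = True
    return new


if __name__ == "__main__":
    regions = ["us-east-1", "eu-west-1", "ap-southeast-2", "us-west-2"]
    for region, result in evaluate(regions, SAMPLE_TRAILS, SAMPLE_STATUS).items():
        print(region, "OK" if result["compliant"] else "FAIL")
        for cmd in result["remediation"]:
            print("   ", cmd)
```

In the sample, only eu-west-1 passes: the multi-region trail covers every region but is not logging, so us-east-1 and us-west-2 fail despite a trail existing, and ap-southeast-2 fails even though two trails cover it. Starting logging on the one multi-region trail (from its home region, us-east-1) makes every region compliant, which is why a multi-region trail is the cheapest way to satisfy this rule account-wide.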
Following these steps ensures that at least one enabled trail is present in the required AWS region, satisfying this NIST 800-53 Revision 5 rule.