CloudTrail trails Integration with CloudWatch Logs Rule

This rule ensures that CloudTrail trails are integrated with CloudWatch logs for enhanced monitoring and security.

Rule: CloudTrail trails should be integrated with CloudWatch logs
Framework: NIST 800-53 Revision 5
Severity: Critical

Rule Description

CloudTrail trails should be integrated with CloudWatch logs to meet the requirements of NIST 800-53 Revision 5.

Troubleshooting Steps

If integration between CloudTrail and CloudWatch logs is not functioning properly, follow these troubleshooting steps:

  1. Verify IAM Roles: Ensure that the IAM roles used by both CloudTrail and CloudWatch have the necessary permissions.
  2. Check Trail Configuration: Review the CloudTrail trail configuration to ensure it is set up correctly and that it is configured to output logs to CloudWatch.
  3. Verify CloudWatch Logs Setup: Validate that the CloudWatch Logs group exists and is properly configured to receive logs from CloudTrail.
  4. Check Logging Status: Confirm that CloudTrail logging and CloudWatch logs integration are enabled and active.
  5. Verify Trust Relationship: Ensure that the IAM role the trail uses for CloudWatch Logs delivery has a trust policy that allows CloudTrail to assume it.
  6. Check CloudTrail and CloudWatch Regions: Confirm that the CloudTrail trail and CloudWatch Logs group are both in the same region.

Necessary Codes

The following code snippets can be used to set up the integration between CloudTrail and CloudWatch logs:

CloudWatch Logs (create the log group first, because the trail must reference a log group that already exists):

  aws logs create-log-group --log-group-name MyLogGroup

CloudTrail (the API rejects a log group ARN that is not accompanied by the ARN of the IAM role CloudTrail assumes to write to the group, so both are passed; the role ARN below is a placeholder, not a value from this page):

  aws cloudtrail create-trail --name MyTrail --s3-bucket-name my-bucket \
    --cloud-watch-logs-log-group-arn "arn:aws:logs:us-west-2:123456789012:log-group:MyLogGroup" \
    --cloud-watch-logs-role-arn "arn:aws:iam::123456789012:role/<your-cloudtrail-cloudwatch-logs-role>" \
    --is-multi-region-trail

Note: Replace MyTrail, my-bucket, arn:aws:logs:us-west-2:123456789012:log-group:MyLogGroup, MyLogGroup, and the placeholder role ARN with your specific values.

Step-by-Step Guide for Remediation

Follow these steps to set up the integration between CloudTrail and CloudWatch logs:

  1. Open the AWS Management Console and navigate to the CloudTrail service.
  2. Click on "Trails" in the left-hand sidebar and select the desired trail.
  3. Click on "Actions" and select "Edit trail".
  4. Under the "CloudWatch Logs" section, select the appropriate CloudWatch Logs group to send the logs to.
  5. Enable the "Include global services" option if required for your use case.
  6. Click on "Save" to apply the changes.
  7. Open the AWS Management Console and navigate to the CloudWatch service.
  8. In the left-hand sidebar, click on "Logs" and then "Log groups".
  9. Click on "Create log group".
  10. Provide a name for the log group (e.g., MyLogGroup) and click on "Create".
  11. Use the necessary code snippet provided earlier to create the log group via the AWS CLI if preferred.
  12. Verify that the CloudTrail trail and the CloudWatch Logs group are in the same region.
  13. Confirm that CloudTrail logging and CloudWatch logs integration are enabled and active.
  14. Wait for a few minutes for logs to start appearing in the CloudWatch Logs group.
  15. To test the integration, perform AWS actions that should trigger CloudTrail logs and verify their presence in the CloudWatch Logs group.

Remember to follow the specific guidelines and requirements of NIST 800-53 Revision 5 when configuring and setting up the integration between CloudTrail and CloudWatch logs.
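As an added example (not Cloud Defense's own check logic), the Python below encodes the troubleshooting checks above against the dicts that the CloudTrail DescribeTrails and GetTrailStatus API calls return: log group and delivery role present, log group region equal to the trail's home region, logging switched on, and no recorded CloudWatch Logs delivery error. The evaluator runs offline on a constructed sample trail; fetch_trail_findings() is the only part that needs boto3 and AWS credentials, and the sample values and the function names are assumptions of this example.

```python
# Added example: check a trail's CloudWatch Logs integration from the CloudTrail API responses.

def arn_region(arn):
    """Return the region field of an ARN (arn:partition:service:region:account:...)."""
    parts = arn.split(":")
    return parts[3] if len(parts) > 3 else ""

def evaluate_trail(trail, status):
    """Return findings for one trail (trail = a DescribeTrails trailList entry,
    status = the GetTrailStatus response); an empty list means compliant."""
    findings = []
    log_group = trail.get("CloudWatchLogsLogGroupArn", "")
    role = trail.get("CloudWatchLogsRoleArn", "")
    if not log_group:
        findings.append("no CloudWatch Logs log group configured")
    if not role:
        findings.append("no CloudWatch Logs delivery role configured")
    # Trail and log group must be in the same region (troubleshooting step 6).
    if log_group and arn_region(log_group) != trail.get("HomeRegion", ""):
        findings.append("log group region differs from trail home region")
    if not status.get("IsLogging", False):
        findings.append("trail logging is disabled")
    # CloudTrail keeps the most recent delivery failure; non-empty means delivery is broken.
    err = status.get("LatestCloudWatchLogsDeliveryError", "")
    if err:
        findings.append(f"CloudWatch Logs delivery error: {err}")
    return findings

def fetch_trail_findings(region_name="us-west-2"):
    """Live check of every trail visible from region_name (needs boto3 and credentials)."""
    import boto3  # imported here so the pure evaluator above runs without boto3
    ct = boto3.client("cloudtrail", region_name=region_name)
    report = {}
    for trail in ct.describe_trails()["trailList"]:
        status = ct.get_trail_status(Name=trail["TrailARN"])
        report[trail["Name"]] = evaluate_trail(trail, status)
    return report

# Constructed sample: the trail from the page's CLI snippet, but with no
# delivery role configured and with logging switched off.
SAMPLE_TRAIL = {
    "Name": "MyTrail", "HomeRegion": "us-west-2",
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-west-2:123456789012:log-group:MyLogGroup",
    "CloudWatchLogsRoleArn": "",
}
SAMPLE_STATUS = {"IsLogging": False, "LatestCloudWatchLogsDeliveryError": ""}
```

Running evaluate_trail(SAMPLE_TRAIL, SAMPLE_STATUS) reports the missing delivery role and the disabled logging; a trail that passes all five checks returns an empty list.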
