Rule: At Least One Enabled Trail Should Be Present in a Region

This rule ensures the presence of at least one enabled CloudTrail trail in a specific region.

Rule: At least one enabled trail should be present in a region
Framework: NIST 800-53 Revision 5
Severity: Low

Description of the Rule

This rule ensures that at least one CloudTrail logging trail is enabled in a specific region for compliance with the NIST 800-53 Revision 5 security framework. CloudTrail is a service provided by AWS that allows the monitoring and logging of user activity and API usage on the AWS platform. By enabling CloudTrail, organizations can gain valuable insights into their AWS resources, identify potential security threats, and simplify compliance audits.

Troubleshooting Steps (if any)

If there are no enabled trails in the specified region, follow these troubleshooting steps:

  1. Verify trail status: Check the status of existing trails in the region using the AWS Management Console, AWS CLI, or AWS SDKs. Ensure they are enabled and actively logging data.

  2. Create a new trail: If there are no enabled trails, create a new trail in the required region using the AWS Management Console, AWS CLI, or AWS SDKs.

  3. Review CloudTrail settings: Make sure that the newly created trail has the necessary logging settings to capture the required events and log files.

  4. Enable multi-region trail (if applicable): If compliance requires multi-region logging, enable "Include Global Services" in the trail settings to capture relevant events across all regions.

  5. Verify logging data: Once the trail is enabled, monitor the generated log files to ensure that the expected logs are being captured correctly.

Necessary Codes (if any)

If you prefer using the AWS Command Line Interface (CLI) to create a new trail, here is the necessary code:

# --is-multi-region-trail and --include-global-service-events are boolean
# flags in the AWS CLI (they take no value); use --no-is-multi-region-trail
# or --no-include-global-service-events to turn the option off.
$ aws cloudtrail create-trail \
  --name <trail-name> \
  --s3-bucket-name <bucket-name> \
  --is-multi-region-trail \
  --include-global-service-events \
  --enable-log-file-validation

# create-trail only defines the trail; logging must be started explicitly,
# otherwise the trail exists but is not "enabled" in the sense of this rule.
$ aws cloudtrail start-logging --name <trail-name>

Ensure to replace <trail-name> with the desired name for the trail and <bucket-name> with the name of the existing S3 bucket where the log files will be stored (the bucket policy must allow CloudTrail to write to it). Choose the appropriate options for multi-region trails and inclusion of global service events based on compliance requirements.

Step-by-Step Guide for Remediation

Follow these steps to remediate the issue and ensure compliance with the NIST 800-53 Revision 5:

  1. Identify the region lacking an enabled CloudTrail trail.

  2. Access the AWS Management Console, AWS CLI, or AWS SDKs to manage CloudTrail.

  3. If an existing trail is already configured in the region but not enabled, enable the trail by selecting the trail and clicking on the "Actions" menu, then choosing "Enable".

  4. If no existing trails are present, create a new trail by clicking on the "Create trail" button.

  5. Provide a suitable name for the trail and select the desired logging options.

  6. Specify an existing S3 bucket where the CloudTrail logs will be stored. If no bucket exists, create a new one in the same region.

  7. Review additional trail settings if necessary, such as multi-region trail and inclusion of global service events.

  8. Enable log file validation to ensure the integrity of log files.

  9. Verify the created or enabled trail by checking the trail status to ensure it is actively logging.

  10. Monitor the generated logs to confirm that the required events and log files are being captured correctly.

By completing these steps, you can ensure compliance with the NIST 800-53 Revision 5 requirement of having at least one enabled CloudTrail trail in the specified region.
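The verification in step 9 can be automated. The following is an added example, not Cloud Defense's or AWS's own code: it applies the rule's logic (a trail counts for a region only if it covers that region, either as a regional trail homed there or as a multi-region trail, and its status reports IsLogging=True) to data shaped like the CloudTrail DescribeTrails and GetTrailStatus responses. The function and class names are illustrative, and the sample trails and account number are constructed.

```python
# Added example, not Cloud Defense's code: names are illustrative; the dict
# shapes follow the CloudTrail DescribeTrails and GetTrailStatus responses.


def enabled_trails_for_region(region, trails, get_status):
    """Names of trails that cover `region` AND report IsLogging=True.
    A trail that exists but was never started does not satisfy the rule;
    a multi-region trail homed in another region does."""
    enabled = []
    for trail in trails:
        covers = trail.get("IsMultiRegionTrail") or trail.get("HomeRegion") == region
        if covers and get_status(trail["TrailARN"]).get("IsLogging", False):
            enabled.append(trail["Name"])
    return enabled


def evaluate_with_client(client, region):
    """Run the check with a boto3-style CloudTrail client created for `region`.
    includeShadowTrails=True is what makes trails homed elsewhere show up."""
    trails = client.describe_trails(includeShadowTrails=True)["trailList"]
    names = enabled_trails_for_region(
        region, trails, lambda arn: client.get_trail_status(Name=arn))
    return {"region": region, "compliant": bool(names), "enabled_trails": names}


class FakeCloudTrailClient:
    """Constructed stand-in for the boto3 client so the check runs offline."""
    def __init__(self, trails, logging_by_arn):
        self._trails, self._logging = trails, logging_by_arn

    def describe_trails(self, includeShadowTrails=True):
        return {"trailList": self._trails}

    def get_trail_status(self, Name):
        return {"IsLogging": self._logging.get(Name, False)}


# Constructed sample: a regional trail that was created but never started,
# plus a multi-region trail homed in us-east-1 that is actively logging.
SAMPLE_TRAILS = [
    {"Name": "eu-only", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/eu-only"},
    {"Name": "org-global", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-global"},
]
SAMPLE_LOGGING = {SAMPLE_TRAILS[1]["TrailARN"]: True}

def sample_result(region):
    return evaluate_with_client(FakeCloudTrailClient(SAMPLE_TRAILS, SAMPLE_LOGGING), region)
```

Against a real account, pass `boto3.client("cloudtrail", region_name=region)` to `evaluate_with_client` in place of the fake client; a region is only compliant when at least one covering trail is actually logging, so a never-started regional trail alone yields `compliant: False`.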
