Rule: CloudTrail trails should be integrated with CloudWatch logs
This rule ensures that CloudTrail trails are integrated with CloudWatch logs for enhanced monitoring and security measures.
| Rule | CloudTrail trails should be integrated with CloudWatch logs |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Critical |
Rule Description
This rule requires integrating AWS CloudTrail trails with AWS CloudWatch Logs for NIST 800-53 Revision 5 compliance. Integrating CloudTrail trails with CloudWatch Logs helps to centralize and simplify log management by providing a unified interface for analyzing and monitoring logs generated by CloudTrail.
Troubleshooting Steps
If you encounter any issues while integrating CloudTrail trails with CloudWatch Logs, you can follow these troubleshooting steps:
- 1.
Verify CloudTrail Configuration:
- Ensure that you have CloudTrail trails configured in your AWS account.
- Confirm that the trails are logging events to CloudTrail.
- 2.
Check IAM Permissions:
- Make sure that the IAM role used to configure CloudTrail has the necessary permissions to write logs to CloudWatch Logs.
- Verify that the IAM role has the
andcloudtrail:PutLogEvents
permissions.logs:CreateLogGroup
- 3.
Validate CloudWatch Logs Configuration:
- Check if the CloudWatch Logs group and log stream specified in the CloudTrail trails configuration are correct.
- Ensure that the log group and log stream exist and are active in CloudWatch Logs.
- 4.
Check CloudTrail and CloudWatch Logs Region:
- Confirm that both CloudTrail and CloudWatch Logs are configured in the same AWS region.
- Check if the CloudTrail trails and CloudWatch Logs are created in the same region.
- 5.
Review CloudTrail and CloudWatch Logs Settings:
- Verify that the CloudTrail trails are set to deliver logs to CloudWatch Logs.
- Check if the CloudTrail trails are enabled and logging information for the required events.
- Validate that the CloudWatch Logs group has the appropriate retention settings.
Necessary Configuration
To integrate CloudTrail trails with CloudWatch Logs for NIST 800-53 Revision 5 compliance, you need to perform the following steps:
- 1.
Enable CloudTrail service if not already enabled:
- Go to the AWS Management Console and navigate to the CloudTrail service.
- Click on "Trails" in the left-hand menu.
- Click on "Create trail" or select an existing trail.
- Configure the necessary settings, including the desired S3 bucket to store CloudTrail logs.
- Make sure to select "Yes" for "Create a new CloudWatch Logs log group" or select an existing log group.
- Enable the appropriate events to capture in the trail.
- Click on "Create trail" to finalize the configuration.
- 2.
Verify CloudTrail trails configuration:
- Go to the AWS Management Console and navigate to the CloudTrail service.
- Click on "Trails" in the left-hand menu.
- Review the created trails and ensure that the desired trail is logging events.
- 3.
Check CloudWatch Logs integration:
- Go to the AWS Management Console and navigate to the CloudWatch service.
- Click on "Logs" in the left-hand menu.
- Validate that the CloudWatch Logs group associated with the CloudTrail trail exists.
- Confirm that the CloudWatch Logs group is receiving log data from the trail.
Conclusion
By integrating AWS CloudTrail trails with CloudWatch Logs for NIST 800-53 Revision 5 compliance, you ensure that all relevant CloudTrail logs are centrally stored and easily accessible for security analysis and monitoring purposes. Following the troubleshooting steps and necessary configurations mentioned above will help you maintain compliance and streamline log management in your AWS environment.