
Rule: At Least One Multi-Region AWS CloudTrail

This rule states that at least one multi-region AWS CloudTrail should be present in an account.

Rule: At least one multi-region AWS CloudTrail should be present in an account
Framework: NIST 800-53 Revision 5
Severity: Medium

Ensuring Compliance with NIST 800-53 Revision 5 Using AWS CloudTrail

To comply with the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5, organizations running on cloud services must implement its security controls, among them the Audit and Accountability (AU) family: generating audit records for security-relevant events, protecting them from tampering, and reviewing them. On AWS, CloudTrail is the service that records API activity, so it is the usual basis for meeting those controls.

Understanding the Requirement

NIST 800-53 Rev. 5 calls for comprehensive logging of events that could affect security and privacy. AWS CloudTrail records the API calls made in your account (who called what, from where, and when), which is the raw material for governance, compliance, operational auditing and risk auditing.

A trail that logs a single region misses activity in every other region, and an attacker who obtains credentials is free to operate in a region you do not normally use. A multi-region trail records management events from all regions, including regions enabled later, and delivers global service events (IAM, STS, CloudFront) once rather than once per region, so it is what both an investigation and this rule depend on.

Creating a Multi-Region CloudTrail

Step 1: Verify Existing Trails

First, check whether a multi-region trail already exists. describe-trails lists the trails of the current region plus shadow copies of multi-region trails created in other regions, so a multi-region trail shows up from any region. Existence is not the same as logging: a trail can be present but stopped, which the remediation section below covers.

aws cloudtrail describe-trails --query 'trailList[].{Name:Name, HomeRegion:HomeRegion, MultiRegionTrail:IsMultiRegionTrail}'

Step 2: Create a New CloudTrail

If no multi-region trail exists, create one. The S3 bucket must already exist and carry a bucket policy that lets cloudtrail.amazonaws.com call s3:GetBucketAcl on the bucket and s3:PutObject under AWSLogs/<account-id>/, otherwise create-trail fails with InsufficientS3BucketPolicyException. Run the command in the region you want as the trail's home region:

aws cloudtrail create-trail --name MyMultiRegionTrail --is-multi-region-trail --include-global-service-events --enable-log-file-validation --s3-bucket-name my-cloudtrail-logs

Replace MyMultiRegionTrail with a name for your trail, and my-cloudtrail-logs with your S3 bucket name.

Step 3: Start Logging

Creating a trail does not start it. Start logging, which for a multi-region trail covers every region:

aws cloudtrail start-logging --name MyMultiRegionTrail

Step 4: Configure CloudTrail Settings

  • Lock down the S3 bucket: a bucket policy limited to the CloudTrail service principal and your own trail ARN, public access blocked, and lifecycle rules for retention.
  • Encrypt log files with a customer-managed AWS KMS key (--kms-key-id on create-trail or update-trail); the key policy must allow cloudtrail.amazonaws.com to use the key.
  • Send the trail to Amazon CloudWatch Logs (--cloud-watch-logs-log-group-arn and --cloud-watch-logs-role-arn on update-trail) so metric filters and alarms can act on events in near real time.
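Steps 1 to 4 as one script, an added example that is not from the original page or from Cloud Defense. The trail name, bucket name, account ID 123456789012 and home region us-east-1 are placeholders to replace; the AWS calls run only when APPLY=1 is set, so the two pure helpers can be exercised without credentials. The bucket policy pins aws:SourceArn to your own trail, so a trail in someone else's account cannot be pointed at this bucket.

```shell
#!/bin/sh
# Added example: verify, then create, a multi-region CloudTrail with a locked-down bucket.
# Assumed placeholders (not from the page): trail/bucket names, account ID, home region.
set -eu

TRAIL_NAME="${TRAIL_NAME:-audit-trail}"
BUCKET="${BUCKET:-my-cloudtrail-logs-123456789012}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
HOME_REGION="${HOME_REGION:-us-east-1}"

# Pure helper: read "Name<TAB>HomeRegion<TAB>IsMultiRegionTrail" rows (the shape of
# describe-trails --output text) and print only the names of multi-region trails.
multi_region_trails() {
  awk -F'\t' 'tolower($3) == "true" { print $1 }'
}

# Pure helper: the bucket policy CloudTrail needs, and nothing broader. The
# aws:SourceArn condition stops another account's trail writing into this bucket.
bucket_policy() {
  bucket="$1"; account="$2"; trail_arn="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::$bucket",
      "Condition": {"StringEquals": {"aws:SourceArn": "$trail_arn"}}
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::$bucket/AWSLogs/$account/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceArn": "$trail_arn"
        }
      }
    }
  ]
}
EOF
}

# Everything below talks to AWS and only runs when APPLY=1 is set.
if [ "${APPLY:-0}" = "1" ]; then
  existing=$(aws cloudtrail describe-trails \
      --query 'trailList[].[Name,HomeRegion,IsMultiRegionTrail]' --output text | multi_region_trails)
  if [ -n "$existing" ]; then
    echo "multi-region trail(s) already present: $existing"
    exit 0
  fi
  trail_arn="arn:aws:cloudtrail:$HOME_REGION:$ACCOUNT_ID:trail/$TRAIL_NAME"

  # Outside us-east-1 add: --create-bucket-configuration LocationConstraint=$HOME_REGION
  aws s3api create-bucket --bucket "$BUCKET" --region "$HOME_REGION"
  aws s3api put-public-access-block --bucket "$BUCKET" \
      --public-access-block-configuration \
      BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  bucket_policy "$BUCKET" "$ACCOUNT_ID" "$trail_arn" > /tmp/cloudtrail-bucket-policy.json
  aws s3api put-bucket-policy --bucket "$BUCKET" --policy file:///tmp/cloudtrail-bucket-policy.json

  # Add --kms-key-id <key ARN> for SSE-KMS; the key policy must then allow cloudtrail.amazonaws.com.
  aws cloudtrail create-trail --name "$TRAIL_NAME" --s3-bucket-name "$BUCKET" \
      --is-multi-region-trail --include-global-service-events --enable-log-file-validation \
      --region "$HOME_REGION"
  # create-trail does not start logging; StartLogging must be issued in the home region.
  aws cloudtrail start-logging --name "$TRAIL_NAME" --region "$HOME_REGION"
  aws cloudtrail get-trail-status --name "$TRAIL_NAME" --region "$HOME_REGION" \
      --query '[IsLogging,LatestDeliveryError]' --output text
fi
```

The final get-trail-status call is the acceptance check: IsLogging must be True and LatestDeliveryError empty; a non-empty delivery error almost always means the bucket policy or KMS key policy is wrong.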

Remediation Steps if Multi-region Trail is Inactive

If you discover that your multi-region AWS CloudTrail is not active:

Step 1: Identify Disabled Trails

describe-trails reports a trail's configuration but not whether it is logging; that comes from get-trail-status, which must be called per trail. List the multi-region trails, then query each one:

for arn in $(aws cloudtrail describe-trails --query 'trailList[?IsMultiRegionTrail==`true`].TrailARN' --output text); do
  aws cloudtrail get-trail-status --name "$arn" --query IsLogging --output text | grep -q False && echo "not logging: $arn"; done

Step 2: Start Logging on Disabled Trails

For each inactive trail, start logging again. For a multi-region trail this call must be made in the trail's home region (pass --region, or run the command from that region); issued elsewhere it fails with InvalidHomeRegionException:

aws cloudtrail start-logging --name InactiveTrailName

Replace InactiveTrailName with the name of your inactive trail. Repeat for all inactive trails.
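The two remediation steps as one script, an added example that is not part of the original page or of Cloud Defense. It joins describe-trails with get-trail-status (the only call that reports logging state), restarts every stopped multi-region trail from its own home region, and confirms the result. The ARNs, regions and account ID in the test data are constructed; the AWS calls run only when APPLY=1 is set.

```shell
#!/bin/sh
# Added example: find multi-region trails that have stopped logging and restart
# each from its home region. Sample ARNs/regions used in testing are constructed.
set -eu

# Pure helper. Input rows: "TrailARN<TAB>HomeRegion<TAB>IsMultiRegionTrail<TAB>IsLogging".
# Output: "TrailARN<TAB>HomeRegion" for every multi-region trail that is not logging.
inactive_multi_region_trails() {
  awk -F'\t' 'tolower($3) == "true" && tolower($4) != "true" { print $1 "\t" $2 }'
}

# One row per trail: describe-trails gives configuration, get-trail-status gives
# logging state. Shadow trails from other regions are included by default, and
# their status is read in the home region via the ARN.
collect_trail_rows() {
  aws cloudtrail describe-trails \
      --query 'trailList[].[TrailARN,HomeRegion,IsMultiRegionTrail]' --output text |
  while IFS="$(printf '\t')" read -r arn home multi; do
    logging=$(aws cloudtrail get-trail-status --name "$arn" --region "$home" \
                --query IsLogging --output text </dev/null)
    printf '%s\t%s\t%s\t%s\n' "$arn" "$home" "$multi" "$logging"
  done
}

restart_inactive() {
  inactive_multi_region_trails | while IFS="$(printf '\t')" read -r arn home; do
    # StartLogging on a multi-region trail must be issued in its home region;
    # from any other region it fails with InvalidHomeRegionException.
    echo "restarting $arn in $home"
    aws cloudtrail start-logging --name "$arn" --region "$home" </dev/null
    # Confirm, and surface a delivery error (bad bucket policy, bad KMS key policy).
    aws cloudtrail get-trail-status --name "$arn" --region "$home" \
        --query '[IsLogging,StartLoggingTime,LatestDeliveryError]' --output text </dev/null
  done
}

if [ "${APPLY:-0}" = "1" ]; then
  collect_trail_rows | restart_inactive
fi
```

A trail that stopped on its own rather than by StopLogging usually stopped because delivery to S3 failed; read LatestDeliveryError before declaring the remediation complete.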

Monitoring CloudTrail

Use Amazon CloudWatch Logs metric filters, or Amazon Athena queries over the S3 log files, to watch CloudTrail continuously for suspicious activity, and set up alarms and notifications for events that indicate risk. Calls that touch the trail itself (StopLogging, DeleteTrail, UpdateTrail) deserve an alarm of their own, since switching off logging is one of the first things an intruder does.
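A concrete alarm for that case, as an added example that is not from the original page or from Cloud Defense. It assumes the trail already delivers to a CloudWatch Logs log group (the update-trail integration from Step 4); the log group name, SNS topic ARN and account ID are placeholders. The local grep helper applies the same event list to CloudTrail records you have already downloaded (one JSON object per line), which is handy during an investigation; the sample records used to test it are constructed.

```shell
#!/bin/sh
# Added example: alert on API calls that stop, delete or reconfigure a trail.
# Assumed placeholders (not from the page): log group, SNS topic ARN, account ID.
set -eu

LOG_GROUP="${LOG_GROUP:-CloudTrail/audit}"
SNS_TOPIC="${SNS_TOPIC:-arn:aws:sns:us-east-1:123456789012:security-alerts}"

# CloudWatch Logs filter pattern: trail-tampering management events.
tamper_filter_pattern() {
  printf '%s' '{ ($.eventName = StopLogging) || ($.eventName = DeleteTrail) || ($.eventName = UpdateTrail) || ($.eventName = PutEventSelectors) }'
}

# Offline equivalent of the same pattern for records already on disk:
# reads CloudTrail records one JSON object per line, prints the tampering ones.
tamper_events() {
  grep -E '"eventName" *: *"(StopLogging|DeleteTrail|UpdateTrail|PutEventSelectors)"'
}

if [ "${APPLY:-0}" = "1" ]; then
  # Metric filter turns matching events into a count in a custom namespace.
  aws logs put-metric-filter --log-group-name "$LOG_GROUP" \
      --filter-name CloudTrailTampering \
      --filter-pattern "$(tamper_filter_pattern)" \
      --metric-transformations \
      metricName=CloudTrailTampering,metricNamespace=Security,metricValue=1
  # Alarm fires on a single matching event in any 5-minute window; with no
  # events the metric is absent, so treat missing data as not breaching.
  aws cloudwatch put-metric-alarm --alarm-name CloudTrailTampering \
      --metric-name CloudTrailTampering --namespace Security \
      --statistic Sum --period 300 --threshold 1 \
      --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 \
      --treat-missing-data notBreaching \
      --alarm-actions "$SNS_TOPIC"
fi
```

Keep the SNS topic and the log group in an account or role that the people able to stop the trail cannot also modify; an alarm the intruder can delete alongside the trail buys nothing.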

Avoiding Common Configuration Issues

Keep the following best practices in mind to prevent configuration issues:

  • Make sure the S3 bucket policy grants cloudtrail.amazonaws.com exactly s3:GetBucketAcl on the bucket and s3:PutObject under AWSLogs/<account-id>/ (with the bucket-owner-full-control ACL condition) and nothing broader; a delivery failure shows up as LatestDeliveryError in get-trail-status.
  • Keep log file validation enabled and periodically run validate-logs against the trail to confirm the digest chain is intact, so modified or deleted log files are noticed.
  • Confirm the trail's home region and which account owns the bucket: the bucket may live in any region, but if it belongs to another account, that account's bucket policy must grant CloudTrail write access for your account.

By following these guidelines, you will help ensure that your AWS account is compliant with NIST 800-53 Revision 5 using AWS CloudTrail, enhancing your overall security posture in the cloud.
