
Rule: At Least One Enabled Trail Should Be Present in a Region

This rule specifies that at least one enabled trail must be present in a region for compliance.

Rule: At least one enabled trail should be present in a region
Framework: NIST 800-53 Revision 5
Severity: Low

AWS CloudTrail Compliance with NIST 800-53 Revision 5

To satisfy the requirement of NIST 800-53 Revision 5, organizations must ensure that they have at least one enabled AWS CloudTrail in every region. This is essential for recording and monitoring actions taken through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services.

Importance of AWS CloudTrail for NIST Compliance

AWS CloudTrail plays a crucial role in helping organizations achieve compliance with NIST 800-53 Revision 5 by providing a way to log and continuously monitor account activity. By doing so, organizations can:

  • Detect unusual activity
  • Support forensic investigations
  • Respond to audits in a compliant manner

Rule Details

  • Rule ID: AWS_CLOUDTRAIL_ENABLED_REGION
  • Title: Ensure AWS CloudTrail is enabled in all regions.
  • Severity: High
  • Category: Logging and Monitoring

Troubleshooting Steps

If a compliance scan indicates that CloudTrail is not enabled in one or more regions, perform the following steps to remedy the issue:

Verify Current CloudTrail Configuration

  1. Log in to the AWS Management Console.
  2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
  3. In the console, select Trails from the navigation pane to list the trails.
  4. Ensure that for every region, at least one trail is listed as Enabled.

Set Up a New CloudTrail

If you find that one or more regions do not have an enabled trail, follow these steps:

  1. In the CloudTrail dashboard, click Create trail.
  2. Enter a name for your trail.
  3. Set Apply trail to all regions to Yes to ensure compliance across all regions.
  4. Configure the remaining settings according to your organization's policy, including the S3 bucket used for log storage.
  5. Click Create to enable the new trail.

Using AWS CLI

If you prefer to use the AWS Command Line Interface (CLI), follow these steps:

Verify CloudTrail Status in All Regions

for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  echo "Region: $region"
  # describe-trails lists the trails visible in the region (multi-region trails included);
  # get-trail-status reports whether each one is actually logging.
  for trail in $(aws cloudtrail describe-trails --region "$region" --query 'trailList[].TrailARN' --output text); do
    echo "  $trail IsLogging=$(aws cloudtrail get-trail-status --region "$region" --name "$trail" --query 'IsLogging' --output text)"
  done
done

Create a New CloudTrail in a Specific Region

aws cloudtrail create-trail --name my-trail --s3-bucket-name my-bucket --is-multi-region-trail --region us-west-1
# create-trail only defines the trail; logging is off until it is started:
aws cloudtrail start-logging --name my-trail --region us-west-1

Replace my-trail with the desired trail name and my-bucket with the name of your S3 bucket. Use --is-multi-region-trail to apply the trail to all regions.
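The two CLI calls above give the raw material for the rule check, but a trail that merely exists in describe-trails output does not satisfy it; only a trail whose status reports IsLogging does. The following is an added example, not code from the original page or from Cloud Defense: the compliance logic is pure Python over the JSON those commands return, so it runs offline on the constructed sample below (account ID 123456789012 is the AWS documentation placeholder, trail names and regions are made up), and collect_live() shows how to feed it from the real aws CLI. The sample deliberately includes a multi-region trail that shows up as a shadow trail in every region but has been stopped, the case a presence-only check gets wrong.

```python
"""Check that every region has at least one trail that is actually logging."""
import json
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of `aws cloudtrail describe-trails --region <region>`
# output, keyed by region and reduced to the fields the check needs.
# "mgmt-trail" is multi-region, so it appears as a shadow trail in every
# region, but (see SAMPLE_STATUS) its logging has been stopped.
ACCOUNT = "123456789012"  # AWS documentation placeholder account ID
MGMT_ARN = f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/mgmt-trail"
EAST_ARN = f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/east-trail"
EU_ARN = f"arn:aws:cloudtrail:eu-west-1:{ACCOUNT}:trail/eu-only"


def _trail(name: str, arn: str, home: str, multi: bool) -> dict:
    return {"Name": name, "TrailARN": arn, "HomeRegion": home, "IsMultiRegionTrail": multi}


SAMPLE_TRAILS: Dict[str, List[dict]] = {
    "us-east-1": [_trail("mgmt-trail", MGMT_ARN, "us-east-1", True),
                  _trail("east-trail", EAST_ARN, "us-east-1", False)],
    "us-west-2": [_trail("mgmt-trail", MGMT_ARN, "us-east-1", True)],
    "eu-west-1": [_trail("mgmt-trail", MGMT_ARN, "us-east-1", True),
                  _trail("eu-only", EU_ARN, "eu-west-1", False)],
    "ap-south-1": [_trail("mgmt-trail", MGMT_ARN, "us-east-1", True)],
}

# Constructed sample of `aws cloudtrail get-trail-status --name <arn>`, keyed by ARN.
SAMPLE_STATUS: Dict[str, dict] = {
    MGMT_ARN: {"IsLogging": False, "LatestDeliveryTime": "2024-01-01T00:00:00Z"},
    EAST_ARN: {"IsLogging": True},
    EU_ARN: {"IsLogging": True},
}


def enabled_trails_by_region(trails_by_region: Dict[str, List[dict]],
                             status_by_arn: Dict[str, dict]) -> Dict[str, List[str]]:
    """Return, per region, the names of trails whose status reports IsLogging.

    Shadow trails carry the ARN of their home-region trail, so a multi-region
    trail counts in every region exactly when its single status says it logs.
    A trail with no status entry is treated as not logging.
    """
    enabled: Dict[str, List[str]] = {}
    for region, trails in trails_by_region.items():
        enabled[region] = [
            t["Name"] for t in trails
            if status_by_arn.get(t["TrailARN"], {}).get("IsLogging") is True
        ]
    return enabled


def noncompliant_regions(trails_by_region: Dict[str, List[dict]],
                         status_by_arn: Dict[str, dict]) -> List[str]:
    """Regions that fail the rule: no trail is logging there."""
    per_region = enabled_trails_by_region(trails_by_region, status_by_arn)
    return sorted(r for r, names in per_region.items() if not names)


def _cli(*args: str):
    """Run an aws CLI command and parse its JSON output."""
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))


def collect_live() -> Tuple[Dict[str, List[dict]], Dict[str, dict]]:
    """Build the two inputs from the real CLI (needs credentials and network)."""
    regions = _cli("ec2", "describe-regions", "--query", "Regions[].RegionName")
    trails: Dict[str, List[dict]] = {}
    status: Dict[str, dict] = {}
    for region in regions:
        trails[region] = _cli("cloudtrail", "describe-trails", "--region", region)["trailList"]
        for t in trails[region]:
            arn = t["TrailARN"]
            if arn not in status:  # one status lookup per trail, not per region
                status[arn] = _cli("cloudtrail", "get-trail-status",
                                   "--region", t["HomeRegion"], "--name", arn)
    return trails, status


if __name__ == "__main__":
    bad = noncompliant_regions(SAMPLE_TRAILS, SAMPLE_STATUS)
    print("Regions without an enabled trail:", ", ".join(bad) or "none")
```

On the sample, us-east-1 and eu-west-1 pass because of their single-region trails, while us-west-2 and ap-south-1 fail even though the stopped multi-region trail is listed there. To run it against an account, replace the sample with `trails, status = collect_live()`.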

Remediation and Prevention

To ensure ongoing compliance, consider implementing the following best practices:

  • Enable CloudTrail in all regions, even those you don't operate in, so that unexpected activity in unused regions is still recorded.
  • Use AWS CloudTrail Multi-Region trails to simplify compliance across all regions.
  • Set up alerts using Amazon CloudWatch to be notified of any changes to CloudTrail configurations.
  • Regularly audit your CloudTrail logs and configurations.
  • Use AWS Config to continuously monitor and record your AWS resource configurations and changes.

By ensuring that AWS CloudTrail is enabled and configured correctly across all regions, you maintain a strong security posture and compliance with NIST 800-53 Revision 5 guidelines.
