Rule: CloudTrail trails should be integrated with CloudWatch logs
This rule ensures CloudTrail trails are integrated with CloudWatch logs for enhanced monitoring.
| Rule | CloudTrail trails should be integrated with CloudWatch logs |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Critical |
CloudTrail Integration with CloudWatch Logs for NIST 800-53 Rev 5 Compliance
Integrating AWS CloudTrail trails with Amazon CloudWatch Logs is an essential step to meet the monitoring requirements of NIST 800-53 Revision 5. Such integration ensures that activity within your AWS environment is captured, monitored, and analyzed in accordance with the compliance controls.
Detailed Rule Description
AWS CloudTrail is a service that provides a record of actions taken by a user, role, or AWS service. CloudTrail logs can capture API calls made from the AWS Management Console, AWS SDKs, command-line tools, and other AWS services.
Amazon CloudWatch Logs provide scalable log management and analysis. By forwarding CloudTrail logs to CloudWatch, you can monitor and retain account activity related to actions across your AWS infrastructure. This process aids in security analysis and troubleshooting.
NIST 800-53 controls related to system and information integrity and audit review, analysis, and reporting can be addressed by implementing this integration. This ensures that the necessary audit logs are captured, reviewed, and analyzed in an efficient and timely manner.
Troubleshooting Steps
Should you encounter issues integrating CloudTrail with CloudWatch Logs, follow these troubleshooting steps:
- 1.
Verify IAM Permissions: Ensure that the IAM role or user has the necessary permissions to create and configure CloudTrail and CloudWatch Logs.
- 2.
Check CloudTrail Configuration: Confirm that CloudTrail is configured correctly and that it's logging events you're interested in. Also, ensure that the trails are enabled.
- 3.
Examine CloudWatch Log Group: Confirm that the CloudWatch Log Group exists and that CloudTrail has the necessary permissions to write to it.
- 4.
Review Delivery Errors: In the CloudTrail console, check for any log delivery errors and rectify according to the error message guidance.
- 5.
Verify Log Streams: Ensure that CloudTrail has created a Log Stream within your Log Group and is pushing logs to that stream.
Necessary Configuration Codes
To integrate CloudTrail with CloudWatch Logs using AWS CLI, use the commands below:
1. Create a CloudWatch Log Group (if not already present):
aws logs create-log-group --log-group-name MyLogGroup
2. Attach IAM Policy for CloudTrail to Access CloudWatch Logs:
Create an IAM policy named
CloudTrail_CloudWatchLogs_Policy3. Update CloudTrail to Send Logs to CloudWatch:
aws cloudtrail update-trail --name MyTrail --cloud-watch-logs-log-group-arn arn:aws:logs:region:account-id:log-group:MyLogGroup --cloud-watch-logs-role-arn arn:aws:iam::account-id:role/CloudTrail_CloudWatchLogs_Role
Replace
regionaccount-idMyLogGroupMyTrailCloudTrail_CloudWatchLogs_RoleStep by Step Guide for Remediation
Step 1: Set up CloudWatch Log Group
aws logs create-log-group --log-group-name MyLogGroup
Step 2: Create IAM Policy and Role
Create a policy document
CloudTrail_CloudWatchLogs_Policy.jsonThen execute to create the policy and role:
aws iam create-policy --policy-name CloudTrail_CloudWatchLogs_Policy --policy-document file://CloudTrail_CloudWatchLogs_Policy.json aws iam create-role --role-name CloudTrail_CloudWatchLogs_Role --assume-role-policy-document file://TrustPolicyForCloudTrail.json
Attach the policy to the role:
aws iam attach-role-policy --policy-arn arn:aws:iam::account-id:policy/CloudTrail_CloudWatchLogs_Policy --role-name CloudTrail_CloudWatchLogs_Role
Step 3: Configure CloudTrail Integration
aws cloudtrail update-trail --name MyTrail --cloud-watch-logs-log-group-arn arn:aws:logs:region:account-id:log-group:MyLogGroup --cloud-watch-logs-role-arn arn:aws:iam::account-id:role/CloudTrail_CloudWatchLogs_Role
By following the above steps correctly, you will have successfully integrated CloudTrail with CloudWatch Logs, thereby aligning with the NIST 800-53 Rev 5 compliance controls related to logging and monitoring. It's important to regularly verify the setup to ensure continuous compliance and to adjust as AWS services evolve.