This rule states that at least one multi-region AWS CloudTrail must be present in an account.
Rule | At least one multi-region AWS CloudTrail should be present in an account |
Framework | NIST 800-53 Revision 5 |
Severity | ✔ Medium |
Rule Description
This rule ensures that at least one multi-region AWS CloudTrail trail is present in the account, in line with the NIST 800-53 Revision 5 control requirements for audit logging and monitoring. A single-region trail records only API activity in its home region; a multi-region trail delivers management events from every region, including regions enabled after the trail was created, so activity an attacker starts in an otherwise unused region is still recorded.
Troubleshooting Steps
If there is no multi-region AWS CloudTrail trail in the account, work through the following steps:
Verify that a trail exists and is logging: CloudTrail's 90-day event history is always available, but it is not a trail and does not satisfy this rule. List the trails in the account and confirm that at least one is actively logging (start it if it was created but never started).
Check the trail's region scope: A trail created in one region records only that region. Confirm that the trail is a multi-region trail; a multi-region trail automatically covers all regions, including ones enabled later, so there is no per-region list to maintain.
Verify the trail configuration: Review the trail's S3 bucket, log file validation setting and event selectors. Management events with read/write type "All" should be captured; data and Insights events are optional for this rule.
Check log file delivery: Confirm that log files are arriving in the designated S3 bucket under AWSLogs/<account-id>/CloudTrail/<region>/ for several regions, not only the home region, and check the trail status for a recent delivery error.
Review delivery permissions: CloudTrail writes to S3 through the bucket policy, not an IAM role. The policy must allow the cloudtrail.amazonaws.com service principal to call s3:GetBucketAcl on the bucket and s3:PutObject under the account's AWSLogs prefix. If the trail uses a KMS key, the key policy must also allow CloudTrail to use it, and if the trail also sends to CloudWatch Logs, its IAM role needs logs:CreateLogStream and logs:PutLogEvents.
Validate multi-region logging compliance: Once the changes are made, list the trails again and confirm that at least one has IsMultiRegionTrail set to true and is logging.
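The following is an added example, not code from AWS or from the author of this rule. It implements the check the troubleshooting steps describe: a trail counts only if it is multi-region, is currently logging, and has no outstanding delivery error. The logic works on the JSON shapes returned by aws cloudtrail describe-trails and aws cloudtrail get-trail-status, so it runs offline on captured output; the function names, the constructed sample trails and the account ID 111122223333 are assumptions for the example, and fetch_live_trails() is an optional boto3 wrapper that produces the same shapes from a real account.

```python
"""Check an account for a multi-region CloudTrail trail that is actually delivering logs.

Added example for this page (not AWS's or the rule author's code). Works on the
JSON shapes returned by `aws cloudtrail describe-trails` and
`aws cloudtrail get-trail-status`, so the logic runs offline on captured output;
fetch_live_trails() is an optional boto3 wrapper producing the same shapes.
"""
import json


def is_compliant_trail(trail: dict, status: dict) -> tuple[bool, list[str]]:
    """Return (ok, reasons) for one trail.

    The rule is satisfied only by a trail that spans all regions AND is
    currently logging. A multi-region trail that was created but never
    started, was stopped, or cannot write to its bucket gives no coverage.
    """
    reasons = []
    if not trail.get("IsMultiRegionTrail", False):
        reasons.append("not multi-region (IsMultiRegionTrail is false)")
    if not status.get("IsLogging", False):
        reasons.append("logging is stopped (IsLogging is false)")
    # LatestDeliveryError is set when CloudTrail produced log files but could not
    # put them in S3 (typically a missing bucket policy or KMS key permission).
    if status.get("LatestDeliveryError"):
        reasons.append("S3 delivery failing: " + status["LatestDeliveryError"])
    return (not reasons, reasons)


def evaluate_account(trails: list[dict], statuses: dict[str, dict]) -> dict:
    """Evaluate every trail; `statuses` maps trail ARN to its get-trail-status output."""
    compliant, findings = [], {}
    for trail in trails:
        ok, reasons = is_compliant_trail(trail, statuses.get(trail["TrailARN"], {}))
        if ok:
            compliant.append(trail["Name"])
        else:
            findings[trail["Name"]] = reasons
    return {"compliant": bool(compliant), "compliant_trails": compliant, "findings": findings}


def fetch_live_trails(region: str = "us-east-1") -> tuple[list[dict], dict[str, dict]]:
    """Optional: pull the same two shapes from a live account (needs boto3 and credentials).

    describe_trails() in any region also lists the shadow copies of multi-region
    trails homed elsewhere, so one call is enough to see them.
    """
    import boto3  # imported here so the offline part of this file runs without it

    ct = boto3.client("cloudtrail", region_name=region)
    trails = ct.describe_trails()["trailList"]
    statuses = {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    return trails, statuses


# Constructed sample data shaped like the CLI/boto3 responses (not a real account):
# one single-region trail that is logging, and one multi-region trail that was
# created but never started. Account ID 111122223333 is a placeholder.
SAMPLE_TRAILS = [
    {"Name": "regional-only",
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/regional-only",
     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False, "S3BucketName": "example-logs"},
    {"Name": "org-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": True, "S3BucketName": "example-logs"},
]
SAMPLE_STATUSES = {
    "arn:aws:cloudtrail:eu-west-1:111122223333:trail/regional-only": {"IsLogging": True},
    "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail": {"IsLogging": False},
}

if __name__ == "__main__":
    # On the sample data the account is non-compliant: the only multi-region trail is stopped.
    print(json.dumps(evaluate_account(SAMPLE_TRAILS, SAMPLE_STATUSES), indent=2))
```

Against the sample data the account fails even though a multi-region trail exists, which is the case a check that only greps describe-trails for IsMultiRegionTrail would miss. Replacing the sample data with the output of fetch_live_trails() gives the same evaluation for a real account.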
Code Examples
The AWS CLI commands below cover the checks and changes described in the troubleshooting steps; replace the placeholders with your own values.
Creating a multi-region trail and starting it (the S3 bucket must already exist and carry a bucket policy that allows CloudTrail to write to it; create-trail alone does not start delivery):
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail
aws cloudtrail start-logging --name <trail-name>
Checking whether a trail is logging and whether its most recent delivery succeeded:
aws cloudtrail get-trail-status --name <trail-name>
Checking CloudTrail logs in the S3 bucket (if the trail was created with --s3-key-prefix, that prefix comes before AWSLogs):
aws s3 ls s3://<bucket-name>/AWSLogs/<account-id>/CloudTrail/
Reviewing the trail configuration, including the IsMultiRegionTrail flag (there is no describe-trail command; run describe-trails without --trail-name-list to list every trail visible from the current region, including multi-region trails homed elsewhere):
aws cloudtrail describe-trails --trail-name-list <trail-name>
Remediation Steps
To remediate the finding and meet the NIST 800-53 Revision 5 requirement for a multi-region AWS CloudTrail trail, follow these steps:
Prepare the log bucket: Create or choose an S3 bucket (in this account or a dedicated log-archive account) and attach a bucket policy that allows the cloudtrail.amazonaws.com service principal to call s3:GetBucketAcl on the bucket and s3:PutObject under AWSLogs/<account-id>/. Without this policy trail creation fails; with a wrong one the trail exists but never delivers.
Create a multi-region trail: Using the AWS Management Console or the AWS CLI command shown above, create the trail with the multi-region option enabled. A multi-region trail covers all regions, including regions enabled later, so there is no per-region list to maintain. Enable log file validation so that tampering with delivered logs can be detected.
Start logging: Start the trail; a trail that was created but never started delivers nothing. Confirm that management events with read/write type "All" are selected.
Verify log file delivery: Confirm that log files appear in the bucket under AWSLogs/<account-id>/CloudTrail/<region>/ for regions other than the home region, and that the trail status shows no delivery error.
Review delivery permissions: If the trail uses a KMS key, confirm that the key policy allows CloudTrail to use it; if the trail also sends to CloudWatch Logs, confirm that its IAM role has logs:CreateLogStream and logs:PutLogEvents.
Validate multi-region logging compliance: List the trails and confirm that at least one has IsMultiRegionTrail set to true and is logging.
Following these steps remediates the finding and keeps the account in compliance with the NIST 800-53 Revision 5 requirement. Because the control is only as strong as the trail's continued existence, consider also protecting it with a service control policy that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail outside a break-glass role.
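The following is an added example, not AWS's or the rule author's code, that carries out the remediation steps above in order: build the S3 bucket policy CloudTrail needs, apply it, create the multi-region trail, select all management events, and start logging. The bucket policy follows the shape AWS documents for CloudTrail delivery (an ACL-check statement and a write statement scoped to the account's AWSLogs prefix, both pinned to the trail ARN with aws:SourceArn). The bucket name, account ID 111122223333, region and trail name are placeholders; remediate() needs boto3 and credentials, while the policy builder is pure and runs offline.

```python
"""Remediation: create a multi-region trail that is able to deliver from day one.

Added example for this page (not AWS's or the rule author's code). Bucket name,
account ID, region and trail name are placeholders. The bucket policy follows the
shape AWS documents for CloudTrail delivery; without it create-trail fails with
InsufficientS3BucketPolicyException, and a wrong policy yields a trail that
exists but silently fails delivery. remediate() needs boto3 and credentials; the
policy builder runs offline.
"""
import json


def trail_arn(region: str, account_id: str, trail_name: str) -> str:
    # The ARN is deterministic, so it can be pinned in the bucket policy before the
    # trail exists; the aws:SourceArn condition stops trails from other accounts
    # (or a confused-deputy call through CloudTrail) from writing into this bucket.
    return f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"


def cloudtrail_bucket_policy(bucket: str, account_id: str, source_trail_arn: str) -> dict:
    """Minimum policy CloudTrail needs: read the bucket ACL, then write under AWSLogs/<account>/.

    If the trail is created with an S3 key prefix, that prefix must be inserted
    before AWSLogs/ in the PutObject resource.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": source_trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {
                        # Delivered objects must be owned by the bucket owner, not the service.
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceArn": source_trail_arn,
                    }
                },
            },
        ],
    }


def remediate(bucket: str, account_id: str, region: str, trail_name: str) -> str:
    """Apply the bucket policy, create the multi-region trail, capture all
    management events, and start logging. Returns the new trail's ARN."""
    import boto3  # lazy import keeps the offline part of this file dependency-free

    arn = trail_arn(region, account_id, trail_name)
    s3 = boto3.client("s3", region_name=region)
    s3.put_bucket_policy(
        Bucket=bucket,
        Policy=json.dumps(cloudtrail_bucket_policy(bucket, account_id, arn)),
    )
    ct = boto3.client("cloudtrail", region_name=region)
    ct.create_trail(
        Name=trail_name,
        S3BucketName=bucket,
        IsMultiRegionTrail=True,           # the property this rule checks
        IncludeGlobalServiceEvents=True,   # IAM, STS and other global-service events
        EnableLogFileValidation=True,      # digest files let you prove logs were not altered
    )
    ct.put_event_selectors(
        TrailName=trail_name,
        EventSelectors=[{"ReadWriteType": "All", "IncludeManagementEvents": True}],
    )
    ct.start_logging(Name=trail_name)      # create_trail alone delivers nothing
    return arn


if __name__ == "__main__":
    # Placeholder values; print the policy instead of touching a live account.
    arn = trail_arn("us-east-1", "111122223333", "org-trail")
    print(json.dumps(cloudtrail_bucket_policy("example-cloudtrail-logs", "111122223333", arn), indent=2))
```

Running the file prints the policy for review; calling remediate("example-cloudtrail-logs", "111122223333", "us-east-1", "org-trail") with credentials performs the change. The order matters: the bucket policy is applied first because create_trail validates that CloudTrail can write to the bucket, and start_logging comes last because a trail is created in the stopped state.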