
Ensure Presence of Multi-Region AWS CloudTrail Rule

This rule ensures the existence of at least one multi-region AWS CloudTrail in the account.

Rule: At least one multi-region AWS CloudTrail should be present in an account
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description:

To comply with the NIST 800-53 Revision 5 security control, every AWS account must have at least one multi-region AWS CloudTrail enabled. CloudTrail is an AWS service that provides a detailed trail of all activities occurring in an AWS account, including API calls, console sign-in events, and management events. Enabling CloudTrail with multi-region support helps to ensure comprehensive visibility across all regions in an AWS account, aiding in security monitoring, auditing, and compliance.

Troubleshooting Steps:

If there is no multi-region AWS CloudTrail currently present in the account, follow these troubleshooting steps:

  1. Verify CloudTrail service: Confirm that the AWS CloudTrail service is available in the AWS account. If not, ensure that you are using an AWS account with the necessary permissions to enable and manage CloudTrail.

  2. Enable multi-region support: Ensure that the CloudTrail configuration includes multi-region support. This ensures that logs are collected from all AWS regions where resources are provisioned or managed.

  3. Check CloudTrail trails: Verify if there are any existing CloudTrail trails in the AWS account. If trails are already configured, ensure they cover all necessary regions.

  4. Create a new trail: If no trails are present or if the existing trails do not cover all regions, create a new trail with multi-region support. You can use the AWS Command Line Interface (CLI) or the AWS Management Console to create a trail.
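The "check CloudTrail trails" step above can be automated against the output of `aws cloudtrail describe-trails --include-shadow-trails` and `aws cloudtrail get-trail-status`. The following is an added example written for this page, not Cloud Defense's own rule engine. The field names it reads (`trailList`, `TrailARN`, `IsMultiRegionTrail`, `IsLogging`, `LogFileValidationEnabled`) are real CloudTrail API fields; the account ID, trail names and bucket name in the sample data are constructed. It goes one step beyond the rule text by also rejecting a multi-region trail whose logging has been stopped, since such a trail exists but provides no visibility.

```python
"""Offline evaluation of the "at least one multi-region CloudTrail" rule.

Added example (not Cloud Defense's checker). Input shapes follow the
CloudTrail DescribeTrails and GetTrailStatus API responses; the sample
data below is constructed for this example.
"""
import json
from typing import Any

# Constructed sample: what `aws cloudtrail describe-trails --include-shadow-trails`
# might return in an account with one single-region and one multi-region trail.
# With --include-shadow-trails, a multi-region trail is also reported in every
# other region under the same TrailARN, so results are de-duplicated by ARN.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {
            "Name": "legacy-us-east-1-only",                       # constructed
            "S3BucketName": "example-logs-bucket",                 # constructed
            "HomeRegion": "us-east-1",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/legacy-us-east-1-only",
            "IsMultiRegionTrail": False,
            "LogFileValidationEnabled": False,
            "IsOrganizationTrail": False,
        },
        {
            "Name": "all-regions",                                 # constructed
            "S3BucketName": "example-logs-bucket",
            "HomeRegion": "us-east-1",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/all-regions",
            "IsMultiRegionTrail": True,
            "LogFileValidationEnabled": True,
            "IsOrganizationTrail": False,
        },
        # Shadow copy of the multi-region trail as seen from another region.
        {
            "Name": "all-regions",
            "S3BucketName": "example-logs-bucket",
            "HomeRegion": "us-east-1",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/all-regions",
            "IsMultiRegionTrail": True,
            "LogFileValidationEnabled": True,
            "IsOrganizationTrail": False,
        },
    ]
})

# Constructed sample: `aws cloudtrail get-trail-status --name <TrailARN>` per trail.
SAMPLE_TRAIL_STATUS = {
    "arn:aws:cloudtrail:us-east-1:111111111111:trail/legacy-us-east-1-only": {"IsLogging": True},
    "arn:aws:cloudtrail:us-east-1:111111111111:trail/all-regions": {"IsLogging": True},
}


def evaluate_multi_region_rule(describe_trails_json: str,
                               trail_status: dict[str, dict[str, Any]]) -> dict[str, Any]:
    """Return a finding: whether the account is compliant, which trails
    satisfy the rule, and why each other trail was rejected."""
    trails = json.loads(describe_trails_json).get("trailList", [])
    satisfying: list[str] = []
    rejected: dict[str, str] = {}
    for trail in trails:
        arn = trail.get("TrailARN") or trail.get("Name", "<unnamed>")
        if not trail.get("IsMultiRegionTrail", False):
            rejected[arn] = "single-region trail"
            continue
        # Stricter than the rule text: a multi-region trail that is not
        # logging does not give the visibility the control is after.
        if not trail_status.get(arn, {}).get("IsLogging", False):
            rejected[arn] = "multi-region trail exists but logging is stopped"
            continue
        if arn not in satisfying:          # de-duplicate shadow-trail entries
            satisfying.append(arn)
    return {
        "compliant": bool(satisfying),
        "satisfying_trails": satisfying,
        "rejected_trails": rejected,
        "severity": None if satisfying else "Medium",
    }


if __name__ == "__main__":
    print(json.dumps(evaluate_multi_region_rule(SAMPLE_DESCRIBE_TRAILS,
                                                SAMPLE_TRAIL_STATUS), indent=2))
```

In a real run, replace the two constructed samples with the CLI outputs (one `get-trail-status` call per distinct ARN). Note that a trail created through the CLI or API does not begin logging until `aws cloudtrail start-logging` is run against it, which is exactly the case the `IsLogging` check catches.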

Necessary Codes:

If a new CloudTrail trail needs to be created using the AWS Command Line Interface (CLI), here is an example command:

aws cloudtrail create-trail --name trail-name --s3-bucket-name bucket-name --is-multi-region-trail

Replace "trail-name" with the desired name for the CloudTrail trail, and "bucket-name" with the name of the S3 bucket where you want to store the CloudTrail logs.

Step-by-Step Guide for Remediation:

Follow these steps to remediate the non-compliance issue:

  1. Log in to the AWS Management Console using appropriate credentials.

  2. Navigate to the AWS CloudTrail service.

  3. Check if there are any existing trails with multi-region support. If present, ensure they cover the necessary regions. Proceed to step 7.

  4. If no trails are present, click on the "Create trail" button.

  5. Provide a suitable name for the trail in the "Trail name" field.

  6. Select the desired S3 bucket where CloudTrail logs will be stored from the "S3 bucket" dropdown menu. If a suitable bucket does not exist, create one beforehand.

  7. Enable multi-region support by checking the "Enable this trail for all regions" option.

  8. Configure additional trail settings as per your requirements, such as data events, log file validation, and delivery frequency.

  9. Click on the "Create" button to create the trail.

  10. Verify that the CloudTrail trail is successfully created and enabled for all necessary regions.

  11. Repeat the above steps for any additional AWS accounts to ensure compliance across the organization.

By following these steps, you will have successfully configured at least one multi-region AWS CloudTrail, thereby meeting the NIST 800-53 Revision 5 security control requirement.
