
CloudTrail Trails Integrated with CloudWatch Logs Rule

This rule ensures CloudTrail trails are integrated with CloudWatch Logs.

Rule: CloudTrail trails should be integrated with CloudWatch Logs
Framework: NIST 800-53 Revision 5
Severity: Critical

Rule Description

NIST 800-53 Revision 5 does not mention CloudTrail by name; its audit and monitoring controls (for example AU-6, Audit Record Review, Analysis, and Reporting; AU-12, Audit Record Generation; and SI-4, System Monitoring) require that audit records are generated, collected centrally and reviewed in a timely way. In AWS this rule implements that requirement by checking that every CloudTrail trail is integrated with Amazon CloudWatch Logs: the trail must have a CloudWatch Logs log group ARN and a delivery role ARN configured, and CloudTrail must actually be delivering events to that log group.

A trail delivers its log files to S3 whether or not this integration exists, so the point of the integration is not durable storage but near-real-time analysis. Once events land in a log group, metric filters, alarms, subscription filters and Logs Insights queries can flag suspicious or unauthorized activity (root account use, IAM policy changes, a trail being stopped or deleted) within minutes instead of after a batch review of S3 objects. A trail whose log group was deleted or whose delivery role lost its permissions silently stops feeding that pipeline while still looking configured, which is why the check should look at recent delivery status and not only at whether a log group ARN is set.

Troubleshooting Steps

1. Verify CloudTrail Trail Configuration

- Check that logging is enabled on the trail (the trail status reports IsLogging as true).
- Check that the trail has both a CloudWatch Logs log group ARN and a CloudWatch Logs role ARN configured; without both, CloudTrail cannot deliver to CloudWatch Logs.
- Ensure the trail captures the required events (management events, global service events, all regions) and that no event selector excludes the events you expect to monitor.
- Validate the remaining trail settings, including log file validation and the multi-region setting, since a single-region trail leaves activity in other regions unmonitored.

2. Verify IAM Permissions for CloudTrail to CloudWatch Logs

- CloudTrail delivers to CloudWatch Logs by assuming the role named in the trail's CloudWatchLogsRoleArn, so the role's trust policy must allow the cloudtrail.amazonaws.com service principal to call sts:AssumeRole.
- The role's permission policy must allow logs:CreateLogStream and logs:PutLogEvents on the trail's log group (the log group ARN ends in ":*", so it covers the log streams CloudTrail creates). Scope the resource to that log group rather than "*".
- A user's credentials are not involved in delivery; the role is what to inspect when delivery stops after a permissions change.

3. Check CloudWatch Logs Configuration

- Verify that the log group named in the trail's CloudWatchLogsLogGroupArn still exists and is in the trail's home region.
- Confirm that CloudTrail is creating log streams in that group (stream names follow the pattern <account-id>_CloudTrail_<region>) and that events are appearing in them.
- Confirm that the log group's retention setting meets your compliance requirement; the default is to never expire, which satisfies retention but may be more than you want to pay for.

4. Review CloudWatch Logs Log Group Subscriptions

- A subscription filter forwards every CloudTrail event in the log group to a destination (a Lambda function, a Kinesis stream, Firehose, or a cross-account destination). Verify that each subscription on the group is one you expect; an unrecognized subscription is a quiet way for someone to copy your audit trail elsewhere.
- Verify that the subscription your SIEM or detection pipeline relies on is present and healthy, otherwise the integration delivers events that nobody analyzes.

5. Review Error Messages or Notifications

- The trail status (aws cloudtrail get-trail-status) reports LatestCloudWatchLogsDeliveryTime and LatestCloudWatchLogsDeliveryError. A non-empty error or a stale delivery time means events are not reaching CloudWatch Logs even though the trail looks configured.
- Address reported errors promptly. Common causes are a deleted log group, a trust policy that no longer allows cloudtrail.amazonaws.com, or a permission policy that was tightened to exclude the log group.
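The following script is an added example, not Cloud Defense's scanner or AWS code. It evaluates trails against this rule the way the troubleshooting steps above describe, using the fields that the DescribeTrails and GetTrailStatus APIs return: a trail is compliant only when it is logging, has both a log group ARN and a role ARN, reports no CloudWatch Logs delivery error, and has delivered within a threshold. The one-day threshold is an assumption, and the trail and status records are constructed sample data so the script runs offline; the evaluate_live function shows how the same logic is fed from boto3 against a real account.

```python
"""Evaluate CloudTrail trails against the "integrated with CloudWatch Logs" rule.

Added example; the sample trail/status records below are constructed, not
captured from a real AWS account.
"""
from datetime import datetime, timedelta, timezone

# Assumption: a successful delivery older than one day counts as broken.
MAX_DELIVERY_AGE = timedelta(days=1)


def evaluate_trail(trail, status, now=None):
    """Return (compliant, reasons) for one trail.

    `trail`  : one entry of DescribeTrails' trailList
    `status` : the GetTrailStatus response for that trail
    """
    now = now or datetime.now(timezone.utc)
    reasons = []

    if not status.get("IsLogging", False):
        reasons.append("trail is not logging")

    log_group = trail.get("CloudWatchLogsLogGroupArn")
    if not log_group:
        reasons.append("no CloudWatch Logs log group configured")
    if not trail.get("CloudWatchLogsRoleArn"):
        reasons.append("no CloudWatch Logs delivery role configured")

    # A configured trail can still be silently broken: CloudTrail records the
    # last delivery error and the last successful delivery time in the status.
    error = status.get("LatestCloudWatchLogsDeliveryError")
    if error:
        reasons.append(f"last CloudWatch Logs delivery failed: {error}")

    if log_group:
        last = status.get("LatestCloudWatchLogsDeliveryTime")
        if last is None:
            reasons.append("trail has never delivered to CloudWatch Logs")
        elif now - last > MAX_DELIVERY_AGE:
            reasons.append(f"last CloudWatch Logs delivery was {now - last} ago")

    return (not reasons, reasons)


def evaluate_all(trails, now=None):
    """Map trail name -> (compliant, reasons) for {name: (trail, status)}."""
    return {name: evaluate_trail(t, s, now) for name, (t, s) in trails.items()}


def evaluate_live(region="us-east-1"):
    """Fetch real trails with boto3 (needs AWS credentials; not used offline)."""
    import boto3  # imported lazily so the offline sample needs no AWS SDK

    ct = boto3.client("cloudtrail", region_name=region)
    trails = {}
    # includeShadowTrails=False skips the per-region copies of multi-region trails
    for t in ct.describe_trails(includeShadowTrails=False)["trailList"]:
        trails[t["Name"]] = (t, ct.get_trail_status(Name=t["TrailARN"]))
    return evaluate_all(trails)


# ---- constructed sample data (not real AWS output) ----
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
ACCT = "111122223333"
LOG_GROUP = f"arn:aws:logs:us-east-1:{ACCT}:log-group:/aws/cloudtrail/my-cloudtrail-trail:*"
ROLE = f"arn:aws:iam::{ACCT}:role/cloudtrail-cloudwatch-logs-role"

SAMPLE_TRAILS = {
    # healthy: integration configured and delivering
    "good-trail": (
        {"Name": "good-trail", "CloudWatchLogsLogGroupArn": LOG_GROUP, "CloudWatchLogsRoleArn": ROLE},
        {"IsLogging": True, "LatestCloudWatchLogsDeliveryTime": NOW - timedelta(minutes=5)},
    ),
    # the obvious failure: no log group or role at all
    "no-integration": (
        {"Name": "no-integration"},
        {"IsLogging": True},
    ),
    # configured, but the last delivery is days old (for example the log group was deleted)
    "stale-delivery": (
        {"Name": "stale-delivery", "CloudWatchLogsLogGroupArn": LOG_GROUP, "CloudWatchLogsRoleArn": ROLE},
        {"IsLogging": True, "LatestCloudWatchLogsDeliveryTime": NOW - timedelta(days=3)},
    ),
    # configured, but the role lost logs:PutLogEvents; CloudTrail reports the error
    "broken-role": (
        {"Name": "broken-role", "CloudWatchLogsLogGroupArn": LOG_GROUP, "CloudWatchLogsRoleArn": ROLE},
        {"IsLogging": True,
         "LatestCloudWatchLogsDeliveryTime": NOW - timedelta(hours=2),
         "LatestCloudWatchLogsDeliveryError": "AccessDenied"},
    ),
}

if __name__ == "__main__":
    for name, (ok, reasons) in evaluate_all(SAMPLE_TRAILS, NOW).items():
        print(f"{name}: {'COMPLIANT' if ok else 'NON-COMPLIANT'} {'; '.join(reasons)}")
```

Only the first sample trail passes. The last two show why checking the log group ARN alone is not enough: both are fully configured, yet one has not delivered for three days and the other delivered recently but is now reporting an access error, and a detection pipeline fed by either of them has gone quiet.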

Necessary Codes

CloudFormation Template for CloudTrail and CloudWatch Logs Integration

To integrate CloudTrail with CloudWatch Logs, you can use the following CloudFormation template. A trail requires an S3 bucket, and CloudTrail validates the bucket policy when the trail is created, so the template creates the bucket and its policy as well. Note that the trail properties need the ARNs of the log group and role: !Ref on AWS::Logs::LogGroup and AWS::IAM::Role returns their names, so !GetAtt ...Arn is used instead.

AWSTemplateFormatVersion: '2010-09-09'
Description: CloudTrail trail delivering to S3 and CloudWatch Logs

Resources:
  CloudTrailBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # CloudTrail checks for these two permissions before it will create the trail
  CloudTrailBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref CloudTrailBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: 's3:GetBucketAcl'
            Resource: !GetAtt CloudTrailBucket.Arn
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: 's3:PutObject'
            Resource: !Sub '${CloudTrailBucket.Arn}/AWSLogs/${AWS::AccountId}/*'
            Condition:
              StringEquals:
                's3:x-amz-acl': bucket-owner-full-control

  CloudWatchLogsGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      LogGroupName: /aws/cloudtrail/my-cloudtrail-trail
      RetentionInDays: 365

  CloudWatchLogsRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: cloudtrail-cloudwatch-logs-role
      # Trust policy: only the CloudTrail service may assume this role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: AllowAccessToCloudWatchLogs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                # The log group ARN ends in ':*', so this covers its log streams
                Resource: !GetAtt CloudWatchLogsGroup.Arn

  CloudTrail:
    Type: 'AWS::CloudTrail::Trail'
    DependsOn: CloudTrailBucketPolicy
    Properties:
      TrailName: my-cloudtrail-trail
      S3BucketName: !Ref CloudTrailBucket
      IsLogging: true
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      EnableLogFileValidation: true
      CloudWatchLogsLogGroupArn: !GetAtt CloudWatchLogsGroup.Arn
      CloudWatchLogsRoleArn: !GetAtt CloudWatchLogsRole.Arn

Remediation Steps

  1. Verify CloudTrail Trail Configuration:

     • Open the AWS Management Console and go to the CloudTrail service.
     • Select the desired trail and ensure that logging is enabled.
     • In the trail's general details, check that CloudWatch Logs is enabled with a log group and an IAM role selected. If it is not, choose Edit, enable CloudWatch Logs, and select (or create) the log group and the role CloudTrail should assume.
     • Check the remaining trail settings (multi-region, global service events, log file validation) and make any necessary modifications.
     • Save the changes.

  2. Verify IAM Permissions for CloudTrail to CloudWatch Logs:

     • Open the AWS Management Console and go to the IAM service.
     • Open the role named in the trail's CloudWatch Logs role ARN (delivery uses this role, not an IAM user).
     • On the Trust relationships tab, confirm that cloudtrail.amazonaws.com is allowed to perform sts:AssumeRole.
     • On the Permissions tab, confirm that the attached policy allows logs:CreateLogStream and logs:PutLogEvents on the trail's log group.
     • Update the trust or permission policy if required.

  3. Check CloudWatch Logs Configuration:

     • Open the AWS Management Console and go to the CloudWatch service.
     • Select "Logs" from the side menu and open "Log groups".
     • Confirm that the log group named in the trail exists, in the same region as the trail's home region, and contains CloudTrail log streams with recent events.
     • Adjust the retention setting if necessary to meet your compliance requirement.

  4. Review CloudWatch Logs Log Group Subscriptions:

     • Open the AWS Management Console and go to the CloudWatch service.
     • Select "Logs" from the side menu and find the log group associated with CloudTrail.
     • Open the "Subscription filters" tab and review each destination.
     • Remove any subscription you cannot account for, and confirm that the subscription feeding your detection pipeline is present.

  5. Review Error Messages or Notifications:

     • Open the AWS Management Console and go to the CloudTrail service.
     • Open the trail and check the CloudWatch Logs section for the last delivery time and any delivery error; the same values are returned by the trail status as LatestCloudWatchLogsDeliveryTime and LatestCloudWatchLogsDeliveryError.
     • Investigate and resolve any reported error, then confirm that the delivery time advances again.

By following the above troubleshooting and remediation steps, you can ensure that your CloudTrail trails are properly integrated with CloudWatch logs as per the NIST 800-53 Revision 5 recommendation.
