This rule ensures the presence of at least one multi-region AWS CloudTrail in an account.
| Field | Value |
|---|---|
| Rule | At least one multi-region AWS CloudTrail should be present in an account |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | Medium |
Rule Description
This rule ensures that at least one multi-region AWS CloudTrail is present in an account to align with the NIST Cybersecurity Framework (CSF) v1.1.
The NIST CSF is a framework created to guide organizations in managing and improving their cybersecurity posture. It provides a set of industry standards, guidelines, and best practices for organizations to follow in order to protect their data, systems, and infrastructure.
One of the key recommendations in the NIST CSF is to produce, retain and review audit logs of activity within the IT environment (for example subcategory PR.PT-1: audit/log records are determined, documented, implemented, and reviewed in accordance with policy). AWS CloudTrail, a service provided by Amazon Web Services (AWS), helps satisfy this by recording the API calls made in the account, including which principal made each call, from which source IP, and when. A single-region trail records only calls made in its home region; a multi-region trail records calls in every region, including regions the organization never uses, which is where attacker-created resources are easiest to miss.
By ensuring the presence of at least one multi-region AWS CloudTrail, organizations can enhance their ability to detect and respond to security events and ensure compliance with the NIST CSF guidelines.
Troubleshooting Steps
If an AWS account does not have a multi-region CloudTrail configured, you can follow the troubleshooting steps below to address this issue:
Check existing CloudTrail configuration: Run aws cloudtrail describe-trails --include-shadow-trails (the flag also lists multi-region trails whose home region is elsewhere) and inspect the IsMultiRegionTrail field of each trail. Then run aws cloudtrail get-trail-status --name <trail-arn> and confirm IsLogging is true; a multi-region trail on which logging has been stopped provides no coverage even though it exists.
Create a new multi-region CloudTrail: If there is no existing trail, create one with the --is-multi-region-trail flag and then start logging on it.
Update existing CloudTrail configuration: If a trail exists but only covers its home region, convert it in place with aws cloudtrail update-trail --name <trail-name> --is-multi-region-trail rather than creating a second trail. Logs already delivered to S3 are unaffected by this change.
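The check and the create-versus-update decision described in the three steps above, written out as an added example (this is not code from the original page or from AWS). It works on the plain dictionaries that boto3's CloudTrail client returns from describe_trails() and get_trail_status(), so it runs offline on the constructed sample at the bottom; the trail names, ARNs, bucket name and account ID in that sample are made up. A trail only counts as compliant when it is both multi-region and actually logging, and the remediation is chosen in the same order as the troubleshooting steps: restart a stopped multi-region trail, otherwise convert an existing single-region trail, otherwise create a new one.

```python
# Added example, not from the original page: evaluate the "at least one
# multi-region CloudTrail" rule against the dicts that boto3's CloudTrail
# client returns from describe_trails() and get_trail_status(), and pick the
# remediation the troubleshooting steps prescribe. Runs offline on the
# constructed sample below; trail names, ARNs and the account ID are made up.
from typing import Dict, List


def evaluate(trails: List[dict], status_by_arn: Dict[str, dict]) -> dict:
    """Return {"compliant", "action", "trail", "reasons"} for an account.

    trails        -- "trailList" from describe_trails(includeShadowTrails=True)
    status_by_arn -- TrailARN -> get_trail_status(Name=TrailARN) response

    A trail only counts if IsMultiRegionTrail is true AND IsLogging is true:
    a trail that exists but has had stop-logging called on it records nothing.
    Fix preference matches the troubleshooting steps: restart a stopped
    multi-region trail, else convert a single-region trail, else create one.
    """
    seen = set()
    reasons = []
    stopped_multi_region = None
    single_region = None
    for trail in trails:
        arn = trail["TrailARN"]
        if arn in seen:  # shadow copies of a multi-region trail share its ARN
            continue
        seen.add(arn)
        name = trail["Name"]
        logging = bool(status_by_arn.get(arn, {}).get("IsLogging", False))
        if trail.get("IsMultiRegionTrail", False):
            if logging:
                reasons.append(f"{name}: multi-region trail, logging enabled")
                return {"compliant": True, "action": "none", "trail": name, "reasons": reasons}
            reasons.append(f"{name}: multi-region trail but logging is stopped")
            stopped_multi_region = stopped_multi_region or name
        else:
            reasons.append(f"{name}: single-region trail ({trail.get('HomeRegion')})")
            single_region = single_region or name
    if stopped_multi_region:
        action, target = "start-logging", stopped_multi_region
    elif single_region:
        action, target = "update-trail", single_region
    else:
        reasons.append("no trails configured in this account")
        action, target = "create-trail", None
    return {"compliant": False, "action": action, "trail": target, "reasons": reasons}


def remediation_command(result: dict, bucket: str = "<s3-bucket-name>") -> str:
    """AWS CLI command(s) that move the account into compliance, or "" if none."""
    name = result["trail"] or "<trail-name>"
    commands = {
        "none": "",
        "start-logging": f"aws cloudtrail start-logging --name {name}",
        "update-trail": f"aws cloudtrail update-trail --name {name} --is-multi-region-trail",
        "create-trail": (
            f"aws cloudtrail create-trail --name {name} --s3-bucket-name {bucket} "
            f"--is-multi-region-trail --enable-log-file-validation && "
            f"aws cloudtrail start-logging --name {name}"
        ),
    }
    return commands[result["action"]]


def load_from_aws(region_name: str = "us-east-1"):
    """Fetch live input for evaluate(); needs boto3 and AWS credentials."""
    import boto3  # imported here so the offline sample below needs no AWS SDK

    client = boto3.client("cloudtrail", region_name=region_name)
    trails = client.describe_trails(includeShadowTrails=True)["trailList"]
    status = {t["TrailARN"]: client.get_trail_status(Name=t["TrailARN"]) for t in trails}
    return trails, status


# Constructed sample: one legacy single-region trail that is still logging.
SAMPLE_TRAILS = [
    {
        "Name": "legacy-useast1",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-useast1",
        "HomeRegion": "us-east-1",
        "IsMultiRegionTrail": False,
        "S3BucketName": "example-cloudtrail-logs",
    }
]
SAMPLE_STATUS = {SAMPLE_TRAILS[0]["TrailARN"]: {"IsLogging": True}}

if __name__ == "__main__":
    verdict = evaluate(SAMPLE_TRAILS, SAMPLE_STATUS)
    print(verdict["action"], "->", remediation_command(verdict))
    for line in verdict["reasons"]:
        print(" ", line)
```

On the sample input the verdict is update-trail for legacy-useast1, because converting the existing trail is cheaper than adding a second one. To run it against a real account, replace the sample with the tuple returned by load_from_aws(); the status lookup is keyed by TrailARN deliberately, since describe_trails with includeShadowTrails=True returns the same multi-region trail once per region and the ARN is the only stable identity across those copies.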
Necessary Codes
The AWS CLI commands to create a multi-region trail and start log delivery are as follows:

aws cloudtrail create-trail \
  --name <trail-name> \
  --s3-bucket-name <s3-bucket-name> \
  --is-multi-region-trail \
  --enable-log-file-validation

aws cloudtrail start-logging --name <trail-name>

Replace <trail-name> with the desired name for your trail and <s3-bucket-name> with the name of the S3 bucket where CloudTrail logs should be stored. The flag is --is-multi-region-trail (there is no --is-multi-region option). create-trail only defines the trail; logging does not begin until start-logging is called, so a trail created without the second command exists but records nothing. The bucket policy must already allow the cloudtrail.amazonaws.com service principal s3:GetBucketAcl on the bucket and s3:PutObject on the log prefix, otherwise create-trail fails with InsufficientS3BucketPolicyException. An existing single-region trail is converted in place with aws cloudtrail update-trail --name <trail-name> --is-multi-region-trail.
Step-by-Step Guide for Remediation
Follow the steps below to create or update a multi-region CloudTrail:
Step 1: Sign in to the AWS Management Console: Access the AWS Management Console using your AWS account credentials.
Step 2: Navigate to CloudTrail: Go to the CloudTrail service by either searching for it in the AWS services or selecting it from the list of recently used services.
Step 3: Create or select CloudTrail: If there is no existing CloudTrail configured, proceed to create a new one. Otherwise, select the existing CloudTrail to update the configuration.
Step 4: Configure CloudTrail settings:
Provide a unique name for the CloudTrail trail.
Choose an S3 bucket where CloudTrail logs will be stored. If you let the console create the bucket, it writes the required bucket policy for you; for an existing bucket, the policy must grant the cloudtrail.amazonaws.com service principal s3:GetBucketAcl on the bucket and s3:PutObject on the log prefix, or the trail cannot be saved.
Apply the trail to all regions (a multi-region trail) so that activity in regions you do not normally use is recorded as well.
If updating an existing trail, note that switching it to multi-region does not remove or alter logs already delivered to S3; only changing the bucket or prefix affects where future logs land, and a bucket change is rejected unless the new bucket's policy allows CloudTrail to write.
Step 5: Enable necessary logging options: keep management events enabled for both Read and Write API activity, enable log file validation so that tampering with delivered log files can be detected, and add data events (such as S3 object-level operations or Lambda invocations) only for the resources that need them, since they are billed separately and can be high volume.
Step 6: Review and create/update CloudTrail: Review the configured settings and ensure they align with the requirements of the NIST CSF. Once confirmed, proceed to create a new CloudTrail or update the existing one.
The trail will now be created or updated as a multi-region trail, giving visibility into API activity in every region of the account rather than only in the region where the trail was created.
Remember to regularly monitor and review the CloudTrail logs to detect and respond to any security events or anomalies in your AWS environment.