Rule: At Least One Enabled Trail Presence Required

This rule ensures the presence of at least one enabled trail in a region.

Rule: At least one enabled trail should be present in a region
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Low

Rule Description:

This rule ensures that at least one enabled trail is present in a specific region to meet the requirement of the NIST Cybersecurity Framework (CSF) v1. Trails are used to capture and log events in AWS CloudTrail, providing visibility into account activity and ensuring a comprehensive audit trail for security and compliance purposes.

Troubleshooting Steps:

If the rule is not compliant, here are some troubleshooting steps to help resolve the issue:

  1. Check CloudTrail service: Ensure that the CloudTrail service is enabled in the AWS Management Console.

  2. Verify region-specific trails: Ensure that there is at least one enabled trail available in the specific region mentioned in the rule.

  3. Trail status: Verify the status of each trail to ensure they are enabled. Trails can be enabled or disabled manually, so check if any trails have been inadvertently disabled.

  4. Trail configuration: Review the specific trail configuration to ensure it is set up correctly. Check for any missing settings or incorrect configurations that could cause the trail to be non-compliant.

  5. Permissions: Validate that the user or role running the compliance check has sufficient permissions to access and modify CloudTrail resources.

Necessary Code:

No specific code is needed for this rule. However, you can use AWS Command Line Interface (CLI) commands to troubleshoot and manage CloudTrail configuration if required.
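
An added example (not CloudDefense's own code) of how the rule's condition could be evaluated from the output of `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status`. The sample data is constructed, and counting a logging multi-region trail toward every region is an assumption about how the rule is scored.

```python
import json

# Constructed sample data shaped like AWS CLI output (not from a real account).
# TRAILS mirrors the "trailList" array from `aws cloudtrail describe-trails`.
TRAILS = json.loads("""[
  {"Name": "all-regions", "HomeRegion": "us-east-1", "IsMultiRegionTrail": true,
   "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/all-regions"},
  {"Name": "eu-local", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": false,
   "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/eu-local"}
]""")
# STATUS mirrors `aws cloudtrail get-trail-status --name <TrailARN>`, keyed by ARN.
STATUS = {
    TRAILS[0]["TrailARN"]: {"IsLogging": False},  # multi-region trail switched off
    TRAILS[1]["TrailARN"]: {"IsLogging": True},
}
REGIONS = ["us-east-1", "eu-west-1", "ap-south-1"]


def enabled_trails_by_region(trails, status_by_arn, regions):
    """Map each region to the names of trails that cover it and are logging."""
    coverage = {region: [] for region in regions}
    seen = set()
    for trail in trails:
        arn = trail["TrailARN"]
        if arn in seen:  # shadow copies of a multi-region trail repeat the ARN
            continue
        seen.add(arn)
        # A missing status is treated as "not logging" so gaps fail closed.
        if not status_by_arn.get(arn, {}).get("IsLogging", False):
            continue
        for region in regions:
            # Assumption: a multi-region trail counts toward every region.
            if trail.get("IsMultiRegionTrail") or trail.get("HomeRegion") == region:
                coverage[region].append(trail["Name"])
    return coverage


def noncompliant_regions(trails, status_by_arn, regions):
    """Return the regions that have no enabled trail, sorted by name."""
    coverage = enabled_trails_by_region(trails, status_by_arn, regions)
    return sorted(region for region, names in coverage.items() if not names)


if __name__ == "__main__":
    for region in noncompliant_regions(TRAILS, STATUS, REGIONS):
        print(f"NON-COMPLIANT: no enabled trail covers {region}")
```

With the sample data, the disabled multi-region trail leaves every region except eu-west-1 without coverage, which is the "inadvertently disabled" case from the troubleshooting steps.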

Remediation Steps:

Follow these steps to remediate the non-compliant status:

  1. Log in to the AWS Management Console.

  2. Open the CloudTrail service.

  3. Select the specific region mentioned in the non-compliant rule.

  4. Ensure that at least one trail is listed and that its status is enabled.

  5. If there are no trails or the existing trail is disabled, click on "Create trail" to set up a new trail.

  6. Configure the trail settings according to your requirements, including the trail name, S3 bucket for log storage, and optional configurations such as log file encryption and CloudWatch Logs integration.

  7. Enable the trail by checking the box for "Enable logging" or updating the trail settings if it is already created but disabled.

  8. Review the trail settings and ensure that all configurations align with your security and compliance needs.

  9. Click "Create" or "Save" to create or update the trail.

  10. Wait for a few minutes to allow the trail to become active and start capturing the relevant events.

  11. Perform a compliance check to verify if the rule is now compliant.

By following these steps, you will ensure that at least one enabled trail is present in the specified region, meeting the requirement of the NIST Cybersecurity Framework (CSF) v1.
