Rule: CloudTrail trails should be integrated with CloudWatch logs
This rule ensures integration of CloudTrail trails with CloudWatch logs for enhanced monitoring and security.
| Rule | CloudTrail trails should be integrated with CloudWatch logs |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ Critical |
Rule Description:
The rule requires the integration of CloudTrail trails with CloudWatch logs to align with the NIST Cybersecurity Framework (CSF) v1. This integration enhances the security posture of the cloud environment by collecting and analyzing logs from the CloudTrail service and forwarding them to CloudWatch logs for further monitoring and analysis.
Troubleshooting Steps:
- 1.
Verify CloudTrail Configuration:
- Ensure that CloudTrail trails are correctly configured and enabled for the desired AWS regions.
- Validate that the trails are actively recording API activity within the AWS account.
- Confirm that the trails are storing the log files in an Amazon S3 bucket.
- 2.
Check CloudWatch Logs Configuration:
- Verify that CloudWatch logs are properly configured in the AWS account.
- Ensure that the necessary log groups are created to receive the CloudTrail logs.
- Confirm that the required IAM roles and permissions are in place to enable the integration.
- 3.
Verify IAM Roles and Permissions:
- Check if the necessary IAM roles and permissions are assigned to the CloudTrail service.
- Ensure that CloudTrail has the required permissions to deliver logs to CloudWatch logs.
- Confirm that the IAM roles have appropriate policies attached to enable the integration.
Necessary Code:
No specific code is required for this rule. However, you may need to use AWS CLI commands for troubleshooting and verifying the configuration.
Remediation Steps:
To integrate CloudTrail trails with CloudWatch logs, follow these step-by-step instructions:
- 1.
Open the AWS Management Console and navigate to the CloudTrail service.
- 2.
Select the appropriate CloudTrail trail that needs to be integrated with CloudWatch logs.
- 3.
Click on the "Edit" button to modify the trail configuration.
- 4.
In the "Storage location" section, ensure that the trail is configured to store log files in an Amazon S3 bucket.
- 5.
Scroll down to the "CloudWatch Logs" section and enable the toggle switch for "Enable CloudWatch Logs."
- 6.
Select the desired existing log group or create a new log group in CloudWatch logs to receive the CloudTrail logs.
- 7.
Choose the appropriate IAM role under "IAM Role" that allows CloudTrail to deliver logs to CloudWatch logs.
- 8.
Click on the "Save" button to apply the changes and enable the integration.
- 9.
Repeat the above steps for each CloudTrail trail that needs to be integrated with CloudWatch logs.
CLI Commands:
If you prefer using AWS CLI, here are the corresponding commands to enable CloudWatch integration for CloudTrail trails:
- 1.To enable CloudWatch logs integration for a CloudTrail trail:
aws cloudtrail update-trail --name <trail_name> --cloud-watch-logs-log-group-arn <log_group_arn> --cloud-watch-logs-role-arn <role_arn>
Replace
<trail_name><log_group_arn><role_arn>- 1.To verify CloudTrail integration with CloudWatch logs:
aws cloudtrail describe-trails --trail-name-list <trail_name>
Replace
<trail_name>Conclusion:
By integrating CloudTrail trails with CloudWatch logs as per the NIST Cybersecurity Framework (CSF) v1, the organization ensures improved monitoring and analysis of AWS API activity, enhancing the overall security posture and compliance with cybersecurity best practices.