Ensure Presence of Multi-Region AWS CloudTrail Rule
This rule ensures the presence of at least one multi-region AWS CloudTrail in an account.
| Rule | At least one multi-region AWS CloudTrail should be present in an account |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ Medium |
Rule Description
According to the NIST Cybersecurity Framework (CSF) v1, it is recommended to have at least one multi-region AWS CloudTrail present in an AWS account. AWS CloudTrail is a service that provides governance, compliance, operational auditing, and risk auditing of your AWS account. A multi-region CloudTrail enables the monitoring and logging of API activity across multiple AWS regions, providing a comprehensive view of events within your account.
Troubleshooting Steps
If you encounter any issues related to the multi-region AWS CloudTrail, the following troubleshooting steps can help in resolving them:
- 1.
Ensure CloudTrail is configured: Check if CloudTrail is already set up in your AWS account. If not, follow the remediation steps below to create a new CloudTrail.
- 2.
Verify required permissions: Ensure that the AWS Identity and Access Management (IAM) user or role used to create the CloudTrail has the necessary permissions. The user/role should have the
permission.cloudtrail:CreateTrail - 3.
Enable multi-region logging: Make sure that the CloudTrail trail is configured to log events from all regions. This setting can be found in the CloudTrail configuration options.
- 4.
Check CloudTrail status: Verify the status of the CloudTrail trail to ensure it is active and recording events. If the status is not active, review the CloudTrail configuration for any issues.
- 5.
Review CloudTrail event history: Use the CloudTrail event history to review any logged events. Look for any errors or anomalies that may indicate issues with the CloudTrail configuration or access to AWS resources.
- 6.
Check CloudTrail S3 bucket: Ensure that the S3 bucket used by CloudTrail to store logs is properly configured and accessible. Verify the correct bucket policy, access permissions, and encryption settings.
Necessary Codes
If you need to create a multi-region AWS CloudTrail, you can use the AWS Command Line Interface (CLI) to execute the following command:
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region
Replace
<trail-name><bucket-name>Step-by-Step Guide for Remediation
Follow these step-by-step instructions to create a multi-region AWS CloudTrail:
- 1.
Open a terminal or command prompt.
- 2.
Install and configure the AWS CLI, if not already done. Ensure that the configured IAM user or role has the necessary permissions to create CloudTrail trails.
- 3.
Execute the following command to create the CloudTrail trail:
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-regionReplace
with a suitable name for the CloudTrail trail and<trail-name>
with the name of the S3 bucket where the logs will be stored.<bucket-name> - 4.
Verify that the CloudTrail trail is created successfully by checking the AWS Management Console or executing the following command:
aws cloudtrail describe-trails --trail-name-list <trail-name> - 5.
Enable logging for all regions by executing the following command:
aws cloudtrail update-trail --name <trail-name> --is-multi-region true - 6.
Review the CloudTrail configuration, including the S3 bucket settings, encryption settings, and other desired options. Make any necessary adjustments.
- 7.
Monitor the CloudTrail events and logs for operational, compliance, and governance purposes using tools like AWS CloudTrail console, Amazon CloudWatch, or other relevant tools.
By following these steps, you can create a multi-region AWS CloudTrail in your account, in compliance with the NIST Cybersecurity Framework (CSF) v1.