Rule: At Least One Enabled Trail Should Be Present in a Region

This rule ensures that at least one enabled trail is present in a specific region for compliance.

Rule: At least one enabled trail should be present in a region
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Low

Rule Description:

At least one enabled trail should be present in a specific region to comply with the NIST Cybersecurity Framework (CSF) v1. This rule ensures that AWS CloudTrail is properly configured to log events and monitor any suspicious activities related to your resources in the specified region. Enabling CloudTrail helps in maintaining security and meeting compliance requirements such as the NIST CSF.

Troubleshooting Steps:

  1. Check if CloudTrail is enabled in the desired region by logging in to the AWS Management Console.
  2. Go to the CloudTrail service and select the appropriate region from the top-right corner.
  3. Ensure that there is an enabled trail present for the region and that it is actively logging events.
  4. If no trail is present or the existing trail is not enabled, follow the remediation steps below.

Remediation Steps:

Follow the steps below to create and enable a CloudTrail trail in the specified region:

AWS Management Console:

  1. Log in to the AWS Management Console.
  2. Navigate to the CloudTrail service.
  3. Click on the "Trails" option from the left-hand menu.
  4. Click the "Create trail" button.
  5. Enter a name for the trail (e.g., "CSF Trail") and optionally provide a description.
  6. Select the appropriate region from the dropdown menu.
  7. Choose the desired storage location for the CloudTrail logs (S3 bucket).
  8. Configure additional settings as per your requirements (e.g., log file validation, encryption, etc.).
  9. Enable the trail by checking the "Enable CloudTrail" checkbox.
  10. Select the desired management events and data events that you want to include in the trail.
  11. Review the settings and click on the "Create trail" button to create and enable the CloudTrail trail.

AWS CLI:

  1. Install or update the AWS CLI to the latest version.
  2. Open a terminal or command prompt.
  3. Run the following command to create a new trail:

        aws cloudtrail create-trail --name CSF_Trail --s3-bucket-name <your_s3_bucket_name> --region <desired_region> --is-multi-region-trail

  4. Enable the trail using the following command, issued against the same region in which the trail was created:

        aws cloudtrail start-logging --name CSF_Trail --region <desired_region>

Please note that <your_s3_bucket_name> should be replaced with the name of your S3 bucket where CloudTrail logs will be stored, and <desired_region> should be replaced with the desired AWS region code.

Verification:

To verify if the CloudTrail trail is enabled and logging events in the specified region, follow these steps:

  1. Log in to the AWS Management Console.
  2. Navigate to the CloudTrail service.
  3. Select the appropriate region from the top-right corner.
  4. Locate the trail created in the remediation steps or confirm that an existing trail is enabled.
  5. Check the trail status, which should be "Logging" if events are being properly logged.
  6. Review the CloudTrail events to ensure that they are capturing the necessary information.
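The same verification can be scripted. The following is an added example, not CloudDefense's own rule logic: it applies the rule to saved output of `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status`, and also flags a trail that is logging but failing to deliver to S3. The function name, the sample trails, the account ID and the bucket names are constructed for illustration.

```python
import json

# Constructed sample: trailList entries in the shape returned by
# `aws cloudtrail describe-trails`, merged from two regions.
# The account ID and bucket names are placeholders.
TRAILS = json.loads("""
{"trailList": [
  {"Name": "CSF_Trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": true,
   "S3BucketName": "example-trail-bucket",
   "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/CSF_Trail"},
  {"Name": "legacy-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": false,
   "S3BucketName": "example-deleted-bucket",
   "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-trail"}
]}
""")

# Constructed sample: `aws cloudtrail get-trail-status --name <TrailARN>` per trail.
# CSF_Trail was created with create-trail, but start-logging was never run.
STATUS = {
    "arn:aws:cloudtrail:us-east-1:111122223333:trail/CSF_Trail": {"IsLogging": False},
    "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-trail":
        {"IsLogging": True, "LatestDeliveryError": "NoSuchBucket"},
}

def evaluate_region(region, describe_output, status_by_arn):
    """Apply the rule to one region: pass if any trail covering it is logging."""
    enabled, warnings = [], []
    for trail in describe_output.get("trailList", []):
        # A trail covers the region if it is homed there or is multi-region.
        if not (trail.get("IsMultiRegionTrail") or trail.get("HomeRegion") == region):
            continue
        status = status_by_arn.get(trail["TrailARN"], {})
        if status.get("IsLogging") is not True:
            warnings.append(f"{trail['Name']}: exists but is not logging")
            continue
        enabled.append(trail["Name"])
        # Logging is on, but the last delivery to the S3 bucket failed.
        if status.get("LatestDeliveryError"):
            warnings.append(
                f"{trail['Name']}: delivery error {status['LatestDeliveryError']}")
    return {"region": region, "compliant": bool(enabled),
            "enabled": enabled, "warnings": warnings}

if __name__ == "__main__":
    for r in ("eu-west-1", "ap-southeast-2"):
        print(json.dumps(evaluate_region(r, TRAILS, STATUS), indent=2))
```

With the sample data, `ap-southeast-2` fails the rule because the only trail covering it was created but never started, while `eu-west-1` passes with a warning that its trail cannot write to its bucket.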

By following these steps, you can ensure compliance with the NIST Cybersecurity Framework (CSF) v1 by having at least one enabled trail in the specified region.
