
Rule: CloudTrail trails should be integrated with CloudWatch logs

This rule ensures that CloudTrail trails are integrated with CloudWatch logs for enhanced monitoring and security.

Rule: CloudTrail trails should be integrated with CloudWatch logs
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Critical

Integration of AWS CloudTrail with CloudWatch Logs for NIST Cybersecurity Framework Compliance

Overview of the Rule

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. Integrating CloudTrail with CloudWatch Logs supports real-time monitoring and analysis, which is crucial for the NIST Cybersecurity Framework (CSF).

NIST CSF is a policy framework of computer security guidance for organizations to better manage and reduce cybersecurity risk. It's divided into five main functions: Identify, Protect, Detect, Respond, and Recover. Integrating CloudTrail with CloudWatch allows organizations to address several aspects of the 'Detect' function by providing a method to monitor and log activities that occur within their AWS environment.

Troubleshooting Steps

1. Ensure CloudTrail is Enabled

Before integration, ensure that CloudTrail is enabled in your AWS account.

2. Check IAM Permissions

Verify that your IAM user or role has the necessary permissions to create and configure CloudTrail and CloudWatch Logs.

3. Validate Log File Delivery

If CloudTrail logs are not appearing in CloudWatch Logs, check that the delivery is set up correctly and that there are no service interruptions or delivery delays.

4. Investigate CloudWatch Logs Configuration

Ensure that the correct log group and log stream are specified and that they adhere to any set retention policies.
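An added example (not code from the Cloud Defense rule page or its product) that applies this rule's check to trail data shaped like `aws cloudtrail describe-trails` and `get-trail-status` output: it flags trails with no log group, no delivery role, stopped logging, or a failed last CloudWatch Logs delivery (troubleshooting step 3). The sample trails, account id and ARNs are constructed placeholders; `fetch_trails` is the live boto3 variant and assumes AWS credentials are available.

```python
"""Offline audit of CloudTrail trails for CloudWatch Logs integration (the check this rule makes)."""

# Constructed sample shaped like `aws cloudtrail describe-trails` output, with each trail's
# `get-trail-status` result attached under "Status"; account id and ARNs are placeholders.
SAMPLE_TRAILS = [
    {"Name": "org-trail",
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:CloudTrail/logs:*",
     "CloudWatchLogsRoleArn": "arn:aws:iam::111111111111:role/CloudTrail_CloudWatchLogs_Role",
     "Status": {"IsLogging": True}},
    {"Name": "legacy-trail"},  # never integrated with CloudWatch Logs
    {"Name": "half-configured",  # log group set, but no role for CloudTrail to deliver with
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:CloudTrail/old:*"},
    {"Name": "broken-delivery",  # fully configured, but the last delivery attempt failed
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:CloudTrail/logs:*",
     "CloudWatchLogsRoleArn": "arn:aws:iam::111111111111:role/CloudTrail_CloudWatchLogs_Role",
     "Status": {"IsLogging": True, "LatestCloudWatchLogsDeliveryError": "AccessDenied (constructed)"}},
]

def evaluate_trail(trail):
    """Return (compliant, reason) for one trail, in the order the troubleshooting steps check things."""
    status = trail.get("Status", {})
    if not trail.get("CloudWatchLogsLogGroupArn"):
        return False, "no CloudWatch Logs log group configured"
    if not trail.get("CloudWatchLogsRoleArn"):
        return False, "log group set but no CloudWatchLogsRoleArn for delivery"
    if not status.get("IsLogging", True):
        return False, "trail exists but logging is stopped (run start-logging)"
    if status.get("LatestCloudWatchLogsDeliveryError"):
        return False, "last CloudWatch Logs delivery failed: " + status["LatestCloudWatchLogsDeliveryError"]
    return True, "integrated and delivering"

def non_compliant_trails(trails):
    """List (name, reason) for every trail that fails the rule."""
    findings = []
    for trail in trails:
        ok, reason = evaluate_trail(trail)
        if not ok:
            findings.append((trail["Name"], reason))
    return findings

def fetch_trails(region="us-east-1"):
    """Live variant: build the same structure as SAMPLE_TRAILS from a real account with boto3."""
    import boto3  # imported lazily so the offline audit runs without boto3 installed
    ct = boto3.client("cloudtrail", region_name=region)
    trails = ct.describe_trails(includeShadowTrails=False)["trailList"]
    for trail in trails:
        trail["Status"] = ct.get_trail_status(Name=trail["TrailARN"])
    return trails
```

Run `non_compliant_trails(fetch_trails())` against a real account to get the same (name, reason) findings the sample produces.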

Necessary AWS CLI Commands

1. Create a new CloudTrail trail:

aws cloudtrail create-trail --name YourTrailName --s3-bucket-name YourS3BucketName --is-multi-region-trail

2. Start logging:

aws cloudtrail start-logging --name YourTrailName

3. Create a CloudWatch Logs log group:

aws logs create-log-group --log-group-name YourLogGroupName

4. Create a CloudWatch Logs log stream:

aws logs create-log-stream --log-group-name YourLogGroupName --log-stream-name YourLogStreamName

5. Update the trail to send events to CloudWatch Logs:

aws cloudtrail update-trail --name YourTrailName --cloud-watch-logs-log-group-arn YourLogGroupARN --cloud-watch-logs-role-arn YourRoleARN

Step by Step Guide for Remediation

Step 1: Verify CloudTrail Configuration

  1. Log in to the AWS Management Console.
  2. Navigate to the CloudTrail dashboard.
  3. Ensure that a trail is configured and running.

Step 2: Create an IAM Role

Create an IAM role with the necessary permissions to allow CloudTrail to publish events to CloudWatch Logs. Attach the CloudWatchLogsFullAccess and CloudTrailFullAccess policies.

Step 3: Create and Configure Log Group

  1. Open the CloudWatch console.
  2. Create a new log group where CloudTrail will send its logs.

Step 4: Integrate CloudTrail with CloudWatch Logs

  1. Execute the necessary AWS CLI commands to integrate CloudTrail with CloudWatch Logs (as provided above).
  2. Verify the integration through the AWS Management Console or via the CLI by looking at the CloudTrail event history.

Step 5: Set Up Monitoring and Alerts

  1. Within CloudWatch Logs, define metric filters to monitor specific events.
  2. Create alarms based on those metrics to get real-time alerts for unusual or unauthorized activities.

By completing these steps, AWS CloudTrail will be successfully integrated with CloudWatch Logs, thus reinforcing your AWS environment's compliance with the NIST Cybersecurity Framework. Regularly review and update your configurations to remain compliant as AWS services evolve.
