This rule checks that every CloudTrail trail is integrated with CloudWatch Logs, so that API activity in the account can be monitored and alerted on in near real time rather than only archived to S3.
Rule | CloudTrail trails should be integrated with CloudWatch Logs
Framework | NIST Cybersecurity Framework (CSF) v1.1
Severity | Critical
Integration of AWS CloudTrail with CloudWatch Logs for NIST Cybersecurity Framework Compliance
Overview of the Rule
AWS CloudTrail records the API calls made in your AWS account and is the basis for governance, compliance, operational auditing, and risk auditing. By default a trail only delivers log files to an S3 bucket; integrating it with CloudWatch Logs additionally delivers each event to a log group shortly after it occurs, where metric filters and alarms can act on it. That near-real-time visibility is what the NIST Cybersecurity Framework (CSF) expects of a detection capability.
NIST CSF is a policy framework of computer security guidance that helps organizations manage and reduce cybersecurity risk. Version 1.1 is divided into five functions: Identify, Protect, Detect, Respond, and Recover. Integrating CloudTrail with CloudWatch Logs addresses the Detect function, in particular its Security Continuous Monitoring (DE.CM) and Anomalies and Events (DE.AE) categories, by giving the organization a way to log the activity in its AWS environment and to monitor that log continuously.
Troubleshooting Steps
1. Ensure CloudTrail is Enabled and Logging
Before integration, confirm that a trail exists and that logging is started; a trail can exist and still be stopped, in which case nothing is delivered anywhere.
2. Check IAM Permissions
Two sets of permissions are involved. The identity running the commands needs permission to create and configure CloudTrail trails and CloudWatch Logs log groups, to create the IAM role, and iam:PassRole for that role, because update-trail hands the role to the CloudTrail service. The role itself needs a trust policy for cloudtrail.amazonaws.com and permission to create log streams and put log events in the target log group.
3. Validate Log File Delivery
If events are not appearing in the log group, run aws cloudtrail get-trail-status for the trail and inspect LatestCloudWatchLogsDeliveryError and LatestCloudWatchLogsDeliveryTime. An access error usually means the role's trust or permissions policy is wrong; a stale delivery time usually means the trail was stopped or the log group was deleted. Delivery normally lags the API call by a few minutes, so allow for that before treating an empty log group as a failure.
4. Investigate CloudWatch Logs Configuration
Ensure that the trail references the correct log group ARN. CloudTrail creates its own log streams inside that group (named <account-id>_CloudTrail_<region>), so no stream has to be configured by hand. Check that the role can write to that group and that the group's retention policy keeps events for as long as your audit requirements demand; a new log group retains events indefinitely until a retention period is set.
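The troubleshooting checks above can be automated against the JSON the CLI returns. The script below is an added example, not code from the original page or from any AWS tool: it evaluates documents shaped like the output of aws cloudtrail describe-trails and aws cloudtrail get-trail-status and reports, per trail, whether the integration is configured, whether the trail is logging, whether the last CloudWatch Logs delivery reported an error, and whether delivery is stale. The trail names, ARNs, timestamps and error text in the sample are constructed for illustration; on a real account, replace the two sample dictionaries with the parsed CLI output.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference clock so the constructed sample below evaluates the same way every run.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def _ago(**kwargs):
    """ISO-8601 timestamp `kwargs` before NOW, in the form the CLI prints timestamps."""
    return (NOW - timedelta(**kwargs)).isoformat()


# Constructed sample shaped like `aws cloudtrail describe-trails` output (not real account data).
DESCRIBE_TRAILS = {
    "trailList": [
        {   # fully wired: log group, role, logging, recent delivery
            "Name": "management-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/management-trail",
            "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
            "S3BucketName": "example-cloudtrail-bucket",
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/Default:*",
            "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role",
        },
        {   # S3-only trail: never integrated with CloudWatch Logs
            "Name": "legacy-trail",
            "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/legacy-trail",
            "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
            "S3BucketName": "example-cloudtrail-bucket",
        },
        {   # integrated on paper, but logging is stopped and delivery is failing
            "Name": "stalled-trail",
            "TrailARN": "arn:aws:cloudtrail:us-west-2:123456789012:trail/stalled-trail",
            "HomeRegion": "us-west-2", "IsMultiRegionTrail": False,
            "S3BucketName": "example-cloudtrail-bucket",
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-west-2:123456789012:log-group:CloudTrail/Stalled:*",
            "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/Deleted_Role",
        },
    ]
}

# Constructed sample shaped like `aws cloudtrail get-trail-status --name <trail>`, one entry per trail.
TRAIL_STATUS = {
    "management-trail": {"IsLogging": True, "LatestDeliveryTime": _ago(minutes=4),
                         "LatestCloudWatchLogsDeliveryTime": _ago(minutes=4)},
    "legacy-trail": {"IsLogging": True, "LatestDeliveryTime": _ago(minutes=7)},
    "stalled-trail": {"IsLogging": False, "LatestDeliveryTime": _ago(days=3),
                      "LatestCloudWatchLogsDeliveryTime": _ago(days=3),
                      # constructed error text; real messages come from the service
                      "LatestCloudWatchLogsDeliveryError": "access denied when assuming the role"},
}


def check_trail(trail, status, now=NOW, max_lag=timedelta(hours=1)):
    """Return the list of findings for one trail; an empty list means the trail passes."""
    findings = []
    log_group = trail.get("CloudWatchLogsLogGroupArn")
    role = trail.get("CloudWatchLogsRoleArn")
    if not log_group:
        findings.append("CloudWatchLogsLogGroupArn is not set: trail is not integrated with CloudWatch Logs")
    if not role:
        findings.append("CloudWatchLogsRoleArn is not set: CloudTrail has no role to write to CloudWatch Logs")
    if not status.get("IsLogging", False):
        findings.append("IsLogging is false: the trail is not recording events at all")
    error = status.get("LatestCloudWatchLogsDeliveryError")
    if error:
        findings.append(f"LatestCloudWatchLogsDeliveryError: {error}")
    if log_group and role:
        last = status.get("LatestCloudWatchLogsDeliveryTime")
        if last is None:
            findings.append("integration is configured but no event has ever been delivered to CloudWatch Logs")
        else:
            lag = now - datetime.fromisoformat(last)
            if lag > max_lag:
                findings.append(f"last CloudWatch Logs delivery was {lag} ago (threshold {max_lag})")
    return findings


def evaluate(describe_output, status_by_name, now=NOW, max_lag=timedelta(hours=1)):
    """Map every trail name in the describe-trails output to its findings."""
    return {
        trail["Name"]: check_trail(trail, status_by_name.get(trail["Name"], {}), now, max_lag)
        for trail in describe_output["trailList"]
    }


if __name__ == "__main__":
    for name, findings in evaluate(DESCRIBE_TRAILS, TRAIL_STATUS).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

The delivery-lag threshold is a judgement call: CloudTrail normally delivers to CloudWatch Logs within minutes, so an hour without delivery on a trail that is logging is worth a look, while a quiet account can legitimately go longer between events. Tune max_lag to the account's activity rather than treating one value as universal.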
Necessary AWS CLI Commands
1. Create a new CloudTrail trail:
aws cloudtrail create-trail --name YourTrailName --s3-bucket-name YourS3BucketName --is-multi-region-trail
2. Start logging:
aws cloudtrail start-logging --name YourTrailName
3. Create a CloudWatch Logs log group:
aws logs create-log-group --log-group-name YourLogGroupName
4. (Not required) Create a CloudWatch Logs log stream. CloudTrail creates its own streams in the log group, named <account-id>_CloudTrail_<region>, when it first delivers events, so a manually created stream is not used. The command is shown only for completeness:
aws logs create-log-stream --log-group-name YourLogGroupName --log-stream-name YourLogStreamName
5. Update the trail to send events to CloudWatch Logs. The log group ARN takes the form arn:aws:logs:<region>:<account-id>:log-group:YourLogGroupName:* (note the trailing :*), and the role ARN is the IAM role CloudTrail will assume:
aws cloudtrail update-trail --name YourTrailName --cloud-watch-logs-log-group-arn YourLogGroupARN --cloud-watch-logs-role-arn YourRoleARN
Step by Step Guide for Remediation
Step 1: Verify CloudTrail Configuration
Confirm that a trail exists (aws cloudtrail describe-trails) and that it is logging (aws cloudtrail get-trail-status reports IsLogging as true). If there is no trail, create one with commands 1 and 2 above; a multi-region trail is preferable, since a single-region trail leaves activity in every other region unmonitored.
Step 2: Create an IAM Role
Create an IAM role that CloudTrail assumes to publish events to CloudWatch Logs. Its trust policy should allow only the cloudtrail.amazonaws.com service principal, ideally restricted with an aws:SourceArn condition naming the trail, and its permissions policy should grant only logs:CreateLogStream and logs:PutLogEvents on the target log group. Do not attach the CloudWatchLogsFullAccess or CloudTrailFullAccess managed policies: CloudTrail needs neither to deliver events, and a service role should carry no more than the calls the service actually makes.
Step 3: Create and Configure Log Group
Create the log group (command 3 above) and set a retention period that matches your audit requirements; a new log group retains events indefinitely, which is rarely what you want for cost, and too short a period defeats the purpose of the integration.
Step 4: Integrate CloudTrail with CloudWatch Logs
Run command 5 above with the log group ARN and the role ARN from the previous steps, then confirm the wiring with aws cloudtrail get-trail-status: LatestCloudWatchLogsDeliveryError should be empty and LatestCloudWatchLogsDeliveryTime should advance within a few minutes of new API activity.
Step 5: Set Up Monitoring and Alerts
Delivery alone satisfies the rule, but the point of the integration is detection. Add metric filters and alarms on the log group for the events you would want to know about immediately, such as root account use, changes to IAM policies, changes to the trail itself, and unauthorized API calls, and route the alarms to an SNS topic that someone reads.
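The remediation steps above leave the two IAM documents to the reader. The script below is an added example, not code from the original page or from AWS: it builds the least-privilege trust policy and permissions policy for the CloudTrail-to-CloudWatch Logs role, the log group ARN in the form update-trail expects, and prints the CLI commands that apply them in order. The region, account ID, trail name, log group name and role name are placeholders chosen for the example; the policy shape (service principal, aws:SourceArn condition, the two logs actions scoped to CloudTrail's own stream names) is the general one and applies to any single-account trail.

```python
import json


def log_group_arn(region, account_id, log_group_name):
    """ARN in the form CloudTrail expects for --cloud-watch-logs-log-group-arn (trailing ':*')."""
    return f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}:*"


def trust_policy(region, account_id, trail_name):
    """Trust policy: only the CloudTrail service may assume the role, and only on behalf of
    this one trail. Every account's trails use the same service principal, so without the
    aws:SourceArn condition a trail in another account could be pointed at this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {
                "aws:SourceArn": f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
            }},
        }],
    }


def permissions_policy(region, account_id, log_group_name):
    """Permissions policy: the two actions CloudTrail actually calls, scoped to the streams it
    creates (named <account-id>_CloudTrail_<region>) inside the target log group.
    Organization trails name their streams differently; widen the pattern for those."""
    stream_arn = (f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}"
                  f":log-stream:{account_id}_CloudTrail_*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailCreateLogStream", "Effect": "Allow",
             "Action": ["logs:CreateLogStream"], "Resource": [stream_arn]},
            {"Sid": "AWSCloudTrailPutLogEvents", "Effect": "Allow",
             "Action": ["logs:PutLogEvents"], "Resource": [stream_arn]},
        ],
    }


def allowed_actions(policy):
    """Flatten every Allow action in a policy document, to assert the role stays this narrow."""
    actions = set()
    for statement in policy["Statement"]:
        if statement["Effect"] != "Allow":
            continue
        action = statement["Action"]
        actions.update([action] if isinstance(action, str) else action)
    return actions


def remediation_plan(region, account_id, trail_name, log_group_name, role_name):
    """Everything needed to wire the trail, in the order the resources must exist."""
    return {
        "trust_policy": trust_policy(region, account_id, trail_name),
        "permissions_policy": permissions_policy(region, account_id, log_group_name),
        "log_group_arn": log_group_arn(region, account_id, log_group_name),
        "role_arn": f"arn:aws:iam::{account_id}:role/{role_name}",
    }


if __name__ == "__main__":
    # Placeholder identifiers: replace with your own region, account, trail, log group and role.
    region, account, trail = "us-east-1", "123456789012", "management-trail"
    log_group, role = "CloudTrail/Default", "CloudTrail_CloudWatchLogs_Role"
    plan = remediation_plan(region, account, trail, log_group, role)
    with open("trust-policy.json", "w") as fh:
        json.dump(plan["trust_policy"], fh, indent=2)
    with open("permissions-policy.json", "w") as fh:
        json.dump(plan["permissions_policy"], fh, indent=2)
    # Commands in dependency order: log group, role, inline policy, then the trail update.
    print(f"aws logs create-log-group --log-group-name {log_group}")
    print(f"aws logs put-retention-policy --log-group-name {log_group} --retention-in-days 365")
    print(f"aws iam create-role --role-name {role} "
          "--assume-role-policy-document file://trust-policy.json")
    print(f"aws iam put-role-policy --role-name {role} --policy-name CloudTrailToCloudWatchLogs "
          "--policy-document file://permissions-policy.json")
    print(f"aws cloudtrail update-trail --name {trail} "
          f"--cloud-watch-logs-log-group-arn {plan['log_group_arn']} "
          f"--cloud-watch-logs-role-arn {plan['role_arn']}")
```

The permissions policy deliberately names the log-stream prefix rather than granting the actions on the whole log group, so the role cannot write into streams that other sources share with it. If update-trail fails with an access error immediately after create-role, wait a few seconds and retry: IAM changes take a moment to propagate.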
By completing these steps, each CloudTrail trail delivers its events to CloudWatch Logs, which gives the account the monitoring capability the NIST Cybersecurity Framework's Detect function calls for. Review the configuration regularly: a trail that is stopped, a role whose policy has drifted, or a log group that has been deleted silently breaks the integration while the trail itself still appears to exist.