Rule: CloudTrail trails integration with CloudWatch Logs

This rule ensures CloudTrail trails are integrated with CloudWatch Logs.

Rule: CloudTrail trails should be integrated with CloudWatch Logs
Framework: PCI v3.2.1
Severity: Low

Rule Description

The rule states that CloudTrail trails should be integrated with CloudWatch Logs for PCI v3 compliance. This integration helps to monitor and analyze the API activity in your AWS account, which is important for maintaining the security and compliance standards required by the Payment Card Industry Data Security Standard (PCI DSS) version 3.

Troubleshooting Steps

If the integration between CloudTrail and CloudWatch Logs is not properly set up or functioning, you may encounter issues with monitoring and analyzing the API activity in your AWS account. Here are some troubleshooting steps you can follow:

  1. Verify CloudTrail Trail Configuration: Ensure that you have created a CloudTrail trail and that it is configured correctly to capture the events required for PCI compliance.
  2. Check CloudWatch Log Group Subscription: Confirm that the CloudTrail trail is subscribed to a CloudWatch Log Group. If the subscription does not exist or is incorrect, create or update it accordingly.
  3. Review IAM Role Permissions: Make sure that the IAM role assigned to the CloudTrail trail has the permissions needed to write logs to the specified CloudWatch Log Group. Also verify that the IAM role has the required trust relationship with CloudTrail and CloudWatch Logs.
  4. Check CloudWatch Log Group Permissions: Ensure that the IAM role associated with the CloudTrail trail has the necessary permissions to write logs to the CloudWatch Log Group. Additionally, ensure that the IAM role/policy allows you to access and analyze the logs stored in the log group.

Necessary Codes

If the CloudTrail trail is not already integrated with CloudWatch Logs, you will need to create or update the necessary configuration using AWS Command Line Interface (CLI) commands or the AWS Management Console. The steps below use CLI commands:

Create a CloudWatch Log Group (if not already created)

aws logs create-log-group --log-group-name <log-group-name>

Create or update CloudTrail Trail to integrate with CloudWatch Logs

aws cloudtrail update-trail --name <trail-name> --cloud-watch-logs-log-group-arn <log-group-arn> --cloud-watch-logs-role-arn <role-arn>

Replace <log-group-name> with the desired CloudWatch log group name, <trail-name> with the name of the CloudTrail trail, <log-group-arn> with the ARN of the CloudWatch log group, and <role-arn> with the ARN of the IAM role associated with the CloudTrail trail.

Remediation Steps

To ensure compliance with the PCI v3 rule, you should follow these step-by-step remediation instructions:

  1. Review Current Configuration: Check whether there is an existing CloudTrail trail in your AWS account and note down its configuration settings.
  2. Create a CloudWatch Log Group (if needed): If you don't have a suitable CloudWatch Log Group, create one using the AWS Management Console or the CLI command mentioned above.
  3. Integrate CloudTrail with CloudWatch Logs: Update the CloudTrail trail configuration to integrate it with the CloudWatch Log Group. Use the CLI command provided earlier and replace the placeholders with the appropriate values.
  4. Verify Integration: Once the update is complete, verify that the CloudTrail trail is properly integrated with the CloudWatch Log Group.
  5. Test Logging: Perform some API actions in your AWS account to generate logs and ensure that they are being captured in the CloudWatch Log Group.
  6. Monitor Logs: Regularly monitor the logs stored in the CloudWatch Log Group to analyze the API activity for compliance and security purposes.
  7. Periodic Review: Periodically review the CloudTrail and CloudWatch Logs integration to ensure it remains in compliance with PCI v3 requirements.

By following these steps, you can ensure that your CloudTrail trails are integrated with CloudWatch Logs for PCI v3 compliance and have a robust monitoring system in place for your AWS account.
