This rule checks that every CloudTrail trail is integrated with CloudWatch Logs.
Rule: CloudTrail trails should be integrated with CloudWatch logs
Framework: RBI Cyber Security Framework
Severity: Critical
Rule/Policy Description:
The rule/policy states that CloudTrail trails should be integrated with CloudWatch Logs to meet the monitoring requirements outlined in the RBI (Reserve Bank of India) Cyber Security Framework. Without this integration, CloudTrail events land only in an S3 bucket, where they are available for after-the-fact review but not for near real-time alerting.
By sending trail events to CloudWatch Logs, organizations get a centralized, searchable copy of API activity from all regions covered by the trail and can define metric filters and alarms on specific events (for example root account use, IAM policy changes or security group modifications), which is how the detection and response expectations of the framework are met in practice.
Troubleshooting Steps:
While setting up the integration between CloudTrail and CloudWatch logs, you may encounter some common issues. Here are the troubleshooting steps to resolve them:
Missing Permissions: Two identities are involved and both need the right permissions. The IAM user or role that configures the integration needs cloudtrail:UpdateTrail (or cloudtrail:CreateTrail) and iam:PassRole on the role it hands to CloudTrail. The role that CloudTrail assumes to deliver events must have a trust policy that allows the cloudtrail.amazonaws.com service principal to call sts:AssumeRole, and a permissions policy that allows logs:CreateLogStream and logs:PutLogEvents on the target log group and its log streams (these actions are in the logs: namespace, not cloudwatch:).
Incorrect Log Group Configuration: Double-check the CloudWatch Logs log group configuration to ensure it matches the intended setup. The log group must already exist when the trail is updated, and its ARN and the region it lives in must match what you pass to CloudTrail.
CloudTrail and CloudWatch Logs in Different Regions: The log group must be in the same region as the trail (the trail's home region). A multi-region trail still uses a single log group in its home region, and CloudTrail delivers events from every region into it, so create the log group where the trail is managed rather than where the activity happens.
Disabled Trail Logging: Ensure that the CloudTrail trail is enabled for logging. If logging is disabled, no logs will be sent to CloudWatch.
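The troubleshooting items above can be turned into a mechanical check. The following Python script is an added example, not part of the original rule text and not an AWS tool: it evaluates API-shaped data offline and reports, per trail, whether a log group and role are attached, whether logging is on, whether the log group sits in the trail's home region, and whether the delivery role's trust and permissions policies actually grant cloudtrail.amazonaws.com the logs:CreateLogStream and logs:PutLogEvents actions on the streams CloudTrail writes. The trail names, the account ID 111122223333 and the role name CloudTrail_CloudWatchLogs_Role are made up; in practice you would feed it the output of aws cloudtrail describe-trails, aws cloudtrail get-trail-status and aws iam get-role / get-role-policy.

```python
"""Evaluate CloudTrail -> CloudWatch Logs integration offline from API-shaped data."""
import fnmatch

# Constructed sample data mirroring the shape of `aws cloudtrail describe-trails`,
# `aws cloudtrail get-trail-status` and `aws iam get-role` output. Nothing here
# was captured from a real account.
ACCOUNT = "111122223333"
TRAILS = [
    {   # fully integrated, logging on
        "Name": "management-events",
        "HomeRegion": "ap-south-1",
        "CloudWatchLogsLogGroupArn": f"arn:aws:logs:ap-south-1:{ACCOUNT}:log-group:CloudTrail/DefaultLogGroup:*",
        "CloudWatchLogsRoleArn": f"arn:aws:iam::{ACCOUNT}:role/CloudTrail_CloudWatchLogs_Role",
    },
    {   # log group in the wrong region, logging stopped, role policy does not cover it
        "Name": "legacy-trail",
        "HomeRegion": "ap-south-1",
        "CloudWatchLogsLogGroupArn": f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:legacy:*",
        "CloudWatchLogsRoleArn": f"arn:aws:iam::{ACCOUNT}:role/CloudTrail_CloudWatchLogs_Role",
    },
    {"Name": "unattached-trail", "HomeRegion": "ap-south-1"},  # no CloudWatch Logs integration
]
TRAIL_STATUS = {
    "management-events": {"IsLogging": True},
    "legacy-trail": {"IsLogging": False},
    "unattached-trail": {"IsLogging": True},
}
# Trust policy (AssumeRolePolicyDocument) and inline permissions policy of the delivery role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "cloudtrail.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": f"arn:aws:logs:ap-south-1:{ACCOUNT}:log-group:CloudTrail/DefaultLogGroup:"
                    f"log-stream:{ACCOUNT}_CloudTrail_ap-south-1*",
    }],
}
REQUIRED_ACTIONS = ("logs:CreateLogStream", "logs:PutLogEvents")


def _as_set(value):
    """IAM accepts a string or a list in Action/Resource/Principal.Service; normalise to a set."""
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)


def role_problems(trust_policy, permissions_policy, group_arn):
    """Problems that would stop CloudTrail delivering to the log group through this role."""
    problems = []
    trusted = any(
        stmt.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_set(stmt.get("Action"))
        and isinstance(stmt.get("Principal"), dict)
        and "cloudtrail.amazonaws.com" in _as_set(stmt["Principal"].get("Service"))
        for stmt in trust_policy["Statement"])
    if not trusted:
        problems.append("trust policy does not let cloudtrail.amazonaws.com assume the role")
    # arn:aws:logs:<region>:<account>:log-group:<name>[:*]  (log group names never contain ':')
    _, _, _, region, account, _, name = group_arn.split(":")[:7]
    # CloudTrail names its streams <account>_CloudTrail_<region>; check the home-region stream.
    stream_arn = f"arn:aws:logs:{region}:{account}:log-group:{name}:log-stream:{account}_CloudTrail_{region}"
    for action in REQUIRED_ACTIONS:
        allowed = any(
            stmt.get("Effect") == "Allow"
            and any(fnmatch.fnmatchcase(action, pat) for pat in _as_set(stmt.get("Action")))
            and any(fnmatch.fnmatchcase(stream_arn, pat) for pat in _as_set(stmt.get("Resource")))
            for stmt in permissions_policy["Statement"])
        if not allowed:
            problems.append(f"role policy does not allow {action} on {stream_arn}")
    return problems


def evaluate_trail(trail, status, trust_policy, permissions_policy):
    """Findings for one trail; an empty list means the trail satisfies this rule."""
    findings = []
    if not status.get("IsLogging"):
        findings.append("trail logging is stopped, so nothing is delivered to CloudWatch Logs")
    group_arn = trail.get("CloudWatchLogsLogGroupArn")
    if not group_arn or not trail.get("CloudWatchLogsRoleArn"):
        findings.append("no CloudWatch Logs log group and role attached to the trail")
        return findings
    group_region = group_arn.split(":")[3]
    if group_region != trail["HomeRegion"]:
        findings.append(f"log group is in {group_region} but the trail's home region is {trail['HomeRegion']}")
    findings.extend(role_problems(trust_policy, permissions_policy, group_arn))
    return findings


def evaluate_all(trails=TRAILS, statuses=TRAIL_STATUS, trust=TRUST_POLICY, perms=PERMISSIONS_POLICY):
    """Map trail name -> list of findings."""
    return {t["Name"]: evaluate_trail(t, statuses[t["Name"]], trust, perms) for t in trails}


if __name__ == "__main__":
    for name, findings in evaluate_all().items():
        print(f"{name}: {'COMPLIANT' if not findings else 'NON-COMPLIANT'}")
        for finding in findings:
            print(f"  - {finding}")
```

Resource and action patterns are matched with shell-style wildcards, so a broad `logs:*` on `*` is accepted as well as the narrow stream pattern above; the check deliberately reports each missing action separately because a role that can create streams but not put events produces an empty log group that looks configured from the console.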
Necessary Codes:
The rule/policy description does not prescribe specific commands. However, you may need the AWS CLI (Command Line Interface) to configure the CloudTrail and CloudWatch Logs integration. The following commands cover the setup; note that create-trail only creates the trail, and start-logging is what turns event delivery on:
# Create a CloudWatch Logs group in the region that will be the trail's home region
aws logs create-log-group --log-group-name <LogGroupName>
# Create a multi-region CloudTrail trail with log file validation and global service events
aws cloudtrail create-trail --name <TrailName> --s3-bucket-name <S3BucketName> --is-multi-region-trail --enable-log-file-validation --include-global-service-events
# Start logging; a newly created trail does not record events until this is run
aws cloudtrail start-logging --name <TrailName>
# Update the trail to send events to CloudWatch Logs through the IAM role CloudTrail assumes
aws cloudtrail update-trail --name <TrailName> --cloud-watch-logs-log-group-arn <LogGroupARN> --cloud-watch-logs-role-arn <LogRoleARN>
Make sure to replace <LogGroupName>, <TrailName>, <S3BucketName>, <LogGroupARN>, and <LogRoleARN> with your specific configuration details. <LogGroupARN> is the ARN of the log group created above (it ends in :*), and <LogRoleARN> is the ARN of an IAM role whose trust policy allows cloudtrail.amazonaws.com to assume it and whose permissions policy grants logs:CreateLogStream and logs:PutLogEvents on that log group.
Step-by-Step Guide for Integration:
Follow the steps below to integrate CloudTrail trails with CloudWatch Logs:
Create a CloudWatch Logs Group: create the log group in the region that will be the trail's home region, since CloudTrail only delivers to a log group in that region.
Create a CloudTrail Trail: create the trail against an S3 bucket, enable log file validation and global service events, and start logging on the trail.
Update the Trail to Send Logs to CloudWatch Logs: create the IAM role that CloudTrail will assume (trusting cloudtrail.amazonaws.com, with logs:CreateLogStream and logs:PutLogEvents on the log group), then update the trail with the log group ARN and the role ARN.
Once the configuration is completed, CloudTrail logs will be sent to the specified CloudWatch Logs group, enabling you to monitor and analyze the logs using CloudWatch features and capabilities.
Note: Review the logging configuration periodically, in particular after new trails, regions or accounts are added, to confirm that every trail is still logging and still attached to a CloudWatch Logs log group, so that this control remains effective.