
Rule: CloudTrail trails should be integrated with CloudWatch logs

This rule highlights the importance of integrating CloudTrail trails with CloudWatch logs for enhanced security.

Framework: CISA-cyber-essentials
Severity: Critical

Rule Description: CloudTrail trails should be integrated with CloudWatch logs for CISA-cyber-essentials

Description:

CloudTrail is the AWS service that records API activity in an account: every action taken by a user, role, or AWS service is captured as an event and delivered as log files to an S3 bucket. CloudWatch Logs is the AWS service for collecting, searching, and alerting on log data. Integrating a trail with CloudWatch Logs delivers the same events to a log group in near real time, where metric filters and alarms can fire on high-value activity (root account use, IAM policy changes, security group changes, CloudTrail being disabled) instead of relying on periodic analysis of files in S3. The integration does not replace S3 delivery; the trail continues to write to its bucket, and the log group should be given a retention period that matches your investigation needs.

To comply with the CISA (Cybersecurity and Infrastructure Security Agency) Cyber Essentials, it is recommended to integrate CloudTrail trails with CloudWatch Logs. This ensures that the audit events captured by CloudTrail are available in CloudWatch Logs for centralized monitoring, alerting, and analysis.

Troubleshooting Steps:

  1. Verify that CloudTrail is enabled in your AWS account. In the AWS Management Console, open CloudTrail and check whether any trails exist. If none do, create one; a multi-region trail is the usual choice so that activity in every region is captured.

  2. Confirm that a CloudWatch Logs log group is available. CloudWatch Logs does not need to be enabled as a service: open CloudWatch, choose "Logs" and then "Log groups" in the sidebar, and look for a log group intended for the trail. If none exists, CloudTrail can create one when you configure the trail.

  3. Review the trail configuration. Open the trail and confirm that CloudWatch Logs delivery is enabled and points at the intended log group. From the CLI, "aws cloudtrail describe-trails" reports this as the CloudWatchLogsLogGroupArn and CloudWatchLogsRoleArn fields; both must be present for the trail to be compliant.

  4. Verify the IAM role that CloudTrail assumes to deliver events. Its trust policy must allow the cloudtrail.amazonaws.com service principal to assume it, and its permissions policy must allow logs:CreateLogStream and logs:PutLogEvents on the target log group. Keep the policy scoped to that log group rather than granting broad CloudWatch Logs permissions.

  5. Check for delivery errors. If events are not appearing in the log group, open the trail details (or run "aws cloudtrail get-trail-status") and inspect the latest CloudWatch Logs delivery error; a missing permission or a mismatched log group or role ARN shows up there. Subscription filters on the log group only forward events onward (to Lambda, Kinesis, and so on) and play no part in delivery from CloudTrail, so they are not the place to look for this problem.

Necessary Codes:

No code is strictly required for this rule: the integration can be configured entirely through the AWS Management Console. The same change can be made with the AWS CLI ("aws cloudtrail update-trail" with the log group ARN and role ARN) or the CloudTrail API, which is the practical route when the fix must be applied across many accounts or regions.

Step-by-Step Guide for Remediation:

  1. Open the AWS Management Console and navigate to the CloudTrail service.

  2. In the CloudTrail dashboard, choose "Trails" in the sidebar.

  3. If no trail exists, choose "Create trail". Otherwise select the trail to modify and choose "Edit".

  4. In the trail settings, find the "CloudWatch Logs" section. It is separate from the "Storage location" section, which covers the S3 bucket that receives the log files.

  5. Select "Enabled", then either choose an existing log group or enter a name for a new one, and either choose an existing IAM role or let the console create a new role that grants CloudTrail permission to write to that log group.

  6. (Optional) Configure additional settings for the trail, such as SSE-KMS encryption of the log files in S3 or log file validation.

  7. Choose "Save changes" (or, for a new trail, complete the remaining steps and choose "Create trail").

  8. Verify the configuration. After a few minutes, open the log group in CloudWatch Logs and confirm that log streams named after the account ID and region are receiving events. Also check the trail's status for a CloudWatch Logs delivery error, which is where a misconfigured role or log group ARN is reported.
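The two procedures above (finding trails that lack the integration, then attaching a log group and a least-privilege delivery role and confirming delivery) can be automated. The following Python is an added example written for this page, not Cloud Defense code: the trail names, account ID, log group and role names, and the API responses it carries are constructed for illustration. The audit and policy-building functions run offline; only remediate() calls AWS through boto3 and needs credentials.

```python
"""Audit CloudTrail -> CloudWatch Logs integration and remediate it.

Added example for this rule page; not Cloud Defense code.  The sample
API responses below are constructed and are not real account data.
Only remediate() talks to AWS (via boto3); the rest is pure logic.
"""
import json

# Constructed sample of what boto3's cloudtrail.describe_trails() (or
# `aws cloudtrail describe-trails`) returns: one compliant trail and one
# trail that still delivers only to S3.  Account ID is a placeholder.
SAMPLE_DESCRIBE_TRAILS = {
    "trailList": [
        {
            "Name": "org-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
            "IsMultiRegionTrail": True,
            "CloudWatchLogsLogGroupArn":
                "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/org-trail:*",
            "CloudWatchLogsRoleArn":
                "arn:aws:iam::111122223333:role/CloudTrail_CloudWatchLogs_Role",
        },
        {
            "Name": "legacy-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-trail",
            "IsMultiRegionTrail": False,
        },
    ]
}


def noncompliant_trails(describe_trails_output):
    """Names of trails with no CloudWatch Logs delivery configured.
    CloudTrail reports the integration as two fields; both must be set."""
    return [
        t["Name"]
        for t in describe_trails_output.get("trailList", [])
        if not (t.get("CloudWatchLogsLogGroupArn") and t.get("CloudWatchLogsRoleArn"))
    ]


def delivery_role_policies(log_group_arn):
    """Trust and permissions policies for the role CloudTrail assumes.
    Least privilege: only the CloudTrail service principal may assume it,
    and it may only create streams and put events in this one log group."""
    trust = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }
    permissions = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": log_group_arn,
        }],
    }
    return trust, permissions


def delivery_ok(trail_status):
    """Interpret a get_trail_status() response: True only if CloudTrail has
    delivered to CloudWatch Logs at least once and the last attempt succeeded."""
    if trail_status.get("LatestCloudWatchLogsDeliveryError"):
        return False
    return "LatestCloudWatchLogsDeliveryTime" in trail_status


def remediate(trail_name, log_group_name, role_name, region="us-east-1"):
    """Create the log group and delivery role if missing, attach them to the
    trail, and return the trail status.  Requires boto3 and AWS credentials;
    the trail, log group and role names are supplied by the caller."""
    import boto3  # imported here so the offline checks above need no AWS SDK

    account = boto3.client("sts").get_caller_identity()["Account"]
    logs = boto3.client("logs", region_name=region)
    try:
        logs.create_log_group(logGroupName=log_group_name)
    except logs.exceptions.ResourceAlreadyExistsException:
        pass
    log_group_arn = f"arn:aws:logs:{region}:{account}:log-group:{log_group_name}:*"

    iam = boto3.client("iam")
    trust, permissions = delivery_role_policies(log_group_arn)
    try:
        iam.create_role(RoleName=role_name,
                        AssumeRolePolicyDocument=json.dumps(trust))
    except iam.exceptions.EntityAlreadyExistsException:
        pass
    iam.put_role_policy(RoleName=role_name,
                        PolicyName="CloudTrailToCloudWatchLogs",
                        PolicyDocument=json.dumps(permissions))
    role_arn = f"arn:aws:iam::{account}:role/{role_name}"

    # A freshly created role can take a few seconds to propagate; if this
    # call fails with InvalidCloudWatchLogsRoleArnException, retry it.
    cloudtrail = boto3.client("cloudtrail", region_name=region)
    cloudtrail.update_trail(Name=trail_name,
                            CloudWatchLogsLogGroupArn=log_group_arn,
                            CloudWatchLogsRoleArn=role_arn)
    return cloudtrail.get_trail_status(Name=trail_name)


if __name__ == "__main__":
    print("Non-compliant trails:", noncompliant_trails(SAMPLE_DESCRIBE_TRAILS))
```

Run the audit against the output of describe_trails() for every region that has a trail (a multi-region trail appears once, in its home region). After remediate(), the status it returns will not yet show a delivery time, since CloudTrail delivers in batches; call get_trail_status() again a few minutes later and pass the result to delivery_ok() to confirm that events are actually arriving rather than assuming the configuration change was enough.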

Please make sure to review the specific AWS documentation for detailed instructions and any updates related to configuring and integrating CloudTrail with CloudWatch Logs.
