Rule: At Least One Enabled Trail Should be Present in a Region

This rule ensures at least one enabled CloudTrail trail is present in a specific region.

Rule: At least one enabled trail should be present in a region
Framework: FedRAMP Moderate Revision 4
Severity: Low

Rule Description:

The rule requires the presence of at least one enabled trail in a specific region to comply with the FedRAMP (Federal Risk and Authorization Management Program) Moderate Revision 4 regulations. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies.

Troubleshooting Steps:

If the requirement is not met, follow these troubleshooting steps to ensure compliance:

  1. Check the AWS Management Console to verify if any trail has been created and enabled in the specific region specified by the rule.

  2. If no trail exists, create a new trail using the AWS Command Line Interface (CLI) or the AWS Management Console. Ensure that the trail is enabled and set to capture all required events.

  3. If the trail exists but is not enabled, enable the trail by navigating to the CloudTrail service in the AWS Management Console, selecting the trail, and enabling it.

  4. Once the trail is enabled, review the settings to ensure that it captures all the necessary events as per FedRAMP Moderate Revision 4 requirements. Adjust the trail configuration if needed.

  5. After enabling and configuring the trail, verify if the rule compliance is reflected in the AWS Security Hub or any other compliance monitoring tool that you are using.

Necessary Code:

Here's an example of the AWS CLI command to create a new trail:

aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <s3-bucket-name> --is-multi-region-trail --include-global-service-events

This command creates a new trail with the specified trail name and enables the capturing of global service events. Replace <trail-name> with the desired name for your trail and <s3-bucket-name> with the name of the S3 bucket where the trail logs will be stored.
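To script the check from the troubleshooting steps, the following added example (not from the original page) lists the trails in a region that are actually logging and reports pass or fail. The function names `logging_trails` and `check_region` are hypothetical, and it assumes the AWS CLI is configured with permission to call `describe-trails` and `get-trail-status`.

```sh
#!/bin/sh
# Added example, not vendor code: evaluate the rule
# "at least one enabled trail should be present in a region".
# A trail counts as enabled only when get-trail-status reports IsLogging.
# Note: a trail made with `aws cloudtrail create-trail` does not log until
# `aws cloudtrail start-logging --name <trail-name>` has been run.
# Usage after sourcing this file: check_region us-east-1

# Print the ARN of every trail visible in region $1 that is logging.
logging_trails() {
  lt_region=$1
  # describe-trails returns trails homed in the region and, by default,
  # shadow copies of multi-region trails homed in other regions.
  lt_arns=$(aws cloudtrail describe-trails --region "$lt_region" \
              --query 'trailList[].TrailARN' --output text) || return 2
  for lt_arn in $lt_arns; do
    # A shadow trail must be addressed by ARN, so the ARN is always passed.
    lt_status=$(aws cloudtrail get-trail-status --region "$lt_region" \
                  --name "$lt_arn" --query 'IsLogging' --output text) || continue
    case $lt_status in
      [Tt]rue) printf '%s\n' "$lt_arn" ;;
    esac
  done
  return 0
}

# Return 0 if compliant, 1 if no trail is logging, 2 if the API call failed.
check_region() {
  cr_found=$(logging_trails "$1") || return 2
  if [ -n "$cr_found" ]; then
    printf 'PASS %s: %s\n' "$1" "$(printf '%s' "$cr_found" | tr '\n' ' ')"
    return 0
  fi
  printf 'FAIL %s: no trail is logging\n' "$1"
  return 1
}
```

A region that fails because a trail exists but is stopped is fixed by starting logging on that trail, not by creating a second one.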

Step-by-Step Guide:

Follow these steps to ensure compliance with the FedRAMP Moderate Revision 4 requirement of having at least one enabled trail in a specific region:

  1. Sign in to the AWS Management Console.

  2. Open the CloudTrail service.

  3. Check if there is already a trail created and enabled in the required region. If not, proceed to the next step.

  4. Click on the "Trails" tab and then click "Create a trail".

  5. Provide a suitable name for the trail in the "Trail name" field.

  6. Choose the S3 bucket where you want the trail logs to be stored from the "Storage Location" dropdown menu. If no bucket exists, create a new bucket and select it.

  7. Enable the "Apply trail to all regions" option if required.

  8. Enable the "Include global service events" option if required.

  9. Specify the settings for log file encryption, if desired.

  10. Configure additional settings such as data events or management events filtering, if required for compliance.

  11. Click "Create" to create the trail.

  12. Once the trail is created, go back to the "Trails" tab and select the newly created trail.

  13. Click "Edit" and ensure that the trail is enabled if it's not already.

  14. Review the trail configuration and adjust if necessary to comply with FedRAMP Moderate Revision 4 requirements.

  15. Verify the compliance status in the AWS Security Hub or any other compliance monitoring tool being used.

By following these steps, you will ensure compliance with the FedRAMP Moderate Revision 4 rule, which mandates the presence of at least one enabled trail in the specified region.
