
Rule: CloudTrail trails should be integrated with CloudWatch logs

This rule ensures integration of CloudTrail trails with CloudWatch logs for enhanced monitoring and auditing.

Rule: CloudTrail trails should be integrated with CloudWatch logs
Framework: FedRAMP Moderate Revision 4
Severity: Critical

Rule Description

CloudTrail is a service in AWS that enables governance, compliance, operational auditing, and risk auditing of your AWS account. It records all API calls made within your AWS environment. CloudWatch Logs is a service that enables you to collect, monitor, and analyze log data generated from various sources within AWS.

To comply with the FedRAMP Moderate Revision 4 requirement, CloudTrail trails should be integrated with CloudWatch Logs. This integration assists in centralizing and securely storing AWS API logs in real-time. By enabling this integration, you ensure compliance with security standards and enhance your ability to monitor and investigate any suspicious activity within your AWS account.

Troubleshooting Steps

If you encounter any issues while integrating CloudTrail with CloudWatch Logs, follow these troubleshooting steps:

  1. Check IAM Roles: Ensure that the IAM role used by the CloudTrail service has the necessary permissions to write logs to CloudWatch Logs. Verify that the IAM role has the cloudtrail:PutLogEvents and cloudtrail:CreateLogStream permissions.

  2. Verify CloudTrail Trail Configuration: Double-check the configuration settings for your CloudTrail trail. Ensure that you have selected the appropriate log group in CloudWatch Logs to receive the CloudTrail logs.

  3. Check AWS Regions: Make sure that both CloudTrail and CloudWatch Logs are operating in the same AWS region. If they are in different regions, you won't be able to integrate them.

  4. CloudWatch Logs Agent Configuration: If you are using an EC2 instance to run the CloudWatch Logs agent, verify the agent configuration file. Ensure that the log file directory, log group name, and log stream name are correctly specified.

  5. CloudTrail Log File Integrity: If CloudTrail log files are not showing up in CloudWatch Logs, ensure that the log files are being delivered to the S3 bucket associated with your CloudTrail trail. Check for any errors or issues with log file delivery.

  6. Retry Log Events: If log events are not being displayed in CloudWatch Logs, try restarting your CloudTrail trail. This can help resolve temporary communication issues between CloudTrail and CloudWatch Logs.

Necessary Codes

No specific codes are required for integrating CloudTrail with CloudWatch Logs. However, you may need to use the AWS CLI or AWS Management Console to modify CloudTrail trail settings or check CloudWatch Logs configurations.

Step-by-Step Guide for Integration

Follow these steps to integrate CloudTrail with CloudWatch Logs:

  1. Open the AWS Management Console: Sign in to the AWS Management Console using your credentials.

  2. Navigate to the CloudTrail service: In the AWS Management Console, search for "CloudTrail" in the search bar or locate it under the "Management & Governance" category.

  3. Select your CloudTrail trail: Click on the CloudTrail trail that you want to integrate with CloudWatch Logs from the list of trails available.

  4. Click on "Edit" next to "CloudWatch Logs": In the CloudTrail trail details page, scroll down to the "CloudWatch Logs" section and click on the "Edit" button.

  5. Choose an existing log group or create a new one: You can either select an existing log group or create a new one to receive the CloudTrail logs. If you choose to create a new log group, enter a name for the log group and click on "Create a new log group".

  6. Save the changes: After selecting or creating the log group, click on the "Save" button to save the integration settings.

  7. Verify the integration: Once the changes are saved, verify that the CloudTrail trail status shows "Logging" and the CloudWatch Logs field shows the selected log group name.

By following these steps, you will successfully integrate CloudTrail with CloudWatch Logs, ensuring compliance with FedRAMP Moderate Revision 4 requirements.
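As an added example (not Cloud Defense's own code), the following Python performs the verification in step 7 across every trail in an account, using the fields that the CloudTrail DescribeTrails and GetTrailStatus API calls return, and also applies the same-region condition from troubleshooting step 3. The sample responses, account id and role name are constructed; the live call in main() assumes boto3 and AWS credentials are available.

```python
# Evaluate "CloudTrail trails should be integrated with CloudWatch Logs" over DescribeTrails / GetTrailStatus data.

def _arn_region(arn: str) -> str:
    # ARN layout: arn:partition:service:region:account:resource
    parts = arn.split(":")
    return parts[3] if len(parts) > 3 else ""

def evaluate_trail(trail: dict, status=None) -> tuple:
    """Return ("PASS" | "FAIL", reason) for one entry of DescribeTrails.trailList."""
    group_arn = trail.get("CloudWatchLogsLogGroupArn")
    if not group_arn:
        return "FAIL", "no CloudWatch Logs log group configured (S3 delivery only)"
    if not trail.get("CloudWatchLogsRoleArn"):
        return "FAIL", "log group set but no IAM role for CloudTrail to write with"
    home = trail.get("HomeRegion", "")
    if _arn_region(group_arn) != home:  # the log group must live in the trail's home region
        return "FAIL", f"log group region {_arn_region(group_arn)!r} != home region {home!r}"
    if status is not None:  # optional GetTrailStatus result for the same trail
        if not status.get("IsLogging", False):
            return "FAIL", "trail exists but is not logging"
        if status.get("LatestCloudWatchLogsDeliveryError"):
            return "FAIL", "last delivery failed: " + status["LatestCloudWatchLogsDeliveryError"]
    return "PASS", "integrated with CloudWatch Logs"

def evaluate_all(trails: list, statuses=None) -> dict:
    statuses = statuses or {}
    return {t["Name"]: evaluate_trail(t, statuses.get(t["Name"])) for t in trails}

# Constructed sample responses (fake account id, not real data) so the check runs offline.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "HomeRegion": "us-east-1",
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:CloudTrail/org:*",
     "CloudWatchLogsRoleArn": "arn:aws:iam::111111111111:role/CloudTrail_CloudWatchLogs_Role"},
    {"Name": "legacy-trail", "HomeRegion": "us-west-2"},  # S3 delivery only, no log group
    {"Name": "cross-region-trail", "HomeRegion": "eu-west-1",
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:CloudTrail/eu:*",
     "CloudWatchLogsRoleArn": "arn:aws:iam::111111111111:role/CloudTrail_CloudWatchLogs_Role"},
]
SAMPLE_STATUS = {"org-trail": {"IsLogging": True, "LatestCloudWatchLogsDeliveryError": ""}}

def main() -> None:
    import boto3  # only needed for the live check; the evaluation itself is pure Python
    ct = boto3.client("cloudtrail")
    trails = ct.describe_trails(includeShadowTrails=False)["trailList"]
    statuses = {t["Name"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    for name, (verdict, why) in evaluate_all(trails, statuses).items():
        print(f"{verdict:4} {name}: {why}")

if __name__ == "__main__":
    main()
```

Run it without credentials by calling evaluate_all(SAMPLE_TRAILS, SAMPLE_STATUS): org-trail passes, legacy-trail fails for having no log group, and cross-region-trail fails because its log group is not in the trail's home region.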
