This rule ensures that CloudTrail trails are integrated with CloudWatch logs for enhanced monitoring and security measures.
Rule: CloudTrail trails should be integrated with CloudWatch logs
Framework: Federal Financial Institutions Examination Council (FFIEC)
Severity: Critical
CloudTrail Integration with CloudWatch Logs for FFIEC Compliance
Integrating AWS CloudTrail with CloudWatch Logs is crucial for financial institutions that need to be compliant with the Federal Financial Institutions Examination Council (FFIEC) guidelines. This configuration ensures the ability to continuously monitor, record, and retain account activity related to actions across your AWS infrastructure, providing a key component of an effective security and compliance regime.
Benefits of Integration
Prerequisites
Step 1: Create/Select a CloudTrail Trail
Ensure you have a CloudTrail trail set up. If not, create one (the S3 bucket must already exist and carry a bucket policy that allows CloudTrail to write to it):
aws cloudtrail create-trail --name YourTrailName --s3-bucket-name YourS3BucketName
A trail created from the CLI does not record anything until you start it with the start-logging subcommand, so do that before expecting events to arrive.
Step 2: Create/Select CloudWatch Log Group
If you don't already have a CloudWatch Log Group created, establish one using:
aws logs create-log-group --log-group-name YourLogGroupName
Step 3: Integrate CloudTrail with CloudWatch Logs
Optionally, define which events the trail records:
aws cloudtrail put-event-selectors --trail-name YourTrailName --event-selectors file://event-selectors.json
In event-selectors.json, specify the resources and types of events (management events, S3 or Lambda data events, and so on) to record. Event selectors only control what CloudTrail captures; they do not by themselves connect the trail to CloudWatch Logs. That connection requires an IAM role CloudTrail can assume, followed by the update-trail call at the end of this step.
Create a new IAM role for the logs. This is the role CloudTrail assumes to send logs to CloudWatch Logs:
# Create the role with a trust policy (trust-policy.json) that lets the CloudTrail service assume it
aws iam create-role --role-name CloudTrail_CloudWatchLogs_Role --assume-role-policy-document file://trust-policy.json
# Attach an inline policy (policy.json) with the permissions CloudTrail needs on the log group
aws iam put-role-policy --role-name CloudTrail_CloudWatchLogs_Role --policy-name CloudTrail_CloudWatchLogs_Policy --policy-document file://policy.json
Ensure policy.json and trust-policy.json have the correct permissions and trust relationships set up: trust-policy.json should allow only the cloudtrail.amazonaws.com service principal to call sts:AssumeRole, and policy.json should grant just logs:CreateLogStream and logs:PutLogEvents, with the resource limited to the log streams under YourLogGroupName rather than a wildcard over every log group in the account. Then update the trail to use the new role and log group:
aws cloudtrail update-trail --name YourTrailName --cloud-watch-logs-log-group-arn arn:aws:logs:region:account-id:log-group:YourLogGroupName --cloud-watch-logs-role-arn arn:aws:iam::account-id:role/CloudTrail_CloudWatchLogs_Role
If this call is rejected immediately after the role was created, wait a few seconds for IAM to propagate and retry. Confirm the result with describe-trails: a compliant trail reports both CloudWatchLogsLogGroupArn and CloudWatchLogsRoleArn.
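The guide leaves the contents of trust-policy.json and policy.json to the reader, and the rule itself is the check that a trail carries both CloudWatch Logs fields. The following added example (not code from the original guide or from AWS) generates the two documents with least-privilege scope and runs the rule's check over trail records shaped like the output of `aws cloudtrail describe-trails`. It uses only the Python standard library so it runs offline; the region, account ID and the two trail records are constructed placeholders.

```python
"""Added example: build the IAM documents Step 3 needs and check trails the way
this rule does.  REGION, ACCOUNT_ID and the sample trail records below are
constructed placeholders shaped like `aws cloudtrail describe-trails` output."""
import json

REGION = "us-east-1"          # assumption: placeholder region
ACCOUNT_ID = "123456789012"   # assumption: placeholder account ID
LOG_GROUP = "YourLogGroupName"
ROLE_NAME = "CloudTrail_CloudWatchLogs_Role"
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:{LOG_GROUP}"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"
REQUIRED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}


def _as_list(value):
    """IAM allows a string or a list in Action/Service; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy():
    """trust-policy.json: only the CloudTrail service principal may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def permissions_policy():
    """policy.json: the two actions CloudTrail needs, scoped to streams in this one log group."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": sorted(REQUIRED_ACTIONS),
        "Resource": f"{LOG_GROUP_ARN}:log-stream:*"}]}


def role_findings(trust, perms):
    """Reasons the role documents would not let CloudTrail deliver logs (empty = ok)."""
    findings = []
    principals = set()
    for s in trust["Statement"]:
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action")):
            p = s.get("Principal")
            principals.update(_as_list(p.get("Service")) if isinstance(p, dict) else [])
    if "cloudtrail.amazonaws.com" not in principals:
        findings.append("trust policy does not let cloudtrail.amazonaws.com assume the role")
    allowed = set()
    for s in perms["Statement"]:
        if s.get("Effect") == "Allow":
            allowed.update(_as_list(s.get("Action")))
    missing = REQUIRED_ACTIONS - allowed
    if missing:
        findings.append("permissions policy lacks " + ", ".join(sorted(missing)))
    return findings


def trail_findings(trail):
    """The rule's check: both CloudWatch Logs fields set, role living in the trail's own account."""
    findings = []
    trail_arn = trail.get("TrailARN", "")
    account = trail_arn.split(":")[4] if trail_arn.count(":") >= 5 else ""
    log_group = trail.get("CloudWatchLogsLogGroupArn") or ""
    role = trail.get("CloudWatchLogsRoleArn") or ""
    if not log_group:
        findings.append("CloudWatchLogsLogGroupArn is not set")
    elif not log_group.startswith("arn:aws:logs:"):
        findings.append("CloudWatchLogsLogGroupArn is not a CloudWatch Logs ARN")
    if not role:
        findings.append("CloudWatchLogsRoleArn is not set")
    elif not role.startswith(f"arn:aws:iam::{account}:role/"):
        findings.append("CloudWatchLogsRoleArn is not an IAM role in the trail's account")
    return findings


# Constructed records shaped like `aws cloudtrail describe-trails` output.
TRAIL_ARN = f"arn:aws:cloudtrail:{REGION}:{ACCOUNT_ID}:trail/YourTrailName"
COMPLIANT_TRAIL = {"Name": "YourTrailName", "TrailARN": TRAIL_ARN,
                   "S3BucketName": "YourS3BucketName",
                   "CloudWatchLogsLogGroupArn": f"{LOG_GROUP_ARN}:*",
                   "CloudWatchLogsRoleArn": ROLE_ARN}
NONCOMPLIANT_TRAIL = {"Name": "legacy-trail",
                      "TrailARN": TRAIL_ARN.replace("YourTrailName", "legacy-trail"),
                      "S3BucketName": "YourS3BucketName"}

if __name__ == "__main__":
    for name, doc in (("trust-policy.json", trust_policy()), ("policy.json", permissions_policy())):
        with open(name, "w") as fh:
            json.dump(doc, fh, indent=2)
    print("role documents:", role_findings(trust_policy(), permissions_policy()) or "ok")
    for trail in (COMPLIANT_TRAIL, NONCOMPLIANT_TRAIL):
        print(trail["Name"], trail_findings(trail) or "compliant")
```

Running the script writes the two JSON files the create-role and put-role-policy commands above expect, then prints one line per sample trail. Feeding it the real `describe-trails --query trailList` output instead of the constructed records turns it into the audit this rule performs.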
Step 4: Configure Monitoring and Alarms
With the integration complete, you can now create metric filters and alarms to monitor specific activity. For instance:
# Create a metric filter that counts every event whose errorCode signals a denied or unauthorized call
aws logs put-metric-filter --log-group-name YourLogGroupName --filter-name "FilterName" --filter-pattern '{($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}' --metric-transformations metricName=ExampleMetric,metricNamespace='CloudTrailMetrics',metricValue=1
# Create an alarm that fires when the metric sums to 1 or more in any 5-minute period
aws cloudwatch put-metric-alarm --alarm-name "UnauthorizedActivityAlarm" --metric-name ExampleMetric --namespace 'CloudTrailMetrics' --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --alarm-actions arn:aws:sns:region:account-id:alarm-topic
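To see what the filter and alarm above actually do to a stream of CloudTrail events, here is an added example (not code from the original guide or from AWS) that applies the same two filter clauses to constructed CloudTrail records, sums matches per 300-second period the way the Sum statistic does, and reports which periods would trip the alarm. It implements only the string-with-wildcard form of the CloudWatch Logs filter syntax that the pattern above uses; the sample events are made up for the example.

```python
"""Added example: evaluate the Step 4 metric filter and alarm offline against
constructed CloudTrail events.  Only the `$.field = "glob"` clause form is
implemented, which is all the pattern on this page uses."""
import json
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# The two clauses of the CLI pattern, OR'd together:
#   {($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}
FILTER_CLAUSES = [("errorCode", "*UnauthorizedOperation"), ("errorCode", "AccessDenied*")]
PERIOD_SECONDS = 300  # --period 300
THRESHOLD = 1         # --threshold 1 with GreaterThanOrEqualToThreshold

# Constructed CloudTrail events (one JSON object per line), not real account data.
RAW_EVENTS = """
{"eventTime": "2024-05-01T10:01:10Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation"}
{"eventTime": "2024-05-01T10:03:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "errorCode": "AccessDenied"}
{"eventTime": "2024-05-01T10:07:45Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets"}
{"eventTime": "2024-05-01T10:12:30Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "errorCode": "AccessDeniedException"}
{"eventTime": "2024-05-01T10:14:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "errorCode": "ThrottlingException"}
"""
SAMPLE_EVENTS = [json.loads(line) for line in RAW_EVENTS.strip().splitlines()]


def event_matches(event, clauses=FILTER_CLAUSES):
    """True when any clause matches: the field exists and the glob matches its value.
    A successful call carries no errorCode at all, so it never matches."""
    for field, glob in clauses:
        value = event.get(field)
        if isinstance(value, str) and fnmatchcase(value, glob):
            return True
    return False


def period_start(event_time):
    """Epoch seconds of the 5-minute bucket that contains this eventTime."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(ts.timestamp())
    return epoch - (epoch % PERIOD_SECONDS)


def metric_by_period(events):
    """Sum of metricValue=1 per period: the Sum statistic the alarm evaluates."""
    counts = {}
    for event in events:
        if event_matches(event):
            bucket = period_start(event["eventTime"])
            counts[bucket] = counts.get(bucket, 0) + 1
    return counts


def alarming_periods(events):
    """Periods in which Sum >= THRESHOLD, i.e. where the alarm would go to ALARM."""
    return sorted(p for p, n in metric_by_period(events).items() if n >= THRESHOLD)


if __name__ == "__main__":
    for bucket, count in sorted(metric_by_period(SAMPLE_EVENTS).items()):
        when = datetime.fromtimestamp(bucket, timezone.utc).strftime("%H:%M")
        print(f"{when}  Sum={count}  alarm={'yes' if count >= THRESHOLD else 'no'}")
```

The throttled RunInstances call and the successful ListBuckets are not counted, which is the intent of the pattern: it keys on authorization failures, not on every error. With evaluation-periods set to 1, a single match in a period is enough, so expect noise from legitimately misconfigured automation; raise the threshold or split the filter per eventSource once you know the baseline.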
Troubleshooting Steps
If you encounter issues with the integration:
Following these steps will help meet FFIEC compliance by establishing the necessary audit trails and real-time monitoring of AWS environments. Remember that while this guide is detailed, it might require custom adjustments to fit specific organizational needs and compliance requirements.