This rule ensures at least one multi-region AWS CloudTrail is present in the account.
Rule | At least one multi-region AWS CloudTrail should be present in an account |
Framework | GxP 21 CFR Part 11 |
Severity | ✔ Medium |
Rule Description
This rule ensures compliance with GxP 21 CFR Part 11 regulations by requiring the presence of at least one multi-region AWS CloudTrail in an AWS account.
AWS CloudTrail is a service that provides visibility and auditable logs for the activities and changes that occur within an AWS account. It helps in maintaining compliance and enables forensic investigations, security analysis, and troubleshooting.
For GxP 21 CFR Part 11 compliance, the audit record must be complete, so the trail must be multi-region. A multi-region trail records events from every AWS Region in the account's partition (including Regions enabled later) and delivers them to a single S3 bucket; a single-region trail silently misses all activity in every other Region. Note that multi-region is about coverage, not redundancy: the log files still live in one bucket, so protect that bucket separately (versioning, restrictive bucket policy, log file validation) if you need the records to survive deletion or tampering.
Troubleshooting Steps
If the multi-region AWS CloudTrail is not present, you can follow the steps below to troubleshoot:
Verify AWS CloudTrail Service: CloudTrail itself is always available in an account; the 90-day Event history it keeps by default is not a trail and does not satisfy this rule. Confirm in the CloudTrail console that a trail actually exists and that its status shows logging is on.
Check IAM Permissions: Ensure that the IAM user or role you remediate with can create and configure trails. The managed policy "AWSCloudTrail_FullAccess" (the older name "AWSCloudTrailFullAccess" is deprecated) is sufficient but broad; prefer a custom policy scoped to cloudtrail:CreateTrail, cloudtrail:UpdateTrail, cloudtrail:StartLogging and cloudtrail:GetTrailStatus, plus s3:PutBucketPolicy on the log bucket.
Check Region Availability: A multi-region trail automatically covers every Region that is enabled for the account in its partition, so there is no per-Region selection to make. What can be missing is an opt-in Region that has not been enabled in the account; activity there is not recorded until the Region is enabled. Refer to the AWS Regional Services List (https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) to verify the availability of CloudTrail in any Region you depend on.
Review Trail Configuration: If a trail already exists, open it and confirm that "Multi-region trail" is set to Yes and that logging is On (IsMultiRegionTrail and IsLogging in the API). A trail that is multi-region but stopped, or one that is logging but single-region, does not satisfy the rule.
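The check behind the troubleshooting steps above, as an added example that is not part of the original page or of any vendor tool: it evaluates the rule offline against the JSON shapes returned by "aws cloudtrail describe-trails" and "aws cloudtrail get-trail-status". The account id, trail names, bucket names and status values are constructed sample data; replace them with real CLI output. A trail only counts if it is multi-region and currently logging, which is the case the steps above warn about.

```python
"""Offline check for the rule: does the account have at least one
multi-region trail that is actually logging?

Input shapes are those of `aws cloudtrail describe-trails` (trailList) and
`aws cloudtrail get-trail-status --name <arn>` (IsLogging), keyed by TrailARN.
"""
from __future__ import annotations

import json
from typing import Any

ACCOUNT = "111111111111"  # constructed sample account id

# Constructed sample output: one single-region trail that is logging, and one
# multi-region trail whose logging has been stopped. Neither satisfies the rule.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {
            "Name": "us-east-only",
            "S3BucketName": "example-logs-a",
            "IncludeGlobalServiceEvents": True,
            "IsMultiRegionTrail": False,
            "HomeRegion": "us-east-1",
            "TrailARN": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/us-east-only",
            "LogFileValidationEnabled": True,
        },
        {
            "Name": "all-regions",
            "S3BucketName": "example-logs-b",
            "IncludeGlobalServiceEvents": True,
            "IsMultiRegionTrail": True,
            "HomeRegion": "eu-west-1",
            "TrailARN": f"arn:aws:cloudtrail:eu-west-1:{ACCOUNT}:trail/all-regions",
            "LogFileValidationEnabled": False,
        },
    ]
})

# Constructed get-trail-status results, one per trail ARN.
SAMPLE_STATUSES = {
    f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/us-east-only": {"IsLogging": True},
    f"arn:aws:cloudtrail:eu-west-1:{ACCOUNT}:trail/all-regions": {"IsLogging": False},
}


def evaluate_trails(describe_json: str, statuses: dict[str, dict[str, Any]]) -> tuple[bool, list[str]]:
    """Return (compliant, findings).

    A trail counts toward the rule only if IsMultiRegionTrail is true AND its
    status reports IsLogging true; a stopped trail records nothing.
    Findings explain each trail that falls short, plus advisory notes.
    """
    trails = json.loads(describe_json).get("trailList", [])
    findings: list[str] = []
    compliant = False
    for trail in trails:
        name, arn = trail["Name"], trail["TrailARN"]
        is_logging = statuses.get(arn, {}).get("IsLogging", False)
        if not trail.get("IsMultiRegionTrail", False):
            findings.append(f"{name}: single-region trail (home region {trail['HomeRegion']}); does not satisfy the rule")
            continue
        if not is_logging:
            findings.append(f"{name}: multi-region, but logging is stopped; start logging on it")
            continue
        if not trail.get("LogFileValidationEnabled", False):
            findings.append(f"{name}: satisfies the rule, but log file validation is disabled")
        compliant = True
    if not trails:
        findings.append("no trails are defined in this account")
    return compliant, findings


if __name__ == "__main__":
    ok, notes = evaluate_trails(SAMPLE_DESCRIBE_TRAILS, SAMPLE_STATUSES)
    print("COMPLIANT" if ok else "NON-COMPLIANT")
    for note in notes:
        print(" -", note)
```

To run it against a real account, save the output of "aws cloudtrail describe-trails" and, for each TrailARN it lists, "aws cloudtrail get-trail-status --name <arn>", then pass those in place of the sample data. Run it from every Region you care about only if you suspect shadow trails are hidden; by default describe-trails already lists multi-region trails homed elsewhere.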
Necessary Code
If you need to create a new multi-region AWS CloudTrail, you can use the AWS Command Line Interface (CLI). The create-trail call requires an S3 bucket that already exists and carries a bucket policy allowing cloudtrail.amazonaws.com to write to it, and a newly created trail records nothing until logging is started:
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail --enable-log-file-validation --include-global-service-events
aws cloudtrail start-logging --name <trail-name>
aws cloudtrail get-trail-status --name <trail-name>
Replace <trail-name> with your desired name for the trail and <bucket-name> with the log bucket. The last command should report "IsLogging": true.
Step-by-Step Guide for Remediation
To remediate the absence of a multi-region CloudTrail, follow these steps:
Log in to the AWS Management Console and navigate to the CloudTrail service.
Click on "Trails" in the left sidebar.
If you already have a trail configured, open it and check the "Trail Details" section: "Multi-region trail" must read Yes and logging must be On. A multi-region trail that has been stopped does not satisfy the rule.
If there is no existing trail or it is not a multi-region trail, click on "Create trail" to create a new trail.
Provide a name for the trail in the "Trail name" field.
Set "Apply trail to all regions" to Yes (newer versions of the console present the same choice as a multi-region option that is on by default). It is a single switch, not a list of Regions to pick from; the trail then covers every Region enabled in the account.
Enable "Log file validation" to ensure the integrity and authenticity of CloudTrail log files.
Keep "Include global service events" enabled so that events from global services such as IAM, AWS STS and CloudFront are recorded; they are included by default for a multi-region trail and are part of the audit record GxP 21 CFR Part 11 expects.
Click on "Create" to create the multi-region AWS CloudTrail.
Once the trail is created, verify that its status shows logging as On (IsLogging true) and that log files begin to appear in the bucket under AWSLogs/<account-id>/CloudTrail/<region>/ for more than one Region; a multi-region trail whose logging is stopped still fails this rule.
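The remediation above carried out programmatically, as an added example that is not part of the original page: it applies the bucket policy CloudTrail requires, creates the multi-region trail with log file validation and global service events, starts logging, and reads back the status. The boto3 method names and parameters (put_bucket_policy, create_trail, start_logging, get_trail_status) are the real ones; the clients are passed in so the same function can be driven by real boto3 clients or by the in-memory fakes defined here. The account id, Region, bucket and trail name in run_demo are constructed placeholders.

```python
"""Remediation mirroring the steps above: grant CloudTrail write access to the
log bucket, create a multi-region trail with log file validation and global
service events, then start logging (a new trail does not log until started).
"""
from __future__ import annotations

import json
from typing import Any


def cloudtrail_bucket_policy(bucket: str, account_id: str, trail_arn: str) -> dict[str, Any]:
    """Bucket policy CloudTrail requires before create-trail accepts the bucket.

    aws:SourceArn pins the grant to this one trail, so a trail in another
    account cannot be pointed at the bucket (the confused-deputy case).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {"StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": trail_arn,
                }},
            },
        ],
    }


def create_multi_region_trail(s3, cloudtrail, *, bucket, account_id, home_region, trail_name):
    """Apply the bucket policy, create the trail, start logging, return (trail, status)."""
    trail_arn = f"arn:aws:cloudtrail:{home_region}:{account_id}:trail/{trail_name}"
    policy = cloudtrail_bucket_policy(bucket, account_id, trail_arn)
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
    trail = cloudtrail.create_trail(
        Name=trail_name,
        S3BucketName=bucket,
        IsMultiRegionTrail=True,
        IncludeGlobalServiceEvents=True,
        EnableLogFileValidation=True,
    )
    cloudtrail.start_logging(Name=trail_name)  # create_trail alone leaves the trail idle
    status = cloudtrail.get_trail_status(Name=trail_name)
    return trail, status


class FakeS3:
    """Records the bucket policy instead of calling AWS (stand-in for boto3.client('s3'))."""
    def __init__(self) -> None:
        self.policies: dict[str, dict[str, Any]] = {}

    def put_bucket_policy(self, Bucket: str, Policy: str) -> dict:
        self.policies[Bucket] = json.loads(Policy)
        return {}


class FakeCloudTrail:
    """Minimal stand-in for boto3.client('cloudtrail') that tracks logging state."""
    def __init__(self, account_id: str, region: str) -> None:
        self.account_id, self.region = account_id, region
        self.calls: list[str] = []
        self.logging = False

    def create_trail(self, **kw) -> dict:
        self.calls.append("create_trail")
        return {"Name": kw["Name"], "S3BucketName": kw["S3BucketName"],
                "IsMultiRegionTrail": kw.get("IsMultiRegionTrail", False),
                "TrailARN": f"arn:aws:cloudtrail:{self.region}:{self.account_id}:trail/{kw['Name']}"}

    def start_logging(self, **kw) -> dict:
        self.calls.append("start_logging")
        self.logging = True
        return {}

    def get_trail_status(self, **kw) -> dict:
        self.calls.append("get_trail_status")
        return {"IsLogging": self.logging}


def run_demo():
    """Drive the remediation against the fakes with constructed identifiers."""
    account, region = "111111111111", "us-east-1"          # constructed
    bucket, name = "example-cloudtrail-logs", "gxp-multi-region"  # constructed
    s3, ct = FakeS3(), FakeCloudTrail(account, region)
    trail, status = create_multi_region_trail(
        s3, ct, bucket=bucket, account_id=account, home_region=region, trail_name=name)
    return s3, ct, trail, status


if __name__ == "__main__":
    s3, ct, trail, status = run_demo()
    print(json.dumps(trail, indent=2))
    print("IsLogging:", status["IsLogging"])
```

Against a real account, pass boto3.client("s3") and boto3.client("cloudtrail", region_name=home_region) instead of the fakes; the bucket must already exist, and the Region you call create_trail from becomes the trail's home Region, which is why the same value is used to build the ARN in the bucket policy.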
Congratulations! You have now remediated the absence of a multi-region AWS CloudTrail for GxP 21 CFR Part 11 compliance.