Rule: Ensure Presence of Multi-Region AWS CloudTrail
This rule ensures the presence of at least one multi-region AWS CloudTrail in an account.
| Rule | At least one multi-region AWS CloudTrail should be present in an account |
| Framework | NIST 800-171 Revision 2 |
| Severity | ✔ Medium |
Rule Description:
This rule ensures compliance with the NIST 800-171 Revision 2 security requirement that at least one multi-region AWS CloudTrail should be present in an account. CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. By configuring a multi-region CloudTrail, you can capture AWS API activity across different regions, providing a comprehensive view of actions taken within your account.
Troubleshooting Steps:
- 1.
Verify CloudTrail is enabled: Check if the CloudTrail service is already enabled in your AWS account. To do this, follow these steps:
- Go to the AWS Management Console and log in to your account.
- Navigate to the CloudTrail service.
- If CloudTrail is not enabled, follow the necessary steps to enable it.
- 2.
Check if CloudTrail is configured for multi-region: Ensure that CloudTrail is configured to capture activity across multiple regions. To verify and configure multi-region logging, follow these steps:
- Access the CloudTrail service in the AWS Management Console.
- Select the appropriate trail from the list.
- Click on the "Edit" button.
- In the "Trail Details" section, check if the "Apply trail to all regions" option is enabled.
- If it's not enabled, click to enable it and save the changes.
- 3.
Review CloudTrail trails: Check if there are any existing CloudTrail trails that are not configured for multi-region logging:
- Navigate to the CloudTrail service in the AWS Management Console.
- Review the list of trails and identify any trails that are not configured for multi-region logging.
- Follow the steps mentioned earlier to enable multi-region logging for those trails or create a new multi-region trail if required.
- 4.
Verify IAM permissions: Ensure that the IAM (Identity and Access Management) user or role associated with your AWS account has the necessary permissions to configure and manage CloudTrail. To verify the IAM permissions, follow these steps:
- Go to the IAM service in the AWS Management Console.
- Locate and select the IAM user or role associated with your account.
- Check if the user or role has the required permissions for CloudTrail, such as "cloudtrail:CreateTrail" and "cloudtrail:UpdateTrail".
Code:
There isn't any specific code required for this rule. The configuration and management of CloudTrail can be done through the AWS Management Console or via AWS CLI commands.
Remediation:
To remediate this rule, follow the step-by-step guide below:
- 1.Access the AWS Management Console.
- 2.Navigate to the CloudTrail service.
- 3.If CloudTrail is not enabled, enable it by following the on-screen instructions.
- 4.Review the existing trails:
- Identify any trails that are not configured for multi-region logging.
- 5.For each trail:
- Click on the trail name to access its configuration.
- Click on the "Edit" button.
- Enable the "Apply trail to all regions" option.
- Save the changes.
- 6.If there are no existing trails or if you need to create a new multi-region trail:
- Click on the "Create trail" button.
- Provide a name for the trail.
- Enable the "Apply trail to all regions" option.
- Configure other desired settings (such as logging storage location, log file validation, etc.).
- Save the trail configuration.
- 7.Verify that CloudTrail is now configured with multi-region logging by reviewing the list of trails and checking their configurations.
By following these steps, you will ensure compliance with the NIST 800-171 Revision 2 requirement of having at least one multi-region AWS CloudTrail present in your account.