Ensure Presence of Multi-Region AWS CloudTrail Rule

This rule ensures the existence of at least one multi-region AWS CloudTrail in the account.

Rule: At least one multi-region AWS CloudTrail should be present in an account
Framework: NIST 800-53 Revision 4
Severity: Medium

Rule Description:

At least one multi-region AWS CloudTrail should be present in an account to satisfy the audit logging controls of NIST 800-53 Revision 4. AWS CloudTrail records the API activity in an AWS account. A trail that is limited to a single region records only calls made in that region, so activity in every other region, including regions the account never normally uses, goes unlogged. A multi-region trail records management events from every region enabled in the account, including regions added later, and delivers them to a single S3 bucket, giving the account one complete audit record of its API activity.

Troubleshooting Steps:

If the rule reports that no multi-region AWS CloudTrail is present in the account, confirm the finding and fix it as follows:

  1. Check whether any trail exists. Run the AWS CLI command below to list the trails visible to the account (multi-region trails created in other regions are included as shadow trails):

    aws cloudtrail describe-trails
    

    Ensure that the trailList in the output contains at least one trail. An empty list means the account has no trail at all; go to step 3.

  2. Check the trail's settings. Retrieve the details of the trail using the following command:

    aws cloudtrail get-trail --name <trail-name>
    

    Verify that the IsMultiRegionTrail parameter is set to true in the output. A trail that exists but has been stopped records nothing, so also confirm that the trail's status reports IsLogging as true; if it does not, start it as in step 3c.

  3. Create a new multi-region AWS CloudTrail. If no multi-region trail exists, create one by following these steps:

    a. Create a new S3 bucket:

    aws s3api create-bucket --bucket <bucket-name> --region <region> --create-bucket-configuration LocationConstraint=<region>
    

    Replace <bucket-name> with your desired bucket name and <region> with the desired region for the bucket. Omit the --create-bucket-configuration option when the region is us-east-1, where a LocationConstraint is rejected. Before the next step, attach a bucket policy that allows the cloudtrail.amazonaws.com service principal s3:GetBucketAcl on the bucket and s3:PutObject on AWSLogs/<account-id>/* within it; create-trail rejects a bucket without this policy.

    b. Create the AWS CloudTrail trail:

    aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail
    

    Replace <trail-name> with a suitable name for your trail and <bucket-name> with the name of the S3 bucket you created.

    c. Start the trail:

    aws cloudtrail start-logging --name <trail-name>
    

    The trail is now active and records API activity from all regions.

Remediation Steps:

To remediate the issue and ensure compliance with the NIST 800-53 Revision 4 standard, follow these steps:

  1. Create a new S3 bucket:

    aws s3api create-bucket --bucket <bucket-name> --region <region> --create-bucket-configuration LocationConstraint=<region>
    

    Replace <bucket-name> with your desired bucket name and <region> with the desired region for the bucket. Omit the --create-bucket-configuration option when the region is us-east-1, where a LocationConstraint is rejected. Then attach a bucket policy that allows the cloudtrail.amazonaws.com service principal s3:GetBucketAcl on the bucket and s3:PutObject on AWSLogs/<account-id>/* within it; without it, create-trail fails with InsufficientS3BucketPolicyException. Block public access on the bucket and restrict who can delete or overwrite objects, since the bucket now holds the account's audit record.

  2. Create an AWS CloudTrail trail:

    aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail
    

    Replace <trail-name> with a suitable name for your trail and <bucket-name> with the name of the S3 bucket you created.

  3. Start the trail:

    aws cloudtrail start-logging --name <trail-name>
    

    The trail is now active and records API activity from all regions in the account. Creating a trail does not start it, so do not skip this step.

  4. Enable log file validation (recommended):

    aws cloudtrail update-trail --name <trail-name> --enable-log-file-validation
    

    With validation enabled, CloudTrail delivers hourly digest files containing SHA-256 hashes of each log file, signed with RSA. These let you prove, with the CLI's validate-logs command, that no log file was modified or deleted after delivery, which matters when the logs are used as evidence.

Note: Repeat the above steps for each AWS account within the organization, if applicable. Alternatively, an organization trail created in the AWS Organizations management account records events for every member account into one bucket, and member accounts cannot stop or delete it.

After these steps the account has at least one active multi-region AWS CloudTrail, which resolves the finding and meets the requirement of the NIST 800-53 Revision 4 standard.
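As an added example (not from the original page or from Cloud Defense), the following Python performs the check described in the troubleshooting steps and builds the S3 bucket policy that the remediation steps assume is in place. It consumes the JSON returned by `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status`; the trail names, bucket names and account ID in the embedded sample are constructed placeholders, and the hypothetical helper names are the example's own.

```python
import json


def cloudtrail_bucket_policy(bucket: str, account_id: str) -> dict:
    """Bucket policy CloudTrail requires before `create-trail` accepts a bucket.

    CloudTrail first reads the bucket ACL, then writes log objects under
    AWSLogs/<account-id>/ with the bucket-owner-full-control ACL.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
                },
            },
        ],
    }


def evaluate_trails(trail_list: list, statuses: dict) -> tuple:
    """Decide whether an account satisfies the multi-region trail rule.

    trail_list: the "trailList" array from `aws cloudtrail describe-trails`
    statuses:   {trail name: output of `aws cloudtrail get-trail-status --name <name>`}

    Compliant only if at least one trail is multi-region AND currently logging:
    a multi-region trail whose logging was stopped records nothing, so the
    IsMultiRegionTrail flag alone is not sufficient evidence.
    Returns (compliant, findings) with one list of issues per distinct trail.
    """
    compliant = False
    findings = {}
    seen_arns = set()
    for trail in trail_list:
        # describe-trails repeats a multi-region trail as a "shadow trail" in
        # every region it covers; count each trail once by its ARN.
        arn = trail.get("TrailARN", trail["Name"])
        if arn in seen_arns:
            continue
        seen_arns.add(arn)

        name = trail["Name"]
        status = statuses.get(name, {})
        multi_region = bool(trail.get("IsMultiRegionTrail", False))
        logging = bool(status.get("IsLogging", False))
        issues = []
        if not multi_region:
            issues.append("single-region trail: API activity in other regions is not recorded")
        if not logging:
            issues.append("logging stopped: the trail exists but records nothing")
        if not trail.get("LogFileValidationEnabled", False):
            issues.append("log file validation disabled (recommended, not required by this rule)")
        if multi_region and logging:
            compliant = True
        findings[name] = issues

    if not findings:
        findings["<no trails>"] = ["no CloudTrail trail exists in this account"]
    return compliant, findings


# Constructed sample output (not from a real account); account ID and bucket
# names are placeholders. The second trail is multi-region but stopped, and
# appears twice because describe-trails was run in two regions.
SAMPLE_TRAILS = [
    {"Name": "regional-trail", "S3BucketName": "example-logs-us-east-1",
     "IsMultiRegionTrail": False, "HomeRegion": "us-east-1",
     "LogFileValidationEnabled": False,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/regional-trail"},
    {"Name": "account-wide-trail", "S3BucketName": "example-logs-central",
     "IsMultiRegionTrail": True, "HomeRegion": "eu-west-1",
     "LogFileValidationEnabled": True,
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/account-wide-trail"},
    {"Name": "account-wide-trail", "S3BucketName": "example-logs-central",
     "IsMultiRegionTrail": True, "HomeRegion": "eu-west-1",
     "LogFileValidationEnabled": True,
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/account-wide-trail"},
]
SAMPLE_STATUS = {
    "regional-trail": {"IsLogging": True},
    "account-wide-trail": {"IsLogging": False},
}

if __name__ == "__main__":
    ok, report = evaluate_trails(SAMPLE_TRAILS, SAMPLE_STATUS)
    print("compliant:", ok)
    for trail, issues in report.items():
        print(f"  {trail}: {issues or ['ok']}")
    # State after `aws cloudtrail start-logging --name account-wide-trail`:
    fixed = {**SAMPLE_STATUS, "account-wide-trail": {"IsLogging": True}}
    print("compliant after start-logging:", evaluate_trails(SAMPLE_TRAILS, fixed)[0])
    print(json.dumps(cloudtrail_bucket_policy("example-logs-central", "111122223333"), indent=2))
```

To run it against a real account, save `aws cloudtrail describe-trails` to a file, call `aws cloudtrail get-trail-status --name <name>` for each trail, and pass the parsed `trailList` and a name-to-status dictionary to `evaluate_trails`. The sample deliberately shows the case the page's check misses: a multi-region trail that exists but is not logging leaves the account non-compliant until `start-logging` is run.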
