Rule: CloudTrail trails should be integrated with CloudWatch logs
This rule ensures that CloudTrail trails are integrated with CloudWatch logs for heightened security and monitoring.
| Rule | CloudTrail trails should be integrated with CloudWatch logs |
| Framework | NIST 800-53 Revision 4 |
| Severity | ✔ Critical |
Rule Description:
CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. Integrating CloudTrail with CloudWatch Logs provides a centralized location for collecting, analyzing, and storing logs generated by CloudTrail. NIST 800-53 Revision 4 is a standard published by the National Institute of Standards and Technology, outlining security and privacy controls for federal information systems. This rule requires the integration of CloudTrail trails with CloudWatch Logs to align with the security guidelines provided in NIST 800-53 Revision 4.
Troubleshooting Steps:
If you encounter any issues while integrating CloudTrail trails with CloudWatch Logs, follow these troubleshooting steps:
- 1.
Verify IAM Permissions:
- Ensure that the IAM user or role used to configure CloudTrail has the necessary permissions to create CloudWatch Logs.
- Check if the user/role has the
andlogs:CreateLogGroup
permissions.logs:CreateLogStream
- 2.
Verify CloudTrail Configuration:
- Confirm if the CloudTrail trail is enabled and capturing logs.
- Check if the CloudTrail trail is correctly configured to deliver logs to CloudWatch.
- 3.
Verify CloudWatch Logs Configuration:
- Ensure that a CloudWatch Logs log group and log stream exist for storing the CloudTrail logs.
- Verify the correct log group and log stream names configured in the CloudTrail settings.
- 4.
Verify CloudTrail IAM Role:
- Check if the IAM role associated with the CloudTrail trail has permissions to write logs to CloudWatch Logs.
- Validate if the role has the
andlogs:PutLogEvents
permissions.logs:DescribeLogStreams
- 5.
Check CloudTrail and CloudWatch Logs Integration Status:
- In the CloudTrail console, validate that the integration status with CloudWatch Logs shows as "Enabled."
- 6.
Monitor CloudWatch Logs for Errors:
- Review CloudWatch Logs for any error messages related to the CloudTrail integration.
- Check for any log delivery issues or errors reported in the CloudWatch Logs console.
Necessary Codes:
No specific codes are required for this integration. However, IAM policies need to be modified to grant necessary permissions for CloudTrail to write logs to CloudWatch Logs.
Remediation Steps:
Follow the step-by-step guide below to integrate CloudTrail trails with CloudWatch Logs:
- 1.Login to the AWS Management Console.
- 2.Open the CloudTrail service.
- 3.Select the desired trail from the list of trails.
- 4.Click on the "Edit" button, or choose "Trails" from the sidebar menu and select "Edit selected trail".
- 5.In the "Event History" section, find the "Storage Location" option.
- 6.Under "Storage Location," select "Yes" for the option "Enable log file validation."
- 7.Check the box next to "Create a new CloudWatch Logs log group for this trail."
- 8.Enter a unique name for the log group in the "Log group name" field.
- 9.Optionally, you can also create a new log stream by checking the "Create a new CloudWatch Logs log stream for this trail" box and providing a log stream name.
- 10.Choose the appropriate "IAM role" for CloudTrail service.
- 11.Click on "Save" to apply the changes.
- 12.Verify that the CloudTrail trail's integration status with CloudWatch Logs shows as "Enabled" in the CloudTrail console.
By following the above steps, you will successfully integrate CloudTrail trails with CloudWatch Logs to comply with the NIST 800-53 Revision 4 standard.