Rule: At Least One Multi-Region AWS CloudTrail
This rule ensures at least one multi-region AWS CloudTrail is present in an account.
| Rule | At least one multi-region AWS CloudTrail should be present in an account |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Medium |
Rule Description:
To comply with the NIST 800-53 Revision 5 security standard, at least one multi-region AWS CloudTrail should be configured in the AWS account. CloudTrail provides logging and monitoring capabilities for AWS resources, enabling you to enhance the security of your infrastructure.
Remediation:
Follow the steps below to configure a multi-region AWS CloudTrail in your account:
- 1.
Step 1: Open the AWS Management Console
- Open the AWS Management Console in your web browser and sign in to your AWS account.
- 2.
Step 2: Navigate to CloudTrail
- Go to the AWS service menu and search for the "CloudTrail" service. Click on it to proceed.
- 3.
Step 3: Create a new Trail
- Click on the "Trails" option in the left sidebar.
- Click on the "Create trail" button.
- 4.
Step 4: Provide Trail details
- Choose a meaningful name for your trail in the "Trail name" field.
- Select the appropriate "Apply trail to all regions" option.
- Enable "Multi-Region" by selecting the checkbox.
- Optionally, you can specify a S3 bucket to store the CloudTrail logs in the "S3 bucket" field. If no bucket is specified, CloudTrail will create one for you.
- 5.
Step 5: Configure trail settings
- In this section, you can configure additional settings such as log file encryption, log file validation, and CloudWatch Logs integration. Adjust these settings based on your requirements.
- 6.
Step 6: Enable CloudTrail Insights
- Consider enabling CloudTrail Insights to detect unusual activity in your AWS account. This adds an extra layer of security.
- 7.
Step 7: Review and create the trail
- Review the trail configuration and ensure it aligns with your requirements.
- Click on the "Create" button to create the new CloudTrail.
- 8.
Step 8: Validate the configuration
- Once the trail is created, wait for a few minutes to ensure it is active.
- Verify that the CloudTrail is logging events from all the regions specified.
Troubleshooting Steps (if CloudTrail not logging events):
If you encounter issues with your CloudTrail not logging events, follow these troubleshooting steps:
- 1.
Verify CloudTrail configuration
- Double-check that the CloudTrail trail is correctly configured with the multi-region option enabled and the appropriate S3 bucket specified.
- 2.
Ensure CloudTrail is active
- Ensure that the CloudTrail trail is in the "active" state. If not, edit the trail and enable it.
- 3.
Check IAM permissions
- Verify that the AWS Identity and Access Management (IAM) user or role associated with the CloudTrail trail has the necessary permissions to write logs to the S3 bucket.
- 4.
Review CloudTrail logs
- Examine the CloudTrail logs to check for any error messages that might indicate issues with log delivery or processing.
- 5.
Contact AWS Support
- If all else fails, consider contacting AWS Support for further assistance in troubleshooting the CloudTrail logging issue.
Remember, it is essential to regularly monitor your CloudTrail logs to identify and respond to any security-related events or anomalies in your AWS account.