
Rule: At Least One Enabled Trail Presence in a Region

This rule states that at least one enabled trail should be present in a particular region.

Rule: At least one enabled trail should be present in a region
Framework: NIST 800-53 Revision 5
Severity: Low

Rule Description

For NIST 800-53 Revision 5, at least one enabled trail must be present in every region the account uses. A trail counts as enabled only when it exists in the region (or is a multi-region trail homed elsewhere) and its logging is turned on; a trail that exists but has had logging stopped does not satisfy the rule. This ensures that CloudTrail is recording API activity and account changes in every region, which is the evidence base for security analysis, auditing, incident response, and troubleshooting. A single multi-region trail that is logging satisfies the rule for all regions at once and is the usual way to meet it.

Troubleshooting Steps

If there is no enabled trail in a region, follow these steps to troubleshoot the issue:

1. Enumerate the trails in the region: run describe-trails against that region. By default the response also includes shadow trails, that is, multi-region trails whose home region is elsewhere; such a trail counts for this region as long as it is logging.
2. Check trail status: run get-trail-status for each trail and look at IsLogging. A value of false means StopLogging was called on the trail; use start-logging to re-enable it.
3. Check log delivery: get-trail-status also reports LatestDeliveryTime and LatestDeliveryError. A trail can be logging yet fail to deliver; if there is a delivery error, investigate and resolve the underlying cause.
4. Validate permissions: the S3 bucket policy must allow the cloudtrail.amazonaws.com service principal to call s3:GetBucketAcl on the bucket and s3:PutObject under the AWSLogs/<account-id>/ prefix. If the bucket uses SSE-KMS, the key policy must also allow CloudTrail to use the key. An IAM role is only involved when the trail also delivers to CloudWatch Logs; it is not what authorizes writes to S3.
5. Review CloudTrail limits: by default an account may have five trails per region. If the limit has been reached, delete an unused trail or request an increase.
6. Check CloudTrail service health: consult the AWS Health Dashboard to confirm there is no ongoing issue with CloudTrail in the region.
7. Review region availability: opt-in regions are disabled by default and cannot hold a trail until enabled. Once a region is enabled, an existing multi-region trail begins logging in it automatically; a single-region trail must be created there explicitly.
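The steps above amount to one evaluation: collect every trail with its IsLogging flag, then decide which enabled regions are left without coverage. The following added example (not Cloud Defense's or AWS's code) implements that evaluation as a pure function over constructed sample data, so it runs offline, and includes a separate helper that gathers the same inputs from a real account with boto3. The region list, trail names, and the boto3 helper are assumptions for illustration; the check treats a stopped trail as absent and a logging multi-region trail as covering every region, which is what the rule requires.

```python
"""Find enabled AWS regions that have no enabled (logging) CloudTrail trail.

Added example for this rule page; not Cloud Defense's or AWS's own code.
The evaluation runs offline over constructed data; collect_from_aws shows
how the same inputs are gathered with boto3 and only imports the SDK when
it is called.
"""


def regions_without_enabled_trail(trails, enabled_regions):
    """Return the set of enabled regions that have no logging trail.

    `trails` is a list of dicts carrying the fields the rule needs, in the
    shape of describe-trails output plus IsLogging from get-trail-status:
      Name, HomeRegion, IsMultiRegionTrail, IsLogging
    A trail that exists but is not logging does not count.
    A logging multi-region trail covers every region at once.
    """
    enabled = set(enabled_regions)
    covered = set()
    for trail in trails:
        if not trail.get("IsLogging", False):
            continue  # StopLogging was called: the trail is not "enabled"
        if trail.get("IsMultiRegionTrail", False):
            return set()  # one logging multi-region trail satisfies all regions
        covered.add(trail["HomeRegion"])
    return enabled - covered


# Constructed sample data (not from a real account).
SAMPLE_ENABLED_REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]
SAMPLE_TRAILS = [
    {"Name": "audit-us-east-1", "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": False, "IsLogging": True},
    {"Name": "paused-eu", "HomeRegion": "eu-west-1",   # exists but stopped
     "IsMultiRegionTrail": False, "IsLogging": False},
]


def collect_from_aws(session=None):
    """Gather (trails, enabled_regions) for the calling account with boto3.

    Each enabled region is asked only for trails homed there
    (includeShadowTrails=False), so a multi-region trail is seen exactly once
    and single-region trails in other regions are not missed. Organization
    trails delivered from a management account are shadow trails in member
    accounts and are therefore not returned here.
    """
    import boto3  # assumed available only when this helper is used
    session = session or boto3.session.Session()
    ec2 = session.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"]
               for r in ec2.describe_regions(AllRegions=False)["Regions"]]
    trails = []
    for region in regions:
        ct = session.client("cloudtrail", region_name=region)
        for t in ct.describe_trails(includeShadowTrails=False)["trailList"]:
            status = ct.get_trail_status(Name=t["TrailARN"])
            trails.append({
                "Name": t["Name"],
                "HomeRegion": t["HomeRegion"],
                "IsMultiRegionTrail": t.get("IsMultiRegionTrail", False),
                "IsLogging": status["IsLogging"],
            })
    return trails, regions


if __name__ == "__main__":
    missing = regions_without_enabled_trail(SAMPLE_TRAILS, SAMPLE_ENABLED_REGIONS)
    for region in sorted(missing):
        print(f"FAIL: no enabled trail in {region}")
```

With the sample data, us-west-2 has no trail and eu-west-1 has only a stopped one, so both are reported; adding a logging multi-region trail clears the whole list, while a multi-region trail that is not logging clears nothing.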

Code Samples

AWS CLI Command

To list the trails visible in a specific region (including shadow trails of multi-region trails homed elsewhere) and then confirm that a trail is actually logging, use the following AWS CLI commands; a trail listed by the first command but reporting "IsLogging": false in the second does not satisfy the rule:

aws cloudtrail describe-trails --region <region-name>
aws cloudtrail get-trail-status --region <region-name> --name <trail-name-or-arn>

AWS CloudFormation Template

To create a new CloudTrail trail using AWS CloudFormation, you can use the following sample template. IsLogging is a required property of AWS::CloudTrail::Trail and must be true; without it the stack fails to create, and with false the trail exists but records nothing, which still violates the rule.

Resources:
  MyCloudTrail:
    Type: "AWS::CloudTrail::Trail"
    Properties:
      TrailName: "MyTrail"
      S3BucketName: "my-bucket-name"   # must already exist and carry a CloudTrail bucket policy
      IsLogging: true                  # required; false creates a trail that does not log
      IsMultiRegionTrail: true         # one logging multi-region trail satisfies the rule in every region
      EnableLogFileValidation: true
      IncludeGlobalServiceEvents: true

Make sure to replace "MyTrail" with your desired trail name and "my-bucket-name" with the name of the S3 bucket where you want to store the logs. The template creates only the trail: the bucket must already exist, and its bucket policy must allow the cloudtrail.amazonaws.com service principal to call s3:GetBucketAcl on the bucket and s3:PutObject under AWSLogs/<account-id>/, otherwise log delivery fails even though the trail shows as logging.

Remediation Steps

To ensure compliance with the rule and remediate any violations, follow these steps:

1. Identify the region(s) where no enabled trail is present, treating a trail whose logging has been stopped as absent.
2. Prepare the destination: create or choose an S3 bucket and attach a bucket policy that lets CloudTrail write to it (s3:GetBucketAcl on the bucket, s3:PutObject under AWSLogs/<account-id>/). Restricting the grant with an aws:SourceArn condition on the trail's ARN prevents trails from other accounts from writing into the bucket.
3. Create a new trail using the AWS Management Console, CLI, or CloudFormation. Prefer a single multi-region trail: it satisfies the rule in every current region and in any region enabled later, so per-region trails are only needed when a region must log to a separate destination.
4. Configure the trail settings according to your requirements, including the trail name, storage destination, log file validation, and whether to include global service events.
5. Start logging on the trail (create-trail alone does not start it) and verify with get-trail-status that IsLogging is true and that LatestDeliveryError is empty.
6. Repeat these steps for any region still lacking an enabled trail.

By adhering to these steps, you will ensure that at least one enabled CloudTrail trail is present in each region, meeting the audit logging requirements of NIST 800-53 Revision 5.
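The remediation procedure above, carried through end to end as an added example (not Cloud Defense's or AWS's code): build the bucket policy CloudTrail needs, attach it, create the trail, start logging, and verify the status. The bucket name, trail name, account ID, and region are placeholders; the policy builder is pure and runs offline, while remediate performs the AWS calls with boto3 and is only executed when invoked explicitly.

```python
"""Remediate a region with no enabled trail: bucket policy, trail, logging.

Added example for this rule page; not Cloud Defense's or AWS's own code.
All names are placeholders. cloudtrail_bucket_policy is pure and testable
offline; remediate makes real AWS calls and imports boto3 only when run.
"""
import json


def cloudtrail_bucket_policy(bucket, account_id, region, trail_name):
    """Bucket policy CloudTrail requires before it can deliver logs.

    CloudTrail needs s3:GetBucketAcl on the bucket and s3:PutObject under
    AWSLogs/<account-id>/ with the object ACL bucket-owner-full-control.
    The aws:SourceArn condition pins both grants to this one trail, so a
    trail in another account cannot write into the bucket.
    """
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceArn": trail_arn,
                    }
                },
            },
        ],
    }


def remediate(region, trail_name, bucket, account_id,
              multi_region=True, session=None):
    """Attach the bucket policy, create the trail, start logging, verify.

    Returns True once get-trail-status reports IsLogging; raises if the
    trail was created but is not logging, since that still fails the rule.
    """
    import boto3  # assumed available only when this function is used
    session = session or boto3.session.Session()
    policy = cloudtrail_bucket_policy(bucket, account_id, region, trail_name)
    s3 = session.client("s3", region_name=region)
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))

    ct = session.client("cloudtrail", region_name=region)
    ct.create_trail(
        Name=trail_name,
        S3BucketName=bucket,
        IsMultiRegionTrail=multi_region,      # one trail covers every region
        IncludeGlobalServiceEvents=True,
        EnableLogFileValidation=True,
    )
    ct.start_logging(Name=trail_name)         # create_trail does not start logging
    status = ct.get_trail_status(Name=trail_name)
    if not status["IsLogging"]:
        raise RuntimeError(f"trail {trail_name} created but not logging")
    return True


if __name__ == "__main__":
    # Offline demonstration: print the policy for placeholder values.
    print(json.dumps(
        cloudtrail_bucket_policy("my-bucket-name", "123456789012",
                                 "us-west-2", "MyTrail"), indent=2))
```

If the bucket uses SSE-KMS, the key policy needs an equivalent grant to cloudtrail.amazonaws.com as well; that is outside this example.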
