Cloud Defense Logo

Rule: At Least One Multi-Region AWS CloudTrail Requirement

This rule requires at least one multi-region AWS CloudTrail to be present in an account.

Rule: At least one multi-region AWS CloudTrail should be present in an account
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description:

NIST 800-53 Revision 5 does not name AWS services; its Audit and Accountability (AU) control family requires that security-relevant events across a system be logged, retained and protected. In AWS the record of API activity is CloudTrail, so this rule checks the AWS-specific condition that satisfies that family: at least one trail in the account is a multi-region trail. A single-region trail leaves API calls in every other region unrecorded, which is exactly where someone who wants to operate unobserved will go. A multi-region trail records management events from all regions, including regions enabled after the trail was created, delivers global service events (IAM, STS and similar) by default, and writes everything to one S3 bucket. To meet the intent of the control the trail must also be actively logging and capture both read and write management events; a trail that exists but has been stopped does not count.

Troubleshooting Steps:

If the rule reports that no multi-region AWS CloudTrail is present in your AWS account, confirm the finding before remediating:

  1. Open the CloudTrail service in the AWS Management Console (or run "aws cloudtrail describe-trails" from the CLI) to list the trails in the account. Trails are regional resources: a multi-region trail lives in its home region and is shown as a shadow trail in the others, so check from the home region or make sure shadow trails are included.
  2. For each trail, check whether it is a multi-region trail (the "Multi-region trail" column in the console, or IsMultiRegionTrail true in the CLI output) and whether it is currently logging ("aws cloudtrail get-trail-status --name <trail>" reports IsLogging true). A single-region trail, or a multi-region trail that has been stopped, does not satisfy the rule.
  3. If no logging multi-region trail is found, proceed with the remediation steps below.

Remediation Steps:

To remediate the finding, create a multi-region trail in the account. The console steps are:

  1. Log in to the AWS Management Console with a principal that is allowed to create trails and write S3 bucket policies.
  2. Navigate to the CloudTrail service and open the Trails page.
  3. Click "Create trail".
  4. Give the trail a name that states its purpose (e.g., "Multi-Region-CloudTrail"). If the account belongs to an AWS Organization, consider creating the trail from the management account as an organization trail so every member account is covered by the same trail.
  5. Make sure the trail applies to all regions. The console creates multi-region trails by default; from the CLI or API the default is a single-region trail, so pass --is-multi-region-trail there.
  6. Specify the S3 bucket that will receive the log files. Trail log files are always delivered to S3 (CloudWatch Logs is an optional additional destination, not a replacement). Letting the console create a new bucket attaches the required bucket policy for you; if you use an existing bucket, its policy must allow cloudtrail.amazonaws.com to call s3:GetBucketAcl on the bucket and s3:PutObject under the AWSLogs/<account-id>/ prefix, and the bucket should block public access.
  7. Enable SSE-KMS encryption of the log files (with a key policy that lets CloudTrail use the key), enable log file validation so that modified or deleted log files can be detected later, and optionally send events to a CloudWatch Logs log group so you can alarm on them.
  8. Under "Events", keep management events selected with both Read and Write API activity. This is what the rule is about; data events are optional.
  9. Enable "Data events" only if you need object-level S3 activity or Lambda invocation records. They are billed separately and can be voluminous, so add just the buckets or functions you need to monitor.
  10. Add tags as your policies require.
  11. Review the configuration and click "Create trail". A trail created in the console starts logging immediately; one created with the API or CLI records nothing until you also run "aws cloudtrail start-logging --name <trail>".
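The remediation above done from code rather than the console, as an added example (not Cloud Defense's or AWS's own code). It assumes the account ID, region, trail name and bucket name shown at the top, and assumes boto3 with valid credentials for the live part; the bucket policy and the create-trail parameters are built by pure functions so the policy can be reviewed before anything is applied:

```python
"""Create a multi-region CloudTrail from code, the way the console wizard does.

Added example for this page; not Cloud Defense's or AWS's own code. ACCOUNT_ID,
REGION, TRAIL_NAME and BUCKET are assumed values for illustration. The pure
functions build the S3 bucket policy CloudTrail needs and the create_trail
arguments; main() applies them with boto3 only when run directly.
"""
import json

# Assumed values; replace with your own.
ACCOUNT_ID = "111111111111"
REGION = "us-east-1"          # home region of the trail
TRAIL_NAME = "Multi-Region-CloudTrail"
BUCKET = "example-cloudtrail-logs-111111111111"


def trail_arn(account_id: str, region: str, trail_name: str) -> str:
    return f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"


def cloudtrail_bucket_policy(bucket: str, account_id: str, region: str, trail_name: str) -> dict:
    """Bucket policy that lets this one trail write to the bucket and nothing else.

    CloudTrail needs s3:GetBucketAcl on the bucket and s3:PutObject under
    AWSLogs/<account>/ with the bucket-owner-full-control ACL. The aws:SourceArn
    condition pins both grants to this trail, so a trail in another account that
    is pointed at the same bucket name cannot deliver into it.
    """
    arn = trail_arn(account_id, region, trail_name)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceArn": arn,
                    }
                },
            },
        ],
    }


def create_trail_params(trail_name: str, bucket: str) -> dict:
    """Keyword arguments for CloudTrail.Client.create_trail.

    Multi-region, global service events and log file validation are the
    settings this rule and the remediation steps call for.
    """
    return {
        "Name": trail_name,
        "S3BucketName": bucket,
        "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True,
        "EnableLogFileValidation": True,
    }


def main() -> None:
    """Apply the policy and create the trail. Needs boto3 and AWS credentials."""
    import boto3  # imported here so the pure functions above work without it

    s3 = boto3.client("s3", region_name=REGION)
    ct = boto3.client("cloudtrail", region_name=REGION)

    policy = cloudtrail_bucket_policy(BUCKET, ACCOUNT_ID, REGION, TRAIL_NAME)
    s3.put_bucket_policy(Bucket=BUCKET, Policy=json.dumps(policy))
    s3.put_public_access_block(
        Bucket=BUCKET,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
    )

    ct.create_trail(**create_trail_params(TRAIL_NAME, BUCKET))
    # CreateTrail does not start recording. The console does this step for you;
    # the API does not, and without it the trail exists but captures nothing.
    ct.start_logging(Name=TRAIL_NAME)
    print("IsLogging:", ct.get_trail_status(Name=TRAIL_NAME)["IsLogging"])


if __name__ == "__main__":
    main()
```

Run it as a script to apply the change, or import it and call cloudtrail_bucket_policy() to review the policy first. The bucket must already exist; if the trail is later renamed or recreated in another region, the aws:SourceArn condition has to be updated or delivery will fail with a bucket policy error.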

Verification:

To verify that the multi-region AWS CloudTrail has been created correctly:

  1. Go to the AWS Management Console.
  2. Navigate to the CloudTrail service and open the Trails page.
  3. Find the new trail in the list.
  4. Check that its logging status is "On" (the CLI equivalent is "aws cloudtrail get-trail-status --name <trail>" reporting IsLogging true) and that it is marked as a multi-region trail. Switch the console to a region other than the trail's home region: the trail should still appear there, which is how a multi-region trail presents itself.
  5. Confirm that log files are arriving in the S3 bucket under AWSLogs/<account-id>/CloudTrail/<region>/. Delivery is not instant; allow up to about 15 minutes after logging starts before treating an empty bucket as a failure. LatestDeliveryTime in the get-trail-status output shows the last successful delivery, and LatestDeliveryError shows why delivery is failing (most often a bucket policy problem).
  6. Make an API call in a region other than the home region (for example, "aws ec2 describe-regions --region <other-region>") and confirm it appears in the trail's log files for that region; that is the property the rule exists to enforce.
  7. If data events were enabled, validate that the selected S3 object or Lambda activity is being captured.

The rule is satisfied by a trail that is multi-region and actively logging management events across all regions, not merely by a trail that exists; recheck the status whenever the trail configuration changes.
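The troubleshooting and verification checks above put into one evaluation, as an added example that is not Cloud Defense's own rule implementation. It runs over constructed responses shaped like the CloudTrail DescribeTrails, GetTrailStatus and GetEventSelectors API output, and goes one step past the page's checklist by also requiring that management events are recorded for both reads and writes, since a write-only trail still leaves reconnaissance calls unrecorded. The collect_live function assumes boto3 and credentials and is the only part that touches AWS:

```python
"""Evaluate an account's trails against this rule from CloudTrail API output.

Added example for this page, not Cloud Defense's or AWS's own code. The
evaluation is pure and runs here over constructed sample responses; collect_live
assumes boto3 and AWS credentials.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class TrailReport:
    name: str
    compliant: bool
    reasons: list[str] = field(default_factory=list)


def records_all_management_events(selectors: dict) -> bool:
    """True if management events are captured for both reads and writes.

    Trails use either classic EventSelectors (IncludeManagementEvents plus
    ReadWriteType) or AdvancedEventSelectors (field selectors). An advanced
    selector that filters on readOnly keeps only one direction, so it fails.
    """
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All":
            return True
    for sel in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        category = fields.get("eventCategory", {})
        if "Management" in category.get("Equals", []) and "readOnly" not in fields:
            return True
    return False


def evaluate_trail(trail: dict, status: dict, selectors: dict) -> TrailReport:
    """One trail against the rule: multi-region, logging, all management events."""
    reasons = []
    if not trail.get("IsMultiRegionTrail"):
        reasons.append("not multi-region")
    if not status.get("IsLogging"):
        reasons.append("logging stopped")
    if not records_all_management_events(selectors):
        reasons.append("management events not fully recorded")
    return TrailReport(trail["Name"], not reasons, reasons)


def evaluate_account(trails: list[dict], statuses: dict, selectors: dict) -> tuple[bool, list[TrailReport]]:
    """The rule passes if at least one trail in the account is fully compliant."""
    reports = [evaluate_trail(t, statuses[t["Name"]], selectors[t["Name"]]) for t in trails]
    return any(r.compliant for r in reports), reports


# Constructed sample data shaped like the API responses (not from a real account).
SAMPLE_TRAILS = [
    {"Name": "regional-only", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False},
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True},
    {"Name": "stopped-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True},
]
SAMPLE_STATUS = {
    "regional-only": {"IsLogging": True},
    "org-trail": {"IsLogging": True},
    "stopped-trail": {"IsLogging": False},
}
SAMPLE_SELECTORS = {
    "regional-only": {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    "org-trail": {"AdvancedEventSelectors": [{"Name": "mgmt", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Management"]}]}]},
    "stopped-trail": {"EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
}


def collect_live(region: str):
    """Fetch the three API responses for a real account (assumes boto3)."""
    import boto3
    ct = boto3.client("cloudtrail", region_name=region)
    # includeShadowTrails so multi-region trails homed elsewhere are listed too;
    # status and selectors are looked up by ARN, which works from any region.
    trails = ct.describe_trails(includeShadowTrails=True)["trailList"]
    statuses = {t["Name"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    selectors = {t["Name"]: ct.get_event_selectors(TrailName=t["TrailARN"]) for t in trails}
    return trails, statuses, selectors


if __name__ == "__main__":
    ok, reports = evaluate_account(SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_SELECTORS)
    for r in reports:
        print(f"{r.name}: {'PASS' if r.compliant else 'FAIL (' + ', '.join(r.reasons) + ')'}")
    print("rule:", "PASS" if ok else "FAIL")
```

Against the sample data the account passes because of org-trail; regional-only fails for being single-region and stopped-trail fails twice, for being stopped and for recording writes only. Replace the three SAMPLE_* values with the tuple from collect_live(region) to evaluate a real account.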

Additional Notes:

A trail is only as useful as what is done with its logs. Review them, and alert on the events that matter: at minimum, create CloudWatch Logs metric filters and alarms (or the equivalent in your SIEM) for calls that change or stop the trail itself (StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors), for root account usage and for IAM policy changes. An attacker who obtains administrative credentials commonly stops or deletes the trail before doing anything else, so a StopLogging alert is one of the highest-value detections in the account.

Protect the logging configuration and the logs themselves from the principals whose activity they record. Restrict the cloudtrail:StopLogging, cloudtrail:DeleteTrail, cloudtrail:UpdateTrail and cloudtrail:PutEventSelectors permissions to a small set of roles, and in an AWS Organization deny them to member accounts with a service control policy. Keep the log bucket in a separate log-archive account where possible, block public access on it, enable log file validation so modified or deleted files can be detected with "aws cloudtrail validate-logs", and consider S3 versioning or Object Lock for the bucket.

A multi-region trail that is kept logging, protected and actually monitored gives you a complete record of API activity in the account, which is what the NIST 800-53 Revision 5 audit controls behind this rule are asking for.
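The alerting suggested above, as an added example run over constructed records (not Cloud Defense's code and not real log data): a scan of a delivered CloudTrail log file for calls that change or stop a trail, plus the equivalent CloudWatch Logs metric filter pattern. The event list extends the commonly used five-event "CloudTrail configuration changes" filter (CreateTrail, UpdateTrail, DeleteTrail, StartLogging, StopLogging) with PutEventSelectors, which changes what a trail records without stopping it:

```python
"""Flag CloudTrail configuration changes in CloudTrail's own log records.

Added example for this page, not Cloud Defense's code. The records below are
constructed to mirror CloudTrail's JSON record layout; the event list is the
common "CloudTrail configuration changes" set plus PutEventSelectors.
"""
from __future__ import annotations

import json

# Management API calls that change what a trail records, or stop it.
TRAIL_CHANGE_EVENTS = {
    "CreateTrail", "UpdateTrail", "DeleteTrail",
    "StartLogging", "StopLogging",
    "PutEventSelectors",
}

# The CloudWatch Logs filter pattern equivalent of TRAIL_CHANGE_EVENTS, for an alarm.
METRIC_FILTER_PATTERN = "{ " + " || ".join(
    f"($.eventName = {name})" for name in sorted(TRAIL_CHANGE_EVENTS)) + " }"


def find_trail_changes(records: list[dict]) -> list[dict]:
    """Return a summary of every record that altered or stopped a trail.

    Denied attempts are kept as well: a StopLogging that failed with AccessDenied
    is still someone trying to blind the account and is worth an alert.
    """
    hits = []
    for rec in records:
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if rec.get("eventName") not in TRAIL_CHANGE_EVENTS:
            continue
        identity = rec.get("userIdentity", {})
        hits.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "actor": identity.get("arn", identity.get("type")),
            "source_ip": rec.get("sourceIPAddress"),
            "trail": (rec.get("requestParameters") or {}).get("name"),
            "denied": rec.get("errorCode") is not None,
        })
    return hits


def scan_log_file(text: str) -> list[dict]:
    """Parse one delivered (already gunzipped) CloudTrail log file and scan it."""
    return find_trail_changes(json.loads(text)["Records"])


# Constructed log file in CloudTrail's {"Records": [...]} layout (not real data).
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:00:00Z",
     "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:02:11Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"name": "Multi-Region-CloudTrail"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:03:40Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Admin/bob"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"name": "Multi-Region-CloudTrail"},
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform cloudtrail:DeleteTrail"},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:05:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/carol"},
     "sourceIPAddress": "203.0.113.11"},
]})


if __name__ == "__main__":
    print(METRIC_FILTER_PATTERN)
    for hit in scan_log_file(SAMPLE_LOG_FILE):
        print(hit)
```

On the sample file the scan reports the StopLogging by alice and the denied DeleteTrail by bob's assumed role, and ignores the read-only DescribeTrails. In production, point scan_log_file at the gunzipped objects CloudTrail delivers to the bucket, or put METRIC_FILTER_PATTERN on the trail's CloudWatch Logs log group with an alarm whose threshold is 1.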
