Rule: At Least One Enabled Trail Presence
Ensure at least one enabled trail is present in a region for system and information integrity.
| Rule | At least one enabled trail should be present in a region |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Low |
Rule Description:
This rule requires that at least one enabled trail is present in a region for compliance with NIST 800-53 Revision 5. The rule aims to ensure that logging and monitoring capabilities are established to track and investigate security-related events within an organization's infrastructure.
Rule Troubleshooting:
If there are no enabled trails in a region, it indicates that the logging and monitoring configuration is not in compliance with NIST 800-53 Revision 5. Here are the troubleshooting steps to address this issue:
- 1.
Verify AWS CloudTrail service configuration:
- Check if CloudTrail is properly enabled in the selected region.
- Ensure that the correct trails have been created.
- 2.
Check trail status:
- Verify if the trail(s) associated with the region are in an enabled state.
- If a trail is disabled, enable it using the appropriate AWS CLI commands.
- 3.
Validate logging settings:
- Check if the required logs (e.g., Management events, Data events, etc.) are properly configured for the enabled trails.
- Adjust the logging settings if necessary.
- 4.
Review permissions and IAM roles:
- Ensure that the IAM roles associated with CloudTrail trails have sufficient permissions to create and write logs.
- Verify if the required permissions are correctly assigned to the roles using AWS IAM console or AWS CLI commands.
Remediation:
Follow these step-by-step instructions to remediate the issue and ensure compliance with the rule:
- 1.Login to the AWS Management Console.
- 2.Navigate to the AWS CloudTrail service.
- 3.Select the region where an enabled trail needs to be present for compliance with NIST 800-53 Revision 5.
- 4.Verify if there are any trails listed for the selected region.
- 5.If no trails are listed, create a new trail by clicking the "Create trail" button.
- 6.Configure the trail settings, including the trail name, storage location, log encryption, and event settings.
- 7.Enable the trail by making sure the checkbox for "Enable this trail" is selected.
- 8.Choose the appropriate options for log file validation, CloudWatch Logs delivery, and CloudWatch Logs encryption.
- 9.Set the values for adding tags, if required.
- 10.Review the configuration and click on the "Create" button to create the trail.
- 11.Validate that the newly created trail is listed and marked as enabled in the selected region.
- 12.Ensure that proper logging settings are in place to capture the required events, e.g., management and data events.
- 13.Review and adjust IAM roles, if necessary, to ensure they have the correct permissions for CloudTrail activities.
- 14.Test the trail by performing sample actions that should generate logs, and verify if they are being captured.
- 15.Repeat the above steps for other regions to ensure there is at least one enabled trail in each region.
AWS CLI Commands:
If you prefer using the AWS Command Line Interface (CLI) for remediation, here are the corresponding commands:
- 1.Create a new trail:
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --region <region> --is-multi-region-trail --include-global-service-events --enable-log-file-validation --enable-cloudwatch-logs-exports ReadOnly,WriteOnly,DataEvents
- 1.Enable an existing trail:
aws cloudtrail update-trail --name <trail-name> --region <region> --is-multi-region-trail --include-global-service-events --enable-log-file-validation --enable-cloudwatch-logs-exports ReadOnly,WriteOnly,DataEvents
Ensure to replace
<trail-name><bucket-name><region>Note: Make sure you have the necessary permissions to execute these commands.
By following the above troubleshooting steps and using the provided AWS CLI commands, you can ensure compliance with the requirement of having at least one enabled trail in a region for NIST 800-53 Revision 5.