Rule: At least one enabled trail should be present in a region
This rule ensures the presence of at least one enabled trail in a region for compliance.
| Rule | At least one enabled trail should be present in a region |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ Low |
Rule Description
The rule states that at least one enabled trail should be present in a specific region for NIST Cybersecurity Framework (CSF) v1. This rule ensures that proper logging and monitoring mechanisms are in place to meet the requirements set by the NIST CSF v1.
Troubleshooting Steps
If you encounter issues with this rule, follow these troubleshooting steps:
- 1.Verify existing trails: Check if there are any existing trails in the region specified.
- 2.Trail status: Ensure that the existing trails are enabled. If not, enable them.
- 3.Create new trail: If no enabled trail exists, create a new one and enable it.
- 4.Verify region: Ensure that the trails are present and enabled in the correct region specified by the rule.
Necessary Codes
There are no specific codes provided for this rule. However, you can use the following code samples for creating and enabling a trail in AWS CloudTrail:
AWS CLI Command
To create a trail:
aws cloudtrail create-trail --name MyTrail --s3-bucket-name my-bucket \ --is-multi-region-trail --include-global-service-events
To enable a trail:
aws cloudtrail update-trail --name MyTrail --is-multi-region-trail
AWS CloudFormation Template
To create a trail using CloudFormation, you can use the following template snippet:
Resources:
MyTrail:
Type: AWS::CloudTrail::Trail
Properties:
IsMultiRegionTrail: true
IncludeGlobalServiceEvents: true
S3BucketName: my-bucket
Note: Replace
my-bucketStep-by-Step Guide for Remediation
Follow these steps to ensure compliance with the rule:
- 1.Step 1: Log in to the AWS Management Console.
- 2.Step 2: Navigate to the CloudTrail service.
- 3.Step 3: Check if there are any existing trails in the specified region.
- 4.Step 4: If there are no enabled trails, proceed to create a new one.
- Click on "Trails" in the left navigation panel.
- Click on "Create trail".
- Provide a name for the trail (e.g., MyTrail).
- Choose an S3 bucket to store the logs (ensure the bucket exists).
- Enable multi-region trail if required.
- Enable the option to include global service events if required.
- Click on "Create".
- 5.Step 5: If any existing trails are disabled, proceed to enable them.
- Select the trail from the list.
- Click on "Edit".
- Enable the trail if it's disabled.
- Optionally, make any other desired changes.
- Click on "Save".
- 6.Step 6: Verify the region of the trails.
- Ensure that the trails are present and enabled in the correct region specified by the rule.
- If needed, create or enable trails in other regions to fulfill the requirement.
- 7.Step 7: Validate compliance by checking if at least one enabled trail is present in the specified region for NIST CSF v1.
By following these steps, you can ensure compliance with the rule and meet the logging and monitoring requirements specified by the NIST CSF v1.