
Rule: CloudTrail trails should be integrated with CloudWatch logs

This rule ensures integration of CloudTrail trails with CloudWatch logs.

Rule: CloudTrail trails should be integrated with CloudWatch logs
Framework: RBI Cyber Security Framework
Severity: Critical

Rule/Policy Description:

The rule/policy states that CloudTrail trails should be integrated with CloudWatch logs to meet the requirements outlined in the RBI (Reserve Bank of India) Cyber Security Framework. This integration ensures the necessary monitoring and logging capabilities to identify and respond to potential security incidents within the cloud environment.

By integrating CloudTrail with CloudWatch logs, organizations can collect, consolidate, and analyze log data from multiple AWS services, including CloudTrail, in a centralized location for enhanced visibility and threat detection purposes.

Troubleshooting Steps:

While setting up the integration between CloudTrail and CloudWatch logs, you may encounter some common issues. Here are the troubleshooting steps to resolve them:

  1. Missing Permissions: Ensure that the IAM (Identity and Access Management) user or role used to create the CloudWatch Logs integration has the necessary permissions. The IAM entity needs the cloudwatch:CreateLogStream and cloudwatch:PutLogEvents permissions on the CloudWatch Logs group you are using.

  2. Incorrect Log Group Configuration: Double-check the CloudWatch Logs group configuration to ensure it matches the intended setup. Pay attention to the log group name and region used during the configuration process.

  3. CloudTrail and CloudWatch Logs in Different Regions: Confirm that both CloudTrail and CloudWatch Logs are configured in the same region. Cross-region integration is not supported for CloudTrail and CloudWatch Logs.

  4. Disabled Trail Logging: Ensure that the CloudTrail trail is enabled for logging. If logging is disabled, no logs will be sent to CloudWatch.
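The four conditions above can be checked mechanically from the trail description, its logging status and the policy attached to the trail's CloudWatch Logs role. The following audit function is an added example, not part of this page or of any AWS tooling; it works on the JSON shapes returned by `aws cloudtrail describe-trails`, `aws cloudtrail get-trail-status` and the role's policy document, with constructed sample data (hypothetical trail name, role name and account id). The IAM actions it looks for are in the `logs:` service namespace, which is the namespace of the CloudWatch Logs API.

```python
# Actions the trail's role must be allowed on the log group (logs: namespace).
REQUIRED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}


def _arn_region(arn):
    # ARN layout: arn:partition:service:region:account:resource; region is field 3.
    parts = arn.split(":")
    return parts[3] if len(parts) > 3 else ""


def _allowed_actions(policy_doc):
    # Collect the actions of every Allow statement (wildcards are not expanded).
    actions = set()
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            acts = stmt.get("Action", [])
            actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def check_trail(trail, status, role_policy):
    """Return findings for one trail (empty list == compliant). Inputs are one
    describe-trails entry, its get-trail-status output and the role's policy."""
    findings = []
    group_arn = trail.get("CloudWatchLogsLogGroupArn")
    role_arn = trail.get("CloudWatchLogsRoleArn")
    if not group_arn or not role_arn:
        findings.append("trail is not integrated with CloudWatch Logs")
        return findings  # the remaining checks need the integration fields
    if _arn_region(group_arn) != trail.get("HomeRegion"):
        findings.append("log group region differs from trail home region")
    if not status.get("IsLogging"):
        findings.append("trail logging is disabled")
    missing = REQUIRED_ACTIONS - _allowed_actions(role_policy)
    if missing:
        findings.append("role lacks " + ", ".join(sorted(missing)))
    return findings


# Constructed sample of a misconfigured trail (hypothetical names and account id).
SAMPLE_TRAIL = {
    "Name": "org-trail", "HomeRegion": "ap-south-1",
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:ct-logs:*",
    "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/CloudTrail_CWLogs_Role",
}
SAMPLE_STATUS = {"IsLogging": False}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "logs:CreateLogStream", "Resource": "*"}]}

if __name__ == "__main__":
    for finding in check_trail(SAMPLE_TRAIL, SAMPLE_STATUS, SAMPLE_POLICY):
        print("FINDING:", finding)
```

Run it against the real outputs of the two CLI calls and `aws iam get-role-policy` (or the attached managed policy) to turn the troubleshooting list into a repeatable check.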

Necessary Codes:

There are no specific codes provided in the rule/policy description. However, you may need to use AWS CLI (Command Line Interface) commands to configure CloudTrail and CloudWatch logs integration. The following commands can help you with the setup:

# Create a CloudWatch Logs group
aws logs create-log-group --log-group-name <LogGroupName>

# Create a CloudTrail trail (multi-region, with log file validation and global service events)
aws cloudtrail create-trail --name <TrailName> --s3-bucket-name <S3BucketName> --is-multi-region-trail --enable-log-file-validation --include-global-service-events

# Start logging on the trail (create-trail alone does not enable log delivery)
aws cloudtrail start-logging --name <TrailName>

# Update the trail to send logs to CloudWatch Logs
aws cloudtrail update-trail --name <TrailName> --cloud-watch-logs-log-group-arn <LogGroupARN> --cloud-watch-logs-role-arn <LogRoleARN>

Make sure to replace <LogGroupName>, <TrailName>, <S3BucketName>, <LogGroupARN>, and <LogRoleARN> with your specific configuration details.

Step-by-Step Guide for Integration:

Follow the step-by-step guide below to integrate CloudTrail trails with CloudWatch logs:

  1. Create a CloudWatch Logs Group:

    • Open the AWS Management Console and go to the CloudWatch service.
    • Navigate to the "Logs" section in the left sidebar and click on "Log groups".
    • Click on "Create log group" and provide a name for the log group. Remember this name for later configuration.
    • Click on "Create" to create the log group.

  2. Create a CloudTrail Trail:

    • Open the AWS Management Console and go to the CloudTrail service.
    • Click on "Trails" in the left sidebar and then click on "Create trail".
    • Provide a name for the trail and ensure the trail is created in the same region as your resources.
    • Select the S3 bucket where you want to store the CloudTrail logs and enable log file integrity validation for enhanced security.
    • Enable "Read/Write events" and "Management events" to capture relevant logs.
    • Click on "Create" to create the trail.

  3. Update the Trail to Send Logs to CloudWatch Logs:

    • Keep the CloudTrail trail selected and click on "Edit" in the top navigation bar.
    • Expand the "CloudWatch Logs" section and select "Configure".
    • Select the log group you created in step 1 from the dropdown menu.
    • Specify an IAM role that allows CloudTrail to write logs to your CloudWatch log group.
    • Click on "Save" to update the trail.

Once the configuration is completed, CloudTrail logs will be sent to the specified CloudWatch Logs group, enabling you to monitor and analyze the logs using CloudWatch features and capabilities.

Note: It's important to review and fine-tune the cloud logging configuration periodically to ensure the effectiveness of this security control.
