Ensure Presence of Multi-Region AWS CloudTrail - Rule

This rule requires at least one multi-region AWS CloudTrail to be present in an account for enhanced security and monitoring.

Rule: At least one multi-region AWS CloudTrail should be present in an account
Framework: SOC 2
Severity: Medium

Rule Description:

This rule, which maps to the SOC 2 monitoring criteria, requires at least one multi-region CloudTrail in every AWS account. CloudTrail records the API calls made in the account: the caller identity, source IP address, time, resources affected and request parameters. A single-region trail only records activity in its home region, so an attacker who operates in a region you do not normally use (launching instances, creating resources, staging data for exfiltration) leaves no trace in your logs. A multi-region trail covers every region, including regions enabled after the trail was created, and logs global service events such as IAM and STS once, which is what gives you complete visibility into account activity.

Remediation Steps:

To satisfy this rule, follow the steps below to set up a multi-region AWS CloudTrail:

1. Log in to the AWS Management Console:

  • Go to the AWS Management Console and sign in to your AWS account.

2. Open the CloudTrail service:

  • In the AWS Management Console, navigate to the CloudTrail service.

3. Create a new CloudTrail trail:

  • Click on the Create trail button to start creating a new CloudTrail trail.

4. Trail settings:

  • Specify a Trail name that is descriptive and meaningful.
  • Make sure the trail applies to all regions. In the current console a trail created with Create trail is multi-region by default; with the CLI or API this is the --is-multi-region-trail / IsMultiRegionTrail setting. A single-region trail does not satisfy this rule.
  • Create a new S3 bucket or select an existing one to store the logs. An existing bucket needs a bucket policy that allows the cloudtrail.amazonaws.com service principal s3:GetBucketAcl on the bucket and s3:PutObject under the AWSLogs/<account-id>/ prefix; the console writes this policy for you when it creates the bucket.

5. Data events and management events:

  • Enable Management events with Read/Write events set to All, so that read-only calls (Describe*, List*, Get*) are captured as well as changes; reconnaissance before an attack is mostly read activity.
  • Data events (S3 object-level and Lambda invocation activity) are optional and billed separately; enable them only for the buckets and functions that need it.
  • Optionally send the trail to a CloudWatch Logs log group. This is what makes metric filters and alarms on specific API calls possible (root sign-in, IAM policy changes, the trail itself being stopped).

6. Storage location and encryption:

  • Confirm the S3 bucket (and optional prefix) where the logs will be stored, and keep the bucket private with Block Public Access enabled.
  • Enable SSE-KMS encryption of the log files. The KMS key policy must allow cloudtrail.amazonaws.com to generate data keys with the key, and anyone who reads the logs needs kms:Decrypt on it.

7. Enable log file validation and any other advanced settings:

  • Enable log file validation. CloudTrail then delivers signed digest files that let you prove, with aws cloudtrail validate-logs, that log files were not modified or deleted after delivery.
  • Adjust event selectors or the CloudWatch Logs role as your requirements dictate.

8. Review and create the trail:

  • Review all the settings, and if everything looks correct, click on Create to create the new CloudTrail trail.
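The same procedure scripted against the CloudTrail and S3 APIs, as an added example that is not Cloud Defense's own code. It builds the bucket policy CloudTrail requires, creates the trail with the multi-region, global-events and log-file-validation settings from the steps above, sets management-event selectors and starts logging. The bucket, account ID, region and trail name are placeholders, and the live part assumes boto3 and AWS credentials with the permissions listed in the troubleshooting section.

```python
import json


def build_cloudtrail_bucket_policy(bucket, account_id, region, trail_name):
    """Return the bucket policy CloudTrail requires before it accepts a bucket.

    Statement 1 lets the service check the bucket ACL, statement 2 lets it
    write under AWSLogs/<account-id>/. The aws:SourceArn condition pins both
    grants to this one trail so a trail in another account cannot be pointed
    at the bucket to write objects into it.
    """
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceArn": trail_arn,
                    }
                },
            },
        ],
    }


def create_multi_region_trail(trail_name, bucket, account_id, region, kms_key_id=None):
    """Apply the bucket policy, create the trail, set selectors, start logging.

    Needs AWS credentials and boto3; the names passed in are placeholders.
    """
    import boto3  # imported here so the policy builder runs without boto3 installed

    s3 = boto3.client("s3", region_name=region)
    cloudtrail = boto3.client("cloudtrail", region_name=region)

    policy = build_cloudtrail_bucket_policy(bucket, account_id, region, trail_name)
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))

    params = {
        "Name": trail_name,
        "S3BucketName": bucket,
        "IsMultiRegionTrail": True,          # the setting this rule checks
        "IncludeGlobalServiceEvents": True,  # IAM, STS, CloudFront etc. logged once
        "EnableLogFileValidation": True,     # signed digest files for tamper detection
    }
    if kms_key_id:
        # The key policy must allow cloudtrail.amazonaws.com to generate data keys.
        params["KmsKeyId"] = kms_key_id
    trail = cloudtrail.create_trail(**params)

    # Management events, Read and Write. Add data events separately if required.
    cloudtrail.put_event_selectors(
        TrailName=trail_name,
        EventSelectors=[{"ReadWriteType": "All", "IncludeManagementEvents": True}],
    )
    # CreateTrail alone delivers nothing; logging has to be started explicitly.
    cloudtrail.start_logging(Name=trail_name)
    return trail["TrailARN"]


if __name__ == "__main__":
    # Placeholder identifiers; replace with your own before running.
    print(json.dumps(build_cloudtrail_bucket_policy(
        "example-cloudtrail-logs", "123456789012", "us-east-1", "org-trail"), indent=2))
```

The aws:SourceArn condition is the part most hand-written policies omit; without it any CloudTrail in any account that knows the bucket name can write into it, which is a way for an attacker to fill the bucket with noise or consume its storage.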

Troubleshooting Steps:

If you encounter any issues during the setup process, consider the following troubleshooting steps:

  1. IAM Permissions: Ensure that the IAM user or role you are using has cloudtrail:CreateTrail, cloudtrail:PutEventSelectors and cloudtrail:StartLogging, plus s3:PutBucketPolicy (and s3:CreateBucket if the console creates the bucket) on the target bucket.

  2. S3 Bucket Policy: It is the CloudTrail service, not your IAM user, that writes to the bucket. The bucket policy must allow the cloudtrail.amazonaws.com principal s3:GetBucketAcl on the bucket and s3:PutObject on AWSLogs/<account-id>/*, with the s3:x-amz-acl condition set to bucket-owner-full-control. An InsufficientS3BucketPolicyException from the API, or the equivalent bucket policy error in the console, means this statement is missing or wrong.

  3. S3 Bucket Region: The bucket does not have to be in the same region as the trail; CloudTrail delivers logs from all regions to it. Keeping it in the trail's home region only avoids cross-region data transfer charges.

  4. Bucket Name Availability: S3 bucket names are globally unique across all accounts and regions, so a name taken anywhere in AWS cannot be reused.

  5. CloudTrail Service Limit: Each region allows five trails. A multi-region trail counts as one trail in every region, so a MaximumNumberOfTrailsExceededException can be caused by single-region trails that already exist in other regions.

  6. CloudTrail Log Delivery: Confirm that logs are arriving by checking for new objects under AWSLogs/<account-id>/CloudTrail/<region>/ in the bucket and by inspecting the trail status (IsLogging, LatestDeliveryTime and LatestDeliveryError). A trail that exists but is not logging, or cannot deliver to the bucket, does not satisfy this rule.
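The rule check itself, as an added example (not Cloud Defense's rule engine): it evaluates the trail list the way the rule description and troubleshooting step 6 describe, failing a trail that is single-region, stopped, erroring on delivery or not recording both Read and Write management events, and treating missing log file validation or SSE-KMS as warnings. The dictionaries mirror the shape of boto3's describe_trails, get_trail_status and get_event_selectors responses; the sample trails, ARNs and account ID are constructed for the example, and the live fetch at the end assumes boto3 and credentials.

```python
"""Rule check: does the account have at least one multi-region trail that is logging?"""

LEGACY_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/legacy-useast1"
ORG_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"

# Constructed sample data shaped like boto3 describe_trails()["trailList"],
# get_trail_status() and get_event_selectors() responses.
SAMPLE_TRAILS = [
    {"Name": "legacy-useast1", "TrailARN": LEGACY_ARN, "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
    {"Name": "org-trail", "TrailARN": ORG_ARN, "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
]
SAMPLE_STATUS = {
    LEGACY_ARN: {"IsLogging": True},
    ORG_ARN: {"IsLogging": False},   # someone ran StopLogging on the good trail
}
SAMPLE_SELECTORS = {
    LEGACY_ARN: {"EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
    ORG_ARN: {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
}


def captures_all_management_events(selectors):
    """True if the trail records management events for both Read and Write calls.

    Handles the basic EventSelectors form and AdvancedEventSelectors, where a
    readOnly field selector restricts the trail to one direction only.
    """
    for s in selectors.get("EventSelectors", []):
        if s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All":
            return True
    for s in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in s.get("FieldSelectors", [])}
        category = fields.get("eventCategory", {}).get("Equals", [])
        if "Management" in category and "readOnly" not in fields:
            return True
    return False


def evaluate_trail(trail, status, selectors):
    """Return (failures, warnings): failures break the rule, warnings are hardening gaps."""
    failures, warnings = [], []
    if not trail.get("IsMultiRegionTrail"):
        failures.append("single-region trail")
    if not status.get("IsLogging"):
        failures.append("logging is stopped")
    if status.get("LatestDeliveryError"):
        failures.append("S3 delivery error: " + status["LatestDeliveryError"])
    if not captures_all_management_events(selectors):
        failures.append("management events not recorded for both Read and Write")
    if not trail.get("LogFileValidationEnabled"):
        warnings.append("log file validation disabled")
    if not trail.get("KmsKeyId"):
        warnings.append("log files not encrypted with SSE-KMS")
    return failures, warnings


def account_is_compliant(trails, status_by_arn, selectors_by_arn):
    """The rule passes when at least one trail has no failures."""
    return any(
        not evaluate_trail(t, status_by_arn.get(t["TrailARN"], {}),
                           selectors_by_arn.get(t["TrailARN"], {}))[0]
        for t in trails
    )


def fetch_from_aws(region="us-east-1"):
    """Pull the three structures from a live account (needs boto3 and credentials).

    describe_trails includes shadow trails by default, so an organization trail
    created in the management account shows up in member accounts and counts.
    Status and selectors are requested by ARN so shadow trails resolve too.
    """
    import boto3
    ct = boto3.client("cloudtrail", region_name=region)
    trails = ct.describe_trails()["trailList"]
    status = {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    selectors = {t["TrailARN"]: ct.get_event_selectors(TrailName=t["TrailARN"]) for t in trails}
    return trails, status, selectors


if __name__ == "__main__":
    for t in SAMPLE_TRAILS:
        f, w = evaluate_trail(t, SAMPLE_STATUS[t["TrailARN"]], SAMPLE_SELECTORS[t["TrailARN"]])
        print(t["Name"], "FAIL" if f else "PASS", f, w)
    print("account compliant:", account_is_compliant(SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_SELECTORS))
```

On the sample data the account is non-compliant even though a multi-region trail exists, because that trail has been stopped; a check that only counts trails from describe_trails would miss this, which is why the status call is part of the rule.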

Additional Notes:

  • A multi-region trail records activity in every region, including regions enabled after the trail was created, which is why it is preferred over a set of single-region trails.
  • Regularly review and analyze CloudTrail logs (for example with Athena over the S3 bucket, or CloudWatch Logs Insights) to identify suspicious or unauthorized activity, and alert when the trail itself is stopped, deleted or has its event selectors changed.
  • Consider integrating CloudTrail with Amazon CloudWatch, Amazon EventBridge, or a third-party SIEM for threat detection and security automation.
  • Document and maintain an up-to-date CloudTrail configuration for auditing and compliance purposes.
