Rule: CloudTrail trails should be integrated with CloudWatch logs
This rule ensures CloudTrail trails are integrated with CloudWatch logs.
| Rule | CloudTrail trails should be integrated with CloudWatch logs |
| Framework | SOC 2 |
| Severity | ✔ Critical |
Rule Description:
This rule ensures that CloudTrail trails are integrated with CloudWatch logs for SOC 2 compliance. CloudTrail is a service that records AWS API calls and provides valuable insights into who made the request, when it was made, and what actions were performed. CloudWatch logs, on the other hand, is a scalable and highly available log management service provided by AWS. Integrating CloudTrail with CloudWatch logs allows for better visibility, monitoring, and analysis of CloudTrail logs, which is crucial for meeting SOC 2 compliance requirements.
Troubleshooting Steps:
If the integration between CloudTrail and CloudWatch logs is not working as expected, you can follow these troubleshooting steps:
- 1.
Verify CloudWatch Log Group Subscription:
- Go to the CloudWatch Logs console.
- Select the appropriate log group that should be subscribed to the CloudTrail logs.
- Check if the subscription filter for CloudTrail logs is present. If not, create a new subscription filter using the appropriate filter pattern.
- 2.
Check IAM Role Permissions:
- Ensure that the IAM role associated with the CloudTrail trail has the necessary permissions to write logs to the specified CloudWatch log group.
- To do this, go to the IAM console and locate the IAM role associated with the CloudTrail trail.
- Review the role's policies and ensure that it has the required permissions, specifically
andlogs:CreateLogStream
.logs:PutLogEvents
- 3.
Validate Trail Configuration:
- Go to the CloudTrail console.
- Find the trail that should be integrated with CloudWatch logs.
- Verify that the correct CloudWatch log group is selected under the "CloudWatch Logs" section.
- If the log group is incorrect or not selected, update the trail configuration to use the appropriate log group.
- 4.
Verify Trail Status:
- Check the status of the CloudTrail trail to ensure it is in an "Active" state.
- If the trail is not active, go to the trail settings and enable it.
- 5.
Review CloudWatch Log Group Size:
- In some cases, the CloudWatch log group associated with CloudTrail logs may reach the maximum allowed size, leading to potential logging issues.
- Go to the CloudWatch Logs console and check the size of the log group.
- If the log group is nearing its limit, consider archiving or deleting older log data to free up space.
Necessary Codes (If Applicable):
No specific codes are required for this rule. However, you may need to use the AWS Management Console or AWS CLI commands for troubleshooting and remediation steps mentioned above.
Remediation Steps:
To integrate CloudTrail trails with CloudWatch logs for SOC 2 compliance, follow these steps:
- 1.
AWS Management Console:
- Log in to the AWS Management Console.
- Go to the CloudTrail console.
- Select the desired CloudTrail trail that needs to be integrated with CloudWatch logs.
- Click on the "Edit" button.
- Under the "CloudWatch Logs" section, select the appropriate CloudWatch log group from the dropdown menu.
- Click "Save" to update the trail configuration.
- 2.
AWS CLI Command:
- Install and configure the AWS CLI (if not already).
- Open the terminal and use the following CLI command to update the trail configuration:
Replaceaws cloudtrail update-trail --name <trail-name> --cloud-watch-logs-log-group-arn <log-group-arn>
with the name of the CloudTrail trail and<trail-name>
with the ARN of the CloudWatch log group.<log-group-arn>
Following these steps will successfully integrate the CloudTrail trails with CloudWatch logs for SOC 2 compliance requirements. Remember to regularly monitor and review the CloudWatch logs to ensure proper functioning and adherence to compliance standards.