Profile Applicability: Level 1


Description:

AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long-term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.


Rationale: 

Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides an opportunity to establish alarms and notifications for anomalous or sensitive account activity.


Impact:

With CloudWatch integration enabled, you will be able to manage your AWS infrastructure better. This lets you respond quickly to critical operational events that are detected through CloudTrail events and captured in CloudWatch Logs.


Default Value:

By default, CloudTrail trails are not integrated with CloudWatch.


Pre-Requisite:

  1. Sign in as an admin or IAM user with the required permissions

  2. Need at least one log group


Remediation:


Test Plan: 

  1. Sign in to the AWS Management Console

  2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/

  3. Click Trails in the left menu

  4. Select the trail you want to examine

  5. Under the CloudWatch Logs section, check whether any log group is listed

If no log group is listed, the CloudTrail trail is not integrated with CloudWatch.


Using AWS CLI:

Run the describe command using the Amazon CloudTrail trail name you want to test as the ID parameter and a custom query filter to return the ARN of the CloudWatch Logs log group associated with the trail:

aws cloudtrail describe-trails --region us-east-1 --trail-name-list management-events --query "trailList[*].CloudWatchLogsLogGroupArn"

If this command returns an empty array, the trail you selected is not integrated with CloudWatch.
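The CLI query above inspects one trail at a time. The following added example (not part of the benchmark text) applies the same check to the full `describe-trails` output for an account and also verifies that the delivery role is present, since a log group without a role delivers nothing. The embedded JSON is a constructed sample in the shape the CLI prints, so the script runs without AWS access; pipe real `aws cloudtrail describe-trails` output into it instead.

```python
import json
import re

# Constructed sample of `aws cloudtrail describe-trails` output; not real account data.
SAMPLE_DESCRIBE_TRAILS = json.dumps({"trailList": [
    {   # integrated: log group and delivery role both present
        "Name": "management-events",
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/MyCloudTrailLG:*",
        "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role",
    },
    {   # not integrated: neither CloudWatch field is present (the CLI query above returns [])
        "Name": "data-events-only",
    },
    {   # half-configured: log group set but no delivery role, so nothing reaches CloudWatch
        "Name": "half-configured",
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:Other:*",
    },
]})

# Shape of a CloudWatch Logs log-group ARN and of an IAM role ARN, as used in the remediation command.
LOG_GROUP_ARN = re.compile(r"^arn:aws[a-z-]*:logs:[a-z0-9-]+:\d{12}:log-group:[^:]+(:\*)?$")
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")


def audit_trails(describe_trails_json):
    """Map each trail name to its list of findings; an empty list means the trail passes."""
    findings = {}
    for trail in json.loads(describe_trails_json).get("trailList", []):
        problems = []
        group = trail.get("CloudWatchLogsLogGroupArn")
        role = trail.get("CloudWatchLogsRoleArn")
        if not group:
            problems.append("no CloudWatch Logs log group configured")
        elif not LOG_GROUP_ARN.match(group):
            problems.append("CloudWatchLogsLogGroupArn is not a log-group ARN")
        if not role:
            problems.append("no IAM role for CloudWatch Logs delivery")
        elif not ROLE_ARN.match(role):
            problems.append("CloudWatchLogsRoleArn is not an IAM role ARN")
        findings[trail["Name"]] = problems
    return findings


def noncompliant_trails(describe_trails_json):
    """Sorted names of trails that fail the check, for a pass/fail summary."""
    return sorted(name for name, problems in audit_trails(describe_trails_json).items() if problems)


if __name__ == "__main__":
    for name, problems in audit_trails(SAMPLE_DESCRIBE_TRAILS).items():
        print(f"{name}: {'PASS' if not problems else 'FAIL: ' + '; '.join(problems)}")
```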

Implementation steps: 

  1. Sign in to the AWS Management Console

  2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/

  3. Select the trail you want to modify

  4. Go to the CloudWatch Logs section and click Edit

  5. Check the Enabled checkbox

  6. Log group: use an existing log group or create a new one

  7. Configure the IAM role that will deliver CloudTrail events to CloudWatch Logs: create or select an IAM role and a policy name

  8. Click on save changes


Using AWS CLI:

aws cloudtrail update-trail \
  --name MyCloudTrail \
  --cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/MyCloudTrailLG:* \
  --cloud-watch-logs-role-arn arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role


Backout Plan:

To disable, follow the same steps as in the implementation section and uncheck the CloudWatch Logs Enabled checkbox.


Using AWS CLI:

References: 

https://aws.amazon.com/cloudtrail/ 

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html 


CIS Controls:

6.2 Activate audit logging 

    Ensure that local logging has been enabled on all systems and networking devices. 

6.5 Central Log Management 

    Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.