Profile Applicability: Level 1


Description:

AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long-term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.


Rationale: 

Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides an opportunity to establish alarms and notifications for anomalous or sensitive account activity.


Impact:

With CloudWatch integration enabled, you will be able to manage your AWS infrastructure better. This enables you to respond quickly to critical operational events detected through CloudTrail events and captured in CloudWatch Logs.


Default Value:

By default, CloudTrail trails are not integrated with CloudWatch.


Audit: 

Perform the following to ensure CloudTrail is configured as prescribed:

Via the AWS Management Console:

  1. Sign in to the AWS Management Console

  2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/

  3. Click Trails in the left menu

  4. Select the trail you want to examine

  5. Under the CloudWatch Logs section, check whether a log group is listed

If no log group is listed, the CloudTrail trail is not integrated with CloudWatch Logs.


Via CLI:

aws logs describe-log-groups

Remediation:

Pre-Requisite:

  1. Sign in as an admin or IAM user with the required permissions

  2. At least one CloudWatch Logs log group must exist

Implementation steps: 

  1. Sign in to the AWS Management Console

  2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/

  3. Select the trail you want to modify

  4. Go to the CloudWatch Logs section and click Edit

  5. Check the Enabled checkbox

  6. Log group: use an existing log group or create a new one

  7. IAM Role: configure the IAM role that will deliver CloudTrail events to CloudWatch Logs; create or select an IAM role and a policy name

  8. Click Save changes


Backout Plan:

To disable, follow the same steps in the implementation section and uncheck the CloudWatch Logs checkbox.


Via CLI:

aws cloudtrail update-trail \
  --name MyCloudTrail \
  --cloud-watch-logs-log-group-arn \
  arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/MyCloudTrailLG:* \
  --cloud-watch-logs-role-arn \
  arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role
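The following script is an added example for both the Audit and Remediation sections above; it is not part of this benchmark or of any AWS tooling. `aws logs describe-log-groups` only lists the log groups that exist, so to see which trail actually delivers to a log group the script reads the output of `aws cloudtrail describe-trails` (the `trailList`, `CloudWatchLogsLogGroupArn` and `CloudWatchLogsRoleArn` fields are the real ones from that command), flags every trail where either the log group or the delivery role is missing or malformed, and prints the `update-trail` command from the Remediation section for each failing trail. It also builds the trust policy and permissions policy the delivery role needs (CloudTrail assumes the role and writes with `logs:CreateLogStream` and `logs:PutLogEvents`), scoped to the one target log group. The trail data below is constructed sample input, and the account id, bucket, role and trail names in it are made up.

```python
"""Check which CloudTrail trails deliver to CloudWatch Logs, and print the
remediation for those that do not.

Live:  aws cloudtrail describe-trails | python3 cloudtrail_cw_check.py
Demo:  python3 cloudtrail_cw_check.py   (uses the constructed sample below)
"""
import json
import re
import sys

# Constructed sample mimicking the shape of `aws cloudtrail describe-trails`
# output; the account id, names and ARNs are invented for illustration.
SAMPLE_DESCRIBE_TRAILS = {
    "trailList": [
        {   # integrated: both the log group and the delivery role are set
            "Name": "management-trail",
            "HomeRegion": "us-east-1",
            "IsMultiRegionTrail": True,
            "S3BucketName": "example-cloudtrail-bucket",
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/MyCloudTrailLG:*",
            "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role",
        },
        {   # not integrated: no CloudWatch Logs fields at all
            "Name": "legacy-trail",
            "HomeRegion": "us-east-1",
            "IsMultiRegionTrail": False,
            "S3BucketName": "example-cloudtrail-bucket",
        },
        {   # half configured: log group set but no role, so nothing is delivered
            "Name": "half-configured-trail",
            "HomeRegion": "eu-west-1",
            "IsMultiRegionTrail": False,
            "S3BucketName": "example-cloudtrail-bucket",
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:eu-west-1:123456789012:log-group:CloudTrail/Other:*",
        },
    ]
}

# Shape checks for the two ARNs; log group names cannot contain ':'.
LOG_GROUP_ARN_RE = re.compile(r"^arn:aws[\w-]*:logs:[a-z0-9-]+:\d{12}:log-group:[^:]+(:\*)?$")
ROLE_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/.+$")


def find_unintegrated_trails(describe_output):
    """Return the names of trails that are not delivering to CloudWatch Logs.

    A trail only counts as integrated when both CloudWatchLogsLogGroupArn and
    CloudWatchLogsRoleArn are present and well-formed: a log group without a
    delivery role means CloudTrail has no credentials it is allowed to write with.
    """
    failing = []
    for trail in describe_output.get("trailList", []):
        log_group = trail.get("CloudWatchLogsLogGroupArn", "")
        role = trail.get("CloudWatchLogsRoleArn", "")
        if not (LOG_GROUP_ARN_RE.match(log_group) and ROLE_ARN_RE.match(role)):
            failing.append(trail["Name"])
    return failing


def remediation_command(trail_name, log_group_arn, role_arn):
    """Build the `aws cloudtrail update-trail` call from the Remediation section."""
    return (
        "aws cloudtrail update-trail"
        f" --name {trail_name}"
        f" --cloud-watch-logs-log-group-arn {log_group_arn}"
        f" --cloud-watch-logs-role-arn {role_arn}"
    )


def cloudtrail_delivery_role_policies(log_group_arn):
    """Trust policy and permissions policy for the delivery role.

    CloudTrail assumes the role (trust on cloudtrail.amazonaws.com) and needs
    logs:CreateLogStream and logs:PutLogEvents on the target log group; the
    resource is scoped to that one log group rather than "*".
    """
    trust = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }
    permissions = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": log_group_arn,
        }],
    }
    return trust, permissions


if __name__ == "__main__":
    data = SAMPLE_DESCRIBE_TRAILS if sys.stdin.isatty() else json.load(sys.stdin)
    for name in find_unintegrated_trails(data):
        print(f"FAIL {name}: not integrated with CloudWatch Logs")
        # Placeholders in capitals are to be replaced with the real values.
        print("  " + remediation_command(
            name,
            "arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME:*",
            "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"))
```

Run against a live account as `aws cloudtrail describe-trails | python3 cloudtrail_cw_check.py`; with no input on stdin it evaluates the constructed sample, where `legacy-trail` and `half-configured-trail` fail. The half-configured case is the one the console check in the Audit section can miss: a log group is shown, but without a role ARN no events reach it.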


References: 

https://aws.amazon.com/cloudtrail/ 

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html 


CIS Controls:

6.2 Activate audit logging 

    Ensure that local logging has been enabled on all systems and networking devices. 

6.5 Central Log Management 

    Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.