Profile Applicability:
Level 1
Description:
This control ensures that AWS CloudTrail trails are integrated with Amazon CloudWatch Logs to enable near real-time monitoring and alerting of account activity. Integration allows log events to be continuously sent from CloudTrail to CloudWatch Logs, where metric filters, dashboards, and alarms can be configured to detect and respond to security-related events promptly.
Rationale:
Integrating CloudTrail with CloudWatch Logs enhances security visibility and incident response capabilities. It allows security teams to create metric filters for detecting suspicious or unauthorized activity, such as IAM policy changes, failed login attempts, or root account usage. Without this integration, CloudTrail logs are only available in S3, making it difficult to monitor events in real time.
Impact:
Positive Impact: Provides real-time visibility into AWS account activity, improves incident detection, and accelerates response times.
Negative Impact: Slight increase in CloudWatch costs for metric storage and alarms.
Default Value:
By default, CloudTrail is not integrated with CloudWatch Logs. Manual configuration is required to enable integration.
Pre-Requisite:
- AWS CloudTrail must be enabled and configured.
- A CloudWatch Logs group must exist or be created for CloudTrail log delivery.
- An IAM role with the following permissions must be available and attached to CloudTrail:
  - logs:CreateLogStream
  - logs:PutLogEvents
  - logs:DescribeLogGroups
  - logs:DescribeLogStreams
Remediation
Test Plan
Using AWS Console:
- Sign in to the AWS Management Console.
- Navigate to CloudTrail → Trails.
- Select the existing trail.
- Under General details, locate the CloudWatch Logs section.
- Verify that a Log group name and IAM role are configured.
- If the log group or role is missing, CloudTrail is not integrated with CloudWatch Logs and is non-compliant.
Implementation Plan
Using AWS Console:
- Navigate to the AWS CloudTrail Console.
- Select Trails → [Your Trail Name].
- In the General details section, click Edit.
- Under CloudWatch Logs, select Enabled.
- Choose an existing Log group, or create a new one (e.g., /aws/cloudtrail/logs).
- Assign an IAM role with permissions to publish events to CloudWatch Logs. The role should include policies for logs:CreateLogStream and logs:PutLogEvents.
- Click Save changes.
- Verify that the trail’s status shows as Active and the CloudWatch Logs integration is displayed.
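The Test Plan check and the role permissions from the Implementation Plan, as an added example that is not part of this benchmark: it evaluates a constructed sample of `aws cloudtrail describe-trails` output for trails missing the CloudWatch Logs group or role, and builds a least-privilege policy for the delivery role. The trail names, account ID and the `:log-stream:*` resource scoping are assumptions.

```python
# Constructed sample in the shape of `aws cloudtrail describe-trails` output
# (assumed names and account ID; not taken from a real account).
SAMPLE_DESCRIBE_TRAILS = {
    "trailList": [
        {   # integrated: both the log group and the delivery role are set
            "Name": "org-trail",
            "IsMultiRegionTrail": True,
            "CloudWatchLogsLogGroupArn":
                "arn:aws:logs:us-east-1:111122223333:log-group:/aws/cloudtrail/logs:*",
            "CloudWatchLogsRoleArn":
                "arn:aws:iam::111122223333:role/CloudTrail_CloudWatchLogs_Role",
        },
        {   # log group set but no role: CloudTrail cannot deliver events
            "Name": "half-configured-trail",
            "CloudWatchLogsLogGroupArn":
                "arn:aws:logs:us-east-1:111122223333:log-group:/aws/cloudtrail/logs:*",
        },
        {   # S3-only trail: no CloudWatch Logs integration at all
            "Name": "s3-only-trail",
        },
    ]
}

STREAM_ACTIONS = ["logs:CreateLogStream", "logs:PutLogEvents"]
DESCRIBE_ACTIONS = ["logs:DescribeLogGroups", "logs:DescribeLogStreams"]


def non_compliant_trails(describe_trails):
    """Names of trails that lack a CloudWatch Logs group ARN or delivery role ARN."""
    return [
        trail["Name"]
        for trail in describe_trails.get("trailList", [])
        if not trail.get("CloudWatchLogsLogGroupArn")
        or not trail.get("CloudWatchLogsRoleArn")
    ]


def delivery_role_policy(log_group_arn):
    """Policy for the role CloudTrail assumes, limited to one log group.

    Stream-level actions are scoped to the group's log streams (assumed
    ':log-stream:*' form); the Describe* actions are left on '*'.
    """
    base = log_group_arn[:-2] if log_group_arn.endswith(":*") else log_group_arn
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": STREAM_ACTIONS,
             "Resource": [f"{base}:log-stream:*"]},
            {"Effect": "Allow", "Action": DESCRIBE_ACTIONS, "Resource": "*"},
        ],
    }
```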
Backout Plan
Using AWS Console:
- Go to the AWS CloudTrail Console → Trails.
- Select the trail with CloudWatch Logs integration.
- Click Edit.
- Under CloudWatch Logs, select Disable.
- Click Save changes to stop sending CloudTrail logs to CloudWatch Logs.