CloudTrail Events Should Be Monitored By CloudWatch Logs
More Info:
AWS CloudTrail events should be monitored with CloudWatch Logs for management and security purposes.
Risk Level
Low
Address
Security
Compliance Standards
CISAWS, CBP, HIPAA, SOC2, GDPR, NIST, AWSWAF, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate the misconfiguration “CloudTrail Events Should Be Monitored By CloudWatch Logs” in AWS using the AWS console, follow these steps:
- Open the AWS Management Console and navigate to the CloudTrail service.
- Select the trail for which you want to enable CloudWatch Logs delivery. A multi-region trail can only be edited from its home region.
- In the “CloudWatch Logs” section of the trail details, click “Edit”.
- Enable CloudWatch Logs.
- Choose the CloudWatch Logs log group that should receive the CloudTrail events (create a new one, or pick an existing one).
- Choose the IAM role that CloudTrail will assume to write to the log group (create a new role, or pick an existing one that trusts the cloudtrail.amazonaws.com service and allows logs:CreateLogStream and logs:PutLogEvents on that log group). Without this role the setting is saved but nothing is delivered.
- Click “Save changes”.
- Verify that the integration is working: the trail details should now show the log group ARN and role ARN, and within a few minutes the log group should contain a log stream named <account-id>_CloudTrail_<region> with CloudTrail events in it. If the trail status shows a CloudWatch Logs delivery error instead, the IAM role's trust or permissions policy is the usual cause.
By following these steps, you will have successfully remediated the misconfiguration “CloudTrail Events Should Be Monitored By CloudWatch Logs” in AWS.
To remediate the misconfiguration “CloudTrail Events Should Be Monitored By CloudWatch Logs” for AWS using AWS CLI, follow these steps:
- Make sure the AWS CLI is configured with credentials that may create CloudWatch Logs groups, create IAM roles and update trails, and that it targets the trail's home region (a multi-region trail can only be updated from its home region).
- Create the CloudWatch Logs group that will receive the events:
aws logs create-log-group --log-group-name my-log-group-name
Replace my-log-group-name with the name you want to give to your CloudWatch Logs group. You do not need to create a log stream yourself: CloudTrail creates one named <account-id>_CloudTrail_<region> inside the group when it starts delivering, and the role you create next must be allowed to do so.
- Create (or reuse) an IAM role that CloudTrail can assume to write to the group. The role needs a trust policy whose principal is the cloudtrail.amazonaws.com service, and a permissions policy granting logs:CreateLogStream and logs:PutLogEvents on the group's log streams, for example on arn:aws:logs:us-east-1:123456789012:log-group:my-log-group-name:log-stream:123456789012_CloudTrail_us-east-1*. Note the role's ARN, for example arn:aws:iam::123456789012:role/my-cloudtrail-role.
- Point the trail at the log group and the role:
aws cloudtrail update-trail --name my-trail-name --cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:123456789012:log-group:my-log-group-name --cloud-watch-logs-role-arn arn:aws:iam::123456789012:role/my-cloudtrail-role
Replace my-trail-name with the name of the CloudTrail trail you want to configure, replace arn:aws:logs:us-east-1:123456789012:log-group:my-log-group-name with the ARN of the CloudWatch Logs group you created above, and replace arn:aws:iam::123456789012:role/my-cloudtrail-role with the ARN of the IAM role you created above (123456789012 and us-east-1 are placeholder account ID and region values). Note: you need to have the required permissions to create the CloudWatch Logs group and the IAM role and to update the trail.
- Optionally, while you are editing the trail, also enable log file validation so that tampering with the log files CloudTrail delivers to S3 can be detected. This is a separate control and is not required for CloudWatch Logs delivery:
aws cloudtrail update-trail --name my-trail-name --enable-log-file-validation
Replace my-trail-name with the name of the CloudTrail trail you want to enable log file validation for.
- Verify that CloudTrail events are being sent to your CloudWatch Logs group. Describing the trail (aws cloudtrail describe-trails) should show the CloudWatchLogsLogGroupArn and CloudWatchLogsRoleArn you set, and the trail status (aws cloudtrail get-trail-status) should show a LatestCloudWatchLogsDeliveryTime and no LatestCloudWatchLogsDeliveryError; then check the log group in the CloudWatch Logs console for the <account-id>_CloudTrail_<region> stream and the events in it.
You have now successfully remediated the misconfiguration “CloudTrail Events Should Be Monitored By CloudWatch Logs” for AWS using AWS CLI.
To remediate this misconfiguration in AWS using Python (boto3), the script has to do what the console and CLI steps do: make sure a log group exists, then call update_trail on every trail that has no CloudWatchLogsLogGroupArn. Creating a log group on its own, or attaching a CloudWatch Logs subscription filter to it, does not make CloudTrail deliver anything; only update_trail, with both the log group ARN and the role ARN, does.
import boto3

# Assumption: this role already exists, trusts cloudtrail.amazonaws.com and is allowed
# logs:CreateLogStream and logs:PutLogEvents on the log groups created below.
CLOUDTRAIL_ROLE_ARN = "arn:aws:iam::123456789012:role/my-cloudtrail-role"

cloudtrail = boto3.client("cloudtrail")

# Only trails homed in this region: a multi-region trail shows up as a read-only
# shadow copy in the other regions and can only be updated from its home region.
for trail in cloudtrail.describe_trails(includeShadowTrails=False)["trailList"]:
    if trail.get("CloudWatchLogsLogGroupArn"):
        continue  # already delivering to CloudWatch Logs, nothing to do

    region = trail["HomeRegion"]
    logs = boto3.client("logs", region_name=region)
    log_group_name = f"CloudTrail/{trail['Name']}"
    try:
        logs.create_log_group(logGroupName=log_group_name)
    except logs.exceptions.ResourceAlreadyExistsException:
        pass  # reuse the existing group

    # describe_log_groups matches by prefix, so pick the exact name
    log_group_arn = next(
        g["arn"]
        for g in logs.describe_log_groups(logGroupNamePrefix=log_group_name)["logGroups"]
        if g["logGroupName"] == log_group_name
    )

    # This is the call that actually turns on delivery to CloudWatch Logs
    boto3.client("cloudtrail", region_name=region).update_trail(
        Name=trail["TrailARN"],
        CloudWatchLogsLogGroupArn=log_group_arn,
        CloudWatchLogsRoleArn=CLOUDTRAIL_ROLE_ARN,
    )
    print(f"{trail['Name']}: now delivering to {log_group_arn}")
- Replace CLOUDTRAIL_ROLE_ARN with the ARN of an IAM role that trusts cloudtrail.amazonaws.com and allows logs:CreateLogStream and logs:PutLogEvents on the log groups the script creates; the script assumes that role already exists.
- Save the Python script and run it once in each region that is the home region of a trail (describe_trails with includeShadowTrails=False only returns the trails homed in the client's region).
This script creates a CloudWatch Logs log group named CloudTrail/<trail name> for each trail that is not yet delivering to CloudWatch Logs, points the trail at that group, and leaves trails that already have a log group untouched. After it runs, check the trail status for a CloudWatch Logs delivery error: a wrong role policy is the usual reason events still do not appear.
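The CLI steps above refer to an IAM role that CloudTrail assumes to write to the log group but do not show its policies, and all three remediation procedures end with “check that events arrive”, which the audit itself has to do programmatically. The following script is an added example written for this page, not code from the original page or from any audit tool: it builds the trust and permissions documents for that role from a log-group ARN, scoped to the <account-id>_CloudTrail_<region> log stream that CloudTrail writes, and evaluates describe_trails and get_trail_status output the way the audit should, treating a trail with a log group but no logging or a failed last delivery as failing too. The account ID, region, trail names and the delivery error string in the sample data are constructed; create_cloudtrail_logs_role expects a boto3 IAM client and is the only part that talks to AWS.

```python
"""Detection and role-policy helpers for the control "CloudTrail Events Should Be
Monitored By CloudWatch Logs". Added example, not code from the original page.
The account IDs, regions, trail names and error strings below are constructed."""
import json

# Trust policy: only the CloudTrail service may assume the delivery role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def _split_log_group_arn(log_group_arn):
    """Return (region, account, log_group_name) from a CloudWatch Logs log-group ARN,
    accepting both the bare form and the ':*' form returned by describe-log-groups.
    Log group names may contain '/', '.', '-', '_' and '#' but never ':'."""
    parts = log_group_arn.split(":", 6)
    if len(parts) != 7 or parts[2] != "logs" or parts[5] != "log-group":
        raise ValueError(f"not a log-group ARN: {log_group_arn}")
    name = parts[6][:-2] if parts[6].endswith(":*") else parts[6]
    return parts[3], parts[4], name


def cloudtrail_role_documents(log_group_arn):
    """Build the trust and permissions policies for the role CloudTrail assumes.
    CloudTrail writes to a stream named <account>_CloudTrail_<region> inside the
    group, so the grant is scoped to that stream pattern instead of logs:* on every
    log group. Assumption: a single-account trail, not an organization trail."""
    region, account, name = _split_log_group_arn(log_group_arn)
    stream = (f"arn:aws:logs:{region}:{account}:log-group:{name}"
              f":log-stream:{account}_CloudTrail_{region}*")
    permissions = {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "CloudTrailCreateLogStream", "Effect": "Allow",
             "Action": ["logs:CreateLogStream"], "Resource": [stream]},
            {"Sid": "CloudTrailPutLogEvents", "Effect": "Allow",
             "Action": ["logs:PutLogEvents"], "Resource": [stream]},
        ],
    }
    return TRUST_POLICY, permissions


def create_cloudtrail_logs_role(iam, role_name, log_group_arn):
    """Create the delivery role with a boto3 IAM client and return its ARN
    (the only function here that calls AWS; not exercised offline)."""
    trust, permissions = cloudtrail_role_documents(log_group_arn)
    role = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(trust))
    iam.put_role_policy(RoleName=role_name, PolicyName="CloudTrailToCloudWatchLogs",
                        PolicyDocument=json.dumps(permissions))
    return role["Role"]["Arn"]


def evaluate_trails(describe_trails_response, trail_statuses, region):
    """Map each trail homed in `region` to "PASS" or a "FAIL: ..." reason.

    describe_trails_response: output of cloudtrail.describe_trails()
    trail_statuses: {TrailARN: output of cloudtrail.get_trail_status(Name=TrailARN)}
    A configured log group alone is not enough: the trail must be logging and the
    last CloudWatch Logs delivery must not have failed (usually an IAM role problem),
    otherwise nothing actually reaches the log group."""
    results = {}
    for trail in describe_trails_response.get("trailList", []):
        if trail.get("HomeRegion") != region:
            continue  # shadow copy of a multi-region trail; evaluated from its home region
        name = trail["Name"]
        status = trail_statuses.get(trail["TrailARN"], {})
        if not trail.get("CloudWatchLogsLogGroupArn"):
            results[name] = "FAIL: no CloudWatch Logs log group configured"
        elif not status.get("IsLogging"):
            results[name] = "FAIL: trail is not logging"
        elif status.get("LatestCloudWatchLogsDeliveryError"):
            results[name] = "FAIL: delivery error: " + status["LatestCloudWatchLogsDeliveryError"]
        else:
            results[name] = "PASS"
    return results


# Constructed sample data shaped like describe_trails / get_trail_status responses.
SAMPLE_TRAILS = {"trailList": [
    {"Name": "management-events", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/management-events",
     "CloudWatchLogsLogGroupArn":
         "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/management-events:*"},
    {"Name": "legacy-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/legacy-trail"},
    {"Name": "eu-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": True,
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/eu-trail",
     "CloudWatchLogsLogGroupArn":
         "arn:aws:logs:eu-west-1:123456789012:log-group:CloudTrail/eu-trail:*"},
]}
SAMPLE_STATUS = {  # constructed: role policy broken on the first trail
    "arn:aws:cloudtrail:us-east-1:123456789012:trail/management-events":
        {"IsLogging": True, "LatestCloudWatchLogsDeliveryError": "AccessDeniedException"},
    "arn:aws:cloudtrail:us-east-1:123456789012:trail/legacy-trail": {"IsLogging": True},
}

if __name__ == "__main__":
    for trail_name, verdict in evaluate_trails(SAMPLE_TRAILS, SAMPLE_STATUS, "us-east-1").items():
        print(f"{trail_name}: {verdict}")
    _, perms = cloudtrail_role_documents(
        "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/legacy-trail:*")
    print(json.dumps(perms, indent=2))
```

Run as-is it prints the verdicts for the sample (the trail with a log group but an AccessDenied delivery error fails, the trail without a log group fails, the eu-west-1 trail is skipped because it is not homed in us-east-1) and the permissions policy for the legacy trail's group. In a real audit, feed it describe_trails() from each region and get_trail_status(Name=TrailARN) per trail; the role documents are the ones to attach before calling update_trail, so that the remediation does not produce a trail that passes the naive "log group ARN is set" check while delivering nothing.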