Cloudtrail integrated cloudwatch remediation

Using Console

Using CLI

To remediate the misconfiguration “CloudTrail Events Should Be Monitored By CloudWatch Logs” for AWS using AWS CLI, follow these steps:

Open the AWS CLI on your local machine or EC2 instance.
Run the following command to create a new CloudWatch Logs group:
```
aws logs create-log-group --log-group-name my-log-group-name
```
Replace my-log-group-name with the name you want to give to your CloudWatch Logs group.
Run the following command to create a new CloudWatch Logs stream:
```
aws logs create-log-stream --log-group-name my-log-group-name --log-stream-name my-log-stream-name
```
Replace my-log-group-name with the name of the CloudWatch Logs group you created in step 2, and replace my-log-stream-name with the name you want to give to your CloudWatch Logs stream.
Run the following command to enable CloudTrail log file validation:
```
aws cloudtrail update-trail --name my-trail-name --enable-log-file-validation
```
Replace my-trail-name with the name of the CloudTrail trail you want to enable log file validation for.
Run the following command to configure CloudTrail to send events to your CloudWatch Logs group:
```
aws cloudtrail update-trail --name my-trail-name --cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:123456789012:log-group:my-log-group-name --cloud-watch-logs-role-arn arn:aws:iam::123456789012:role/my-cloudtrail-role
```
Replace my-trail-name with the name of the CloudTrail trail you want to configure, replace arn:aws:logs:us-east-1:123456789012:log-group:my-log-group-name with the ARN of the CloudWatch Logs group you created in step 2, and replace arn:aws:iam::123456789012:role/my-cloudtrail-role with the ARN of the IAM role you want to use for CloudTrail. Note: You need to have the required permissions to create CloudWatch Logs group, stream and IAM role.
Verify that CloudTrail events are being sent to your CloudWatch Logs group by checking the logs in the CloudWatch Logs console. Congratulations! You have successfully remediated the misconfiguration “CloudTrail Events Should Be Monitored By CloudWatch Logs” for AWS using AWS CLI.

Using Python

To remediate this misconfiguration in AWS, you can use the following steps in Python:

Import the necessary modules:

import boto3

Create a CloudWatch Logs client:

cloudwatch_logs = boto3.client('logs')

Get a list of all the existing CloudTrail logs:

cloudtrail_logs = boto3.client('cloudtrail')
logs = cloudtrail_logs.describe_trails()

For each CloudTrail log, check if it is already being monitored by CloudWatch Logs:

for log in logs['trailList']:
    log_name = log['Name']
    response = cloudwatch_logs.describe_log_groups(logGroupNamePrefix=log_name)
    if not response['logGroups']:
        # Create a new log group for the CloudTrail log
        cloudwatch_logs.create_log_group(logGroupName=log_name)
    # Create a CloudWatch Logs subscription filter for the CloudTrail log
    cloudwatch_logs.put_subscription_filter(
        logGroupName=log_name,
        filterName='CloudTrailFilter',
        filterPattern='',
        destinationArn=''
    )

Replace the destinationArn parameter with the ARN of the CloudWatch Logs destination you want to use.
Save the Python script and run it to remediate the misconfiguration.

This script will create a new CloudWatch Logs log group for each CloudTrail log that is not already being monitored, and then create a CloudWatch Logs subscription filter for that log group. This will ensure that all CloudTrail events are monitored by CloudWatch Logs.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Cloudtrail integrated cloudwatch remediation

Triage and Remediation

Remediation