lacework-global-55
3.4 Integrate CloudTrail trails with CloudWatch Logs (Automated)
Profile Applicability
• Level 1
Description
AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for durable log file storage and delivery. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, configuring CloudTrail to send logs to CloudWatch Logs allows for real-time analysis. For a trail enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. Best practices recommend sending CloudTrail logs to CloudWatch Logs.
The intent of this recommendation is to capture, monitor and appropriately alarm on AWS account activity. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution.
Rationale
Sending CloudTrail logs to CloudWatch Logs will facilitate real-time and historic activity logging based on user, API, resource, and IP address, and provides opportunity to establish alarms and notifications for anomalous or sensitivity account activity.
Impact
By default, CloudWatch Logs will store Logs indefinitely unless a specific retention period is defined for the log group. When choosing the number of days to retain, keep in mind the average days it takes an organization to realize they have been breached is 210 days (at the time of this writing). Since additional time is required to research a breach, a minimum 365 day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html
Audit
Perform the following to ensure CloudTrail is configured as prescribed:
From Console
- Login to the CloudTrail console at
https://console.aws.amazon.com/cloudtrail/ - Under
Trails, click on the CloudTrail you wish to evaluate - Under the
CloudWatch Logssection. - Ensure a
CloudWatch Logslog group is configured and listed. - Under
General detailsconfirmLast log file deliveredhas a recent (~one day old) timestamp.
From Command Line
- Run the following command to get a listing of existing trails:
aws cloudtrail describe-trails
- Ensure
CloudWatchLogsLogGroupArnis not empty and note the value of theNameproperty. - Using the noted value of the
Nameproperty, run the following command:
aws cloudtrail get-trail-status --name <trail_name>
- Ensure the
LatestcloudwatchLogdDeliveryTimeproperty is set to a recent (~one day old) timestamp.
If the CloudWatch Logs log group is not setup and the delivery time is not recent refer to the remediation below.
Remediation
Perform the following to establish the prescribed state:
From Console
- Login to the CloudTrail console at
https://console.aws.amazon.com/cloudtrail/. - Select the
Trailto update. - Scroll down to
CloudWatch Logs. - Click
Edit. - Under
CloudWatch Logsclick the boxEnabled. - Under
Log Grouppick new or select an existing log group. - Edit the
Log group nameto match the CloudTrail or pick the existing CloudWatch Group. - Under
Identity and Access Management (IAM) Rolepick new or select an existing. - Edit the
Role nameto match the CloudTrail or pick the existing IAM Role. - Click
Save changes.
From Command Line
aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-group-arn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>
References
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html