AWS Cloudtrail
      Back to home
      1. Knowledge Base
      2. AWS Knowledge Base
      3. AWS Cloudtrail

      CloudTrail CloudWatch Integration Disabled

      This plugin ensures that CloudTrail logs are delivered to CloudWatch in a timely manner

      Risk Level: MEDIUM

      Description:

      This plugin ensures that CloudTrail logs are delivered to CloudWatch in a timely manner. Sending CloudTrail logs to CloudWatch allows for easy interaction with AWS CloudWatch alerts as well as additional backup log storage.


      Recommended Action: Enable CloudTrail CloudWatch integration for all regions.

      About the Service :

      AWS CloudTrail is an AWS service that allows you to manage your AWS account's governance, compliance, operational, and risk auditing. In CloudTrail, actions done by a user, role, or AWS service are recorded as events. Actions made in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs are all considered events.

      Impact: 

      You won't be able to manage your AWS infrastructure efficiently without the CloudTrail - CloudWatch combination. For example, you won't get an SNS notification if your AWS account's authorization fails, thus you won't have as much control over account user access.

      Steps to reproduce :

      1. Sign in to your AWS management console.
      2. Navigate to the CloudTrail dashboard at: https://console.aws.amazon.com/cloudtrail/
      3. On the left panel, select Trails.
      4. Click on the trail you want to examine.
      5. Check the CloudWatch Logs section.
      6. If there aren't any CloudWatch Logs log groups defined, you must create one in order to enable CloudTrail integration with CloudWatch.

      Steps for remediation :

      Create a custom log group for the selected CloudTrail trail in order to enable AWS CloudWatch monitoring.

      1. Sign in to your AWS management console.
      2. Navigate to the CloudTrail dashboard at: https://console.aws.amazon.com/cloudtrail/
      3. On the left panel, select Trails.
      4. Click on the trail you want to examine.
      5. Check the CloudWatch Logs section and click Edit.
      6. For the CloudWatch logs option click on the Enable checkbox to select it.
      7. In the New or existing log group field, enter a name for a new or existing CloudWatch log group and click Continue.
      8. Do the same for the IAM role as we did for log groups in sub-step 7.
      9. Click on Save changes.

      Create a Simple Notification Service (SNS) topic in order to send notifications whenever the CloudWatch alarm will fire based on a selected CloudTrail log event.
      1. Sign in to your AWS management console.
      2. Navigate to the SNS dashboard at: https://console.aws.amazon.com/sns/v2/
      3. Select Topics from the left navigation panel and click the Create new subject button.
      4. In the Create new topic dialog box, enter a name and a display name (optional) for the topic and click Create Topic.
      5. Select the newly created SNS topic by clicking on its ARN name.
      6. Under the Subscription section, click Create Subscription.
      7. From the Protocol selection list, choose a subscription protocol.
      8. Click and enter the email address where you'd want to receive CloudWatch alarm notifications. Make a Subscription.
      9. Open the message from AWS Notifications in your email client application, then click the appropriate link to confirm your membership.

      Create AWS CloudWatch metric filters, metrics, and alarms to receive SNS notifications and take immediate action.


      References: