CloudTrail Integrated With CloudWatch

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CT-009

Ensure that the CloudWatch Logs service is configured to monitor Amazon CloudTrail trail logs and to notify you when specific activity occurs. This enables you to respond quickly to critical events captured by Amazon CloudTrail and detected by CloudWatch Logs.

This rule can help you with the following compliance standards:

  • CISAWSF
  • PCI
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

With CloudTrail – CloudWatch integration enabled, you will be able to better manage your AWS cloud infrastructure. For example, you can receive an SNS notification whenever an authorization failure occurs in your AWS account, which gives you finer control over user access to your cloud account.


Audit

To determine if CloudTrail – CloudWatch integration is enabled, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel, under CloudTrail, choose Trails.

04 Click on the name (link) of the Amazon CloudTrail trail that you want to examine.

05 In the CloudWatch Logs section, check the Log group attribute value. If the Log group attribute is not listed in the CloudWatch Logs section and the message "CloudWatch Logs is not configured for this trail" is displayed, the selected Amazon CloudTrail trail is not configured to send events to CloudWatch Logs for monitoring purposes.

06 Repeat steps no. 4 and 5 for each Amazon CloudTrail trail created for your AWS cloud account.

Using AWS CLI

01 Run list-trails command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon CloudTrail trails created for your AWS cloud account:

aws cloudtrail list-trails \
  --region us-east-1 \
  --query 'Trails[*].Name'

02 The command output should return an array with the requested CloudTrail trail names:

[
    "cc-project5-api-trail",
    "cc-data-events-trail"
]

03 Run describe-trails command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to examine as the identifier parameter and custom query filters to describe the Amazon Resource Name (ARN) of the CloudWatch Logs log group associated with the selected trail:

aws cloudtrail describe-trails \
  --region us-east-1 \
  --trail-name-list cc-project5-api-trail \
  --query 'trailList[*].CloudWatchLogsLogGroupArn'

04 The command output should return the requested log group ARN:

[]

If the describe-trails command output returns an empty array (i.e. []), as shown in the example above, the selected Amazon CloudTrail trail is not configured to send events to CloudWatch Logs for monitoring purposes.

05 Repeat steps no. 3 and 4 for each Amazon CloudTrail trail available within your AWS cloud account.
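
The per-trail check in steps 3 – 5 can be applied to every trail at once. The following is an added example, not part of the original Conformity rule: it evaluates the JSON that describe-trails returns and goes one step further than the audit above by also reading get-trail-status, so a trail whose integration is configured but whose delivery is failing is reported too. The sample data is constructed, and the trail name cc-broken-delivery-trail and the error text are hypothetical.

```python
import json

# Constructed sample of `aws cloudtrail describe-trails` output (not real account data).
# "cc-broken-delivery-trail" is a hypothetical trail name added for illustration.
DESCRIBE_TRAILS = json.loads("""
{"trailList": [
  {"Name": "cc-project5-api-trail"},
  {"Name": "cc-data-events-trail",
   "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:cc-trail-log-group:*",
   "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/service-role/cc-cloudwatch-logs-role"},
  {"Name": "cc-broken-delivery-trail",
   "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:cc-trail-log-group:*",
   "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/service-role/cc-cloudwatch-logs-role"}
]}
""")

# Constructed `aws cloudtrail get-trail-status` outputs, keyed by trail name.
TRAIL_STATUS = {
    "cc-data-events-trail": {"IsLogging": True,
                             "LatestCloudWatchLogsDeliveryTime": 1626258000.0},
    "cc-broken-delivery-trail": {"IsLogging": True,
                                 "LatestCloudWatchLogsDeliveryError": "AccessDenied (constructed)"},
}

def audit_trails(describe_output, status_by_trail):
    """Map each failing trail name to the reason it fails the check."""
    findings = {}
    for trail in describe_output.get("trailList", []):
        name = trail.get("Name", "<unnamed>")
        status = status_by_trail.get(name, {})
        if not trail.get("CloudWatchLogsLogGroupArn"):
            # Same condition as the empty array in step 04 of the audit.
            findings[name] = "not integrated: no CloudWatch Logs log group"
        elif not trail.get("CloudWatchLogsRoleArn"):
            findings[name] = "misconfigured: log group set without delivery role"
        elif status.get("LatestCloudWatchLogsDeliveryError"):
            findings[name] = "delivery error: " + status["LatestCloudWatchLogsDeliveryError"]
        elif "LatestCloudWatchLogsDeliveryTime" not in status:
            findings[name] = "integrated, but no delivery recorded yet"
    return findings

if __name__ == "__main__":
    for name, reason in audit_trails(DESCRIBE_TRAILS, TRAIL_STATUS).items():
        print(f"{name}: {reason}")
```
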

Remediation / Resolution

To enable the CloudTrail – CloudWatch integration for your existing Amazon CloudTrail trails, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Enable Amazon CloudTrail – CloudWatch Integration",
    "Parameters": {
        "TrailName": {
            "Type": "String"
        },
        "BucketName": {
            "Type": "String"
        },
        "S3BucketKeyPrefix": {
            "Type": "String"
        }
    },
    "Resources": {
        "Trail": {
            "Type": "AWS::CloudTrail::Trail",
            "Properties": {
                "TrailName": {
                    "Ref": "TrailName"
                },
                "S3BucketName": {
                    "Ref": "BucketName"
                },
                "S3KeyPrefix": {
                    "Ref": "S3BucketKeyPrefix"
                },
                "IsLogging": true,
                "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:cc-trail-log-group:*",
                "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/service-role/cc-cloudwatch-logs-role"
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: "Enable Amazon CloudTrail CloudWatch Integration"
Parameters:
  TrailName:
    Type: String
  BucketName:
    Type: String
  S3BucketKeyPrefix:
    Type: String
Resources:
  Trail:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: !Ref 'TrailName'
      S3BucketName: !Ref 'BucketName'
      S3KeyPrefix: !Ref 'S3BucketKeyPrefix'
      IsLogging: true
      CloudWatchLogsLogGroupArn: arn:aws:logs:us-east-1:123456789012:log-group:cc-trail-log-group:*
      CloudWatchLogsRoleArn: arn:aws:iam::123456789012:role/service-role/cc-cloudwatch-logs-role

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

data "aws_caller_identity" "current-account" {}

resource "aws_s3_bucket" "trail-s3-bucket" {

  bucket        = "cc-main-cloudtrail-bucket"
  force_destroy = true
  policy = <<POLICY
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "AWSCloudTrailAclCheck",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:GetBucketAcl",
              "Resource": "arn:aws:s3:::cc-main-cloudtrail-bucket"
          },
          {
              "Sid": "AWSCloudTrailWrite",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:PutObject",
              "Resource": "arn:aws:s3:::cc-main-cloudtrail-bucket/cc-trail-logs/AWSLogs/${data.aws_caller_identity.current-account.account_id}/*",
              "Condition": {
                  "StringEquals": {
                      "s3:x-amz-acl": "bucket-owner-full-control"
                  }
              }
          }
      ]
  }
  POLICY

}

resource "aws_cloudwatch_log_group" "trail-log-group" {
  name = "cc-trail-log-group"
}


resource "aws_cloudtrail" "cloudtrail-trail" {

  name                          = "cc-main-cloud-trail"
  s3_bucket_name                = aws_s3_bucket.trail-s3-bucket.id
  s3_key_prefix                 = "cc-trail-logs"
  enable_logging                = true

  # Enable Amazon CloudTrail – CloudWatch Integration
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.trail-log-group.arn}:*"
  cloud_watch_logs_role_arn  = "arn:aws:iam::123456789012:role/service-role/cc-cloudwatch-logs-role"

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel, under CloudTrail, choose Trails.

04 Click on the name (link) of the Amazon CloudTrail trail that you want to reconfigure.

05 In the CloudWatch Logs section choose Edit to change the configuration settings available for the selected trail.

06 On the Edit trail configuration page, in the CloudWatch Logs – optional section, perform the following actions:

  1. Select Enabled under CloudWatch Logs to enable the CloudTrail – CloudWatch integration for the selected trail.
  2. Choose New under Log group to create a new CloudWatch Logs log group and associate it with the selected trail. Provide a unique name for the new log group in the Log group name box.
  3. Choose New under IAM Role to create a new IAM role. Amazon CloudTrail will assume this role to send CloudTrail events to your newly created CloudWatch Logs log group. The IAM role policy has the required permissions to create a log stream within your CloudWatch Logs log group, and to deliver CloudTrail events to that log stream. Provide a unique name for the IAM role in the Role name box.
  4. Choose Save changes to apply the changes.

07 Repeat steps no. 4 – 6 for each Amazon CloudTrail trail that you want to reconfigure, available within your AWS cloud account.

Using AWS CLI

01 Run create-log-group command (OSX/Linux/UNIX) to create the CloudWatch Logs log group that Amazon CloudTrail service will use as a delivery endpoint for log events (the create-log-group command does not produce an output):

aws logs create-log-group \
  --region us-east-1 \
  --log-group-name cc-project5-trail-log-group

02 Run describe-log-groups command (OSX/Linux/UNIX) to describe the Amazon Resource Name (ARN) of the CloudWatch Logs log group created at the previous step:

aws logs describe-log-groups \
  --region us-east-1 \
  --log-group-name-prefix cc-project5-trail-log-group \
  --query 'logGroups[*].arn'

03 The command output should return the requested log group ARN:

[
    "arn:aws:logs:us-east-1:123456789012:log-group:cc-project5-trail-log-group:*"
]

04 Define the trust relationship policy for the required IAM role. Paste the following policy document to a JSON file named cc-iam-role-trust-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

05 Run create-role command (OSX/Linux/UNIX) to create the IAM role that Amazon CloudTrail will assume in order to send CloudTrail events to your new CloudWatch Logs log group, using the trust relationship policy defined at the previous step:

aws iam create-role \
  --role-name cc-project5-trail-iam-role \
  --assume-role-policy-document file://cc-iam-role-trust-policy.json

06 The command output should return the metadata available for the new IAM role (including the role ARN):

{
  "Role": {
      "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": "cloudtrail.amazonaws.com"
                  }
              }
          ]
      },
      "RoleId": "AAAABBBBCCCCDDDDEEEE",
      "CreateDate": "2021-07-14T10:20:00Z",
      "RoleName": "cc-project5-trail-iam-role",
      "Path": "/",
      "Arn": "arn:aws:iam::123456789012:role/cc-project5-trail-iam-role"
  }
}

07 Create the required IAM role policy. This IAM policy defines the permissions to create a log stream within your new CloudWatch Logs log group, and to deliver CloudTrail events to that log stream. Replace the highlighted details with your own configuration details and save the following document to a JSON file named cc-cloudtrail-iam-role-policy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailCreateLogStream",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream"
            ],
            "Resource": [
                "arn:aws:logs:<aws-region>:<aws-account-id>:log-group:<log-group-name>:log-stream:<aws-account-id>_CloudTrail_<aws-region>*"
            ]
        },
        {
            "Sid": "AWSCloudTrailPutLogEvents",
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:<aws-region>:<aws-account-id>:log-group:<log-group-name>:log-stream:<aws-account-id>_CloudTrail_<aws-region>*"
            ]
        }
    ]
}

08 Run put-role-policy command (OSX/Linux/UNIX) to apply the policy document defined at the previous step (i.e. cc-cloudtrail-iam-role-policy.json) to your new IAM role:

aws iam put-role-policy \
  --role-name cc-project5-trail-iam-role \
  --policy-name cc-project5-trail-iam-policy \
  --policy-document file://cc-cloudtrail-iam-role-policy.json

09 Run update-trail command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to reconfigure as the identifier parameter, to enable the CloudTrail – CloudWatch integration for the selected trail. Specify the ARN of the log group to which log events will be delivered and the ARN of the IAM role that Amazon CloudTrail will assume to send CloudTrail events to the required log group:

aws cloudtrail update-trail \
  --region us-east-1 \
  --name cc-project5-api-trail \
  --cloud-watch-logs-log-group-arn "arn:aws:logs:us-east-1:123456789012:log-group:cc-project5-trail-log-group:*" \
  --cloud-watch-logs-role-arn "arn:aws:iam::123456789012:role/cc-project5-trail-iam-role"

10 The command output should return the metadata available for the reconfigured trail:

{
    "IncludeGlobalServiceEvents": true,
    "IsOrganizationTrail": false,
    "Name": "cc-project5-api-trail",
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-project5-api-trail",
    "LogFileValidationEnabled": false,
    "IsMultiRegionTrail": true,
    "S3BucketName": "cc-project5-cloudtrail-logs",
    "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/cc-project5-trail-iam-role",
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:cc-project5-trail-log-group:*"
}

11 Repeat steps no. 1 – 10 for each Amazon CloudTrail trail that you want to reconfigure, available in your AWS cloud account.
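
The placeholders in the step 07 policy are easy to fill in incorrectly by hand. The following is an added example, not part of the original Conformity rule: it derives the log-stream resource from the log group ARN returned in step 03, builds the two-statement policy, and flags statements in an existing delivery-role policy that grant more than that scope. The function names are hypothetical, and the ARN pattern assumes the log group ARN form shown on this page.

```python
import re

# Log group ARN as returned by describe-log-groups; the trailing ":*" is optional.
LOG_GROUP_ARN = re.compile(
    r"^arn:(aws[a-z-]*):logs:([a-z0-9-]+):(\d{12}):log-group:([\w./#-]+)(?::\*)?$"
)

def stream_resource(log_group_arn):
    """Derive the log-stream resource pattern used in step 07 from a log group ARN."""
    m = LOG_GROUP_ARN.match(log_group_arn)
    if not m:
        raise ValueError(f"not a CloudWatch Logs log group ARN: {log_group_arn!r}")
    partition, region, account, group = m.groups()
    return (f"arn:{partition}:logs:{region}:{account}:log-group:{group}"
            f":log-stream:{account}_CloudTrail_{region}*")

def build_role_policy(log_group_arn):
    """Build the two-statement policy from step 07 with the placeholders filled in."""
    resource = stream_resource(log_group_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailCreateLogStream", "Effect": "Allow",
             "Action": ["logs:CreateLogStream"], "Resource": [resource]},
            {"Sid": "AWSCloudTrailPutLogEvents", "Effect": "Allow",
             "Action": ["logs:PutLogEvents"], "Resource": [resource]},
        ],
    }

def overbroad_statements(policy, log_group_arn):
    """Return the Sids of Allow statements granting more than the step 07 scope."""
    expected = stream_resource(log_group_arn)
    allowed_actions = {"logs:CreateLogStream", "logs:PutLogEvents"}
    flagged = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        # IAM allows a bare string in place of a one-element list.
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if set(actions) - allowed_actions or any(r != expected for r in resources):
            flagged.append(stmt.get("Sid", f"statement-{i}"))
    return flagged
```

Serialize the result of build_role_policy with json.dumps to produce cc-cloudtrail-iam-role-policy.json for step 08.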


Publication date Apr 8, 2016
