Ensure CloudTrail and CloudWatch logs are integrated

Error: CloudTrail and CloudWatch logs are not integrated

Bridgecrew Policy ID: BC_AWS_LOGGING_4
Severity: HIGH

CloudTrail and CloudWatch logs are not integrated

Description

AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes: the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

CloudTrail uses Amazon S3 for log file storage and delivery, resulting in durably stored log files. In addition to capturing CloudTrail logs within a specified S3 bucket for long-term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail enabled in all regions of an account, CloudTrail sends log files from all those regions to a single CloudWatch Logs log group.

We recommend that CloudTrail logs be sent to CloudWatch Logs. Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address. It also provides the opportunity to establish alarms and notifications for anomalous or sensitive account activity.

Note

The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed. CloudWatch Logs is a native way to accomplish this using AWS services, but does not preclude the use of an alternate solution.

Fix - Runtime

AWS Console

To establish the prescribed state using the AWS Management Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon CloudTrail console.
  3. Navigate to All Buckets, select the target bucket you wish to evaluate.
  4. At the top right of the console, click Properties.
  5. In the left menu, click Trails.
  6. Select each trail where no CloudWatch Logs log group is defined, navigate to the CloudWatch Logs section, and select Configure.
  7. Define a new log group or select an existing one.
  8. Click Continue.
  9. Configure the IAM Role to deliver CloudTrail events to CloudWatch Logs.
  10. Create/Select an IAM Role and Policy Name.
  11. To continue, click Allow.

CLI Command

To configure the trail from the CLI, use the following command (supply the trail name, the ARN of the CloudWatch Logs log group, and the ARN of the IAM role CloudTrail will assume to write to it):

aws cloudtrail update-trail \
  --name <trail_name> \
  --cloudwatch-logs-log-group-arn <cloudtrail_log_group_arn> \
  --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>
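To audit an account for this finding before applying the fix, the following is an added Python example (not part of the Bridgecrew page or the AWS CLI) that evaluates the JSON returned by `aws cloudtrail describe-trails` and builds the `update-trail` command above for each failing trail. The sample response and the account, role and log group ARNs in it are constructed placeholders.

```python
"""Audit CloudTrail trails for CloudWatch Logs integration (BC_AWS_LOGGING_4).

Input is the document returned by `aws cloudtrail describe-trails` (or
boto3 describe_trails()): a "trailList" whose entries carry
CloudWatchLogsLogGroupArn and CloudWatchLogsRoleArn only when configured.
"""
import json
import shlex

# Constructed sample response; account id, role and log group ARNs are placeholders.
SAMPLE_DESCRIBE_TRAILS = json.loads("""
{
  "trailList": [
    {"Name": "org-trail", "IsMultiRegionTrail": true,
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/Default:*",
     "CloudWatchLogsRoleArn": "arn:aws:iam::111122223333:role/CloudTrail_CloudWatchLogs_Role"},
    {"Name": "legacy-trail", "IsMultiRegionTrail": false},
    {"Name": "half-configured", "IsMultiRegionTrail": true,
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/Legacy:*"}
  ]
}
""")


def find_unintegrated_trails(describe_trails_response):
    """Return the names of trails that fail the policy.

    A trail passes only when BOTH ARNs are set: a log group without a
    delivery role means CloudTrail has nothing it can assume to write events.
    """
    failing = []
    for trail in describe_trails_response.get("trailList", []):
        has_group = bool(trail.get("CloudWatchLogsLogGroupArn"))
        has_role = bool(trail.get("CloudWatchLogsRoleArn"))
        if not (has_group and has_role):
            failing.append(trail["Name"])
    return failing


def remediation_argv(trail_name, log_group_arn, role_arn):
    """Build the update-trail command from the fix section as an argv list."""
    return ["aws", "cloudtrail", "update-trail",
            "--name", trail_name,
            "--cloudwatch-logs-log-group-arn", log_group_arn,
            "--cloudwatch-logs-role-arn", role_arn]


if __name__ == "__main__":
    for name in find_unintegrated_trails(SAMPLE_DESCRIBE_TRAILS):
        # Placeholders from the page; substitute the real ARNs before running.
        print(shlex.join(remediation_argv(name, "<cloudtrail_log_group_arn>",
                                          "<cloudtrail_cloudwatchLogs_role_arn>")))
```

Pipe live output into it with `aws cloudtrail describe-trails` and `json.load` on stdin; the check flags trails that have a log group but no role, which the console flow in steps 9 through 11 would otherwise leave half-configured.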