Does being compliant with cis-aws-foundations-benchmark-1.2.0/CloudWatch.4 in an organisation, with an organisation cloudtrail, require a 2nd trail to be compliant?

1

In my environment I have an AWS Organisation. For that organisation I have created a CloudTrail.

What I have been told is that to be compliant with the subject CIS standard I need to have another account-level CloudTrail. The reasoning is that metric filters only exist for an organisation trail at the account where they are created. Therefore, to be compliant with the CIS standards and for robustness, I would need to create another account trail, where I would be able to create metric filters that achieve the standard.

Can someone please confirm this or elaborate as to why this is incorrect?

2 Answers
5

Yes, you are correct. You can use Security Hub to run checks on those mandatory guardrails and configurations in order to meet the compliance requirements.

The two in particular that you are referencing are:

  1. [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events
  2. [CloudTrail.3] CloudTrail should be enabled

You can verify the requirements here: AWS CloudTrail controls

[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events

Related requirements: CIS AWS Foundations Benchmark v1.2.0/2.1, CIS AWS Foundations Benchmark v1.4.0/3.1, NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-14(1), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), NIST.800-53.r5 SA-8(22)

Category: Identify > Logging

Severity: High

Resource type: AWS::::Account

AWS Config rule: multi-region-cloudtrail-enabled

Schedule type: Periodic

Parameters:

  • readWriteType: ALL

This control checks that there is at least one multi-Region CloudTrail trail. It also checks that the ExcludeManagementEventSources parameter is empty for at least one of those trails.

AWS CloudTrail records AWS API calls for your account and delivers log files to you. The recorded information includes the following information.

  • Identity of the API caller

  • Time of the API call

  • Source IP address of the API caller

  • Request parameters

  • Response elements returned by the AWS service

CloudTrail provides a history of AWS API calls for an account, including API calls made from the AWS Management Console, AWS SDKs, and command line tools. The history also includes API calls from higher-level AWS services such as AWS CloudFormation.

The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Multi-Region trails also provide the following benefits.

  • A multi-Region trail helps to detect unexpected activity occurring in otherwise unused Regions.

  • A multi-Region trail ensures that global service event logging is enabled for a trail by default. Global service event logging records events generated by AWS global services.

  • For a multi-Region trail, management events for all read and write operations ensure that CloudTrail records management operations on all resources in an AWS account.

By default, CloudTrail trails that are created using the AWS Management Console are multi-Region trails.

Note

This control is not supported in Middle East (UAE).

Remediation

To create a new multi-Region trail in CloudTrail, see Creating a trail in the AWS CloudTrail User Guide. Use the following values:

  Field                                              | Value
  ---------------------------------------------------|---------------
  Additional settings, Log file validation           | Enabled
  Choose log events, Management events, API activity | Read and Write

To update an existing trail, see Updating a trail in the AWS CloudTrail User Guide. In Management events, for API activity, choose Read and Write.

[CloudTrail.3] CloudTrail should be enabled

Related requirements: PCI DSS v3.2.1/10.1, PCI DSS v3.2.1/10.2.1, PCI DSS v3.2.1/10.2.2, PCI DSS v3.2.1/10.2.3, PCI DSS v3.2.1/10.2.4, PCI DSS v3.2.1/10.2.5, PCI DSS v3.2.1/10.2.6, PCI DSS v3.2.1/10.2.7, PCI DSS v3.2.1/10.3.1, PCI DSS v3.2.1/10.3.2, PCI DSS v3.2.1/10.3.3, PCI DSS v3.2.1/10.3.4, PCI DSS v3.2.1/10.3.5, PCI DSS v3.2.1/10.3.6

Category: Identify > Logging

Severity: High

Resource type: AWS::::Account

AWS Config rule: cloudtrail-enabled

Schedule type: Periodic

Parameters: None

This control checks whether CloudTrail is enabled in your AWS account. The control fails if your account doesn't have at least one CloudTrail trail.

However, some AWS services do not enable logging of all APIs and events. You should implement any additional audit trails other than CloudTrail and review the documentation for each service in CloudTrail Supported Services and Integrations.

Remediation

To get started with CloudTrail and create a trail, see the Getting started with AWS CloudTrail tutorial in the AWS CloudTrail User Guide.

AWS
abemusa
answered a year ago
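The two conditions discussed above (the CloudTrail.1 / CloudTrail.3 checks quoted in the answer, and the question's point that metric filters can only be attached to a CloudWatch Logs group in the account that owns it) can be evaluated together from the CloudTrail API responses. The following is an added example written for this thread, not AWS's or Security Hub's own implementation: the dict shapes follow boto3's `describe_trails` and `get_event_selectors` responses, the "log group in this account" test is my own heuristic (compare the account ID in `CloudWatchLogsLogGroupArn` with the evaluated account), and the two sample trails and account IDs are constructed for illustration.

```python
"""Evaluate trails the way the checks behind Security Hub CloudTrail.1 / CloudTrail.3 do,
plus whether any trail's CloudWatch Logs group lives in this account (a prerequisite for
the CIS CloudWatch.x metric-filter controls). Added example; dict shapes follow boto3's
describe_trails / get_event_selectors responses; sample data below is constructed.
"""
from dataclasses import dataclass


@dataclass
class TrailFinding:
    name: str
    multi_region: bool
    mgmt_read_write_all: bool
    no_excluded_mgmt_sources: bool
    log_file_validation: bool
    logs_group_in_this_account: bool  # heuristic: log group ARN account == evaluated account

    def meets_cloudtrail_1(self) -> bool:
        """CloudTrail.1: multi-Region, read+write management events, no excluded sources."""
        return self.multi_region and self.mgmt_read_write_all and self.no_excluded_mgmt_sources

    def can_back_metric_filters(self) -> bool:
        """A metric filter can only be created on a log group in the same account."""
        return self.meets_cloudtrail_1() and self.logs_group_in_this_account


def _management_coverage(selectors: dict) -> tuple[bool, bool]:
    """Return (management read+write events included, no event sources excluded)."""
    for sel in selectors.get("EventSelectors", []):  # classic event selectors
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All":
            return True, not sel.get("ExcludeManagementEventSources")
    for sel in selectors.get("AdvancedEventSelectors", []):  # advanced event selectors
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if fields.get("eventCategory", {}).get("Equals") != ["Management"]:
            continue
        if "readOnly" in fields:  # a readOnly field selector restricts to one side only
            continue
        excluded = bool(fields.get("eventSource", {}).get("NotEquals"))
        return True, not excluded
    return False, False


def evaluate_trail(trail: dict, selectors: dict, account_id: str) -> TrailFinding:
    rw_all, no_excluded = _management_coverage(selectors)
    # arn:aws:logs:<region>:<account>:log-group:<name>:*  -> account ID is field 4
    parts = trail.get("CloudWatchLogsLogGroupArn", "").split(":")
    return TrailFinding(
        name=trail["Name"],
        multi_region=bool(trail.get("IsMultiRegionTrail")),
        mgmt_read_write_all=rw_all,
        no_excluded_mgmt_sources=no_excluded,
        log_file_validation=bool(trail.get("LogFileValidationEnabled")),
        logs_group_in_this_account=len(parts) > 4 and parts[4] == account_id,
    )


def account_status(findings: list[TrailFinding]) -> dict:
    return {
        "CloudTrail.3": len(findings) > 0,
        "CloudTrail.1": any(f.meets_cloudtrail_1() for f in findings),
        "metric_filters_possible": any(f.can_back_metric_filters() for f in findings),
    }


def fetch_findings(region: str = "us-east-1") -> list[TrailFinding]:
    """Live variant: needs boto3 and credentials; not exercised by the sample run."""
    import boto3
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    ct = boto3.client("cloudtrail", region_name=region)
    return [evaluate_trail(t, ct.get_event_selectors(TrailName=t["TrailARN"]), account_id)
            for t in ct.describe_trails(includeShadowTrails=True)["trailList"]]


# Constructed sample: member account 222222222222 sees the organisation trail, whose
# CloudWatch Logs group lives in the management account 111111111111.
MEMBER_ACCOUNT = "222222222222"
ORG_TRAIL = {"Name": "org-trail", "IsMultiRegionTrail": True, "IsOrganizationTrail": True,
             "LogFileValidationEnabled": True,
             "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:org-trail:*"}
ORG_SELECTORS = {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                                     "ExcludeManagementEventSources": []}]}
LOCAL_TRAIL = {"Name": "account-trail", "IsMultiRegionTrail": True, "IsOrganizationTrail": False,
               "LogFileValidationEnabled": True,
               "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:222222222222:log-group:account-trail:*"}
LOCAL_SELECTORS = {"AdvancedEventSelectors": [{"Name": "mgmt", "FieldSelectors": [
    {"Field": "eventCategory", "Equals": ["Management"]}]}]}


def demo() -> tuple[dict, dict]:
    org_only = account_status([evaluate_trail(ORG_TRAIL, ORG_SELECTORS, MEMBER_ACCOUNT)])
    with_local = account_status([evaluate_trail(ORG_TRAIL, ORG_SELECTORS, MEMBER_ACCOUNT),
                                 evaluate_trail(LOCAL_TRAIL, LOCAL_SELECTORS, MEMBER_ACCOUNT)])
    return org_only, with_local


if __name__ == "__main__":
    for label, status in zip(("org trail only", "org + account trail"), demo()):
        print(label, status)
```

In the sample run the organisation trail alone already satisfies CloudTrail.1 and CloudTrail.3 in the member account, but `metric_filters_possible` stays false there because the log group is owned by the management account; adding the account-level trail with its own log group flips it to true, which is the gap the question describes.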
1

I agree with the feedback that has been provided. A Landing Zone or AWS Organizations construct with CloudTrail configured in the Management Account consolidates CloudTrail Management Events, Data Events, and Insights events. The destination is the highly durable and resilient S3 bucket for the trails. CloudTrail behaves regionally and globally in the AWS partition (US-EAST-1). The best practice is to create a "trail" that applies to all Regions in the AWS partition you are working in. AWS Organizations or Landing Zone can also work with CloudWatch Events to raise events when administrator-specified actions occur in an organization. This is the default setting when you create a trail in the CloudTrail console. CloudTrail Management events were covered above. Additionally, CloudTrail data events, or data plane operations, show resource operations performed on a resource in an AWS account. These operations are often high-volume activities. CloudTrail Insights analyzes your normal patterns of API call volume and API error rates as a baseline, and generates Insights events when API calls are made at volumes or error rates that are outside normal patterns.

There is AWS Artifact, which is a central resource for compliance-related information for Organizational Compliance. From AWS Artifact Reports you can download AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC). As stated, compliance with cis-aws-foundations-benchmark-1.2.0 is an AWS Independent Software Vendor (ISV) partner. AWS is a Security Benchmarks Member company that includes guidelines for secure configurations for, e.g., a subset of AWS cloud services. It also provides on-demand access to security as well as sells products on AWS Marketplace.

answered a year ago
