CloudTrail trails should have CloudWatch log integration enabled

Description

It is recommended that users configure CloudTrail to send log events to CloudWatch Logs. Users can then create CloudWatch Logs metric filters to search for specific terms such as a user or resource, or create CloudWatch alarms to trigger based on thresholds or anomalous activity.

Remediation Steps

AWS Console

  • Navigate to CloudTrail.

  • Click the trail name.

  • Navigate to the CloudWatch Logs section, and click Edit.

  • Select the Enabled box for CloudWatch Logs.

  • For the log group, select an existing log group or create a new one, and enter the log group name.

  • For the IAM role, select an existing role or create a new one, and enter the role name.

  • Click Save changes.

AWS CLI

  • Enable CloudWatch Logs integration for CloudTrail:

    • aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-group-arn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>

CloudFormation

JSON

{
  "Properties": {
    "CloudWatchLogsLogGroupArn": {
      "Fn::ImportValue": "TrailLogGroupTestArn"
    }
  }
}

JSON Example Configuration

{
  "Type": "AWS::CloudTrail::Trail",
  "Properties": {
    "CloudWatchLogsLogGroupArn": {
      "Fn::ImportValue": "TrailLogGroupTestArn"
    }
  }
  # other required fields here
}

YAML

Properties:
  CloudWatchLogsLogGroupArn:
    Fn::ImportValue: "TrailLogGroupTestArn"

YAML Example Configuration

Type: AWS::CloudTrail::Trail
Properties:
  CloudWatchLogsLogGroupArn:
    Fn::ImportValue: "TrailLogGroupTestArn"
# other required fields here

Terraform

Example Configuration

resource "aws_cloudtrail" "example" {
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.example.arn}:*"
  # other required fields here
}
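Added example, not part of the original page: a Python audit that applies this check to the dictionaries returned by CloudTrail's describe_trails and get_trail_status APIs, flagging trails with no log group or IAM role and trails that are configured but have stopped delivering. The fetch_trails helper name and all sample ARNs are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# A trail can carry a log group ARN yet have stopped delivering (for example
# after its IAM role lost permissions), so delivery recency is checked too.
MAX_DELIVERY_AGE = timedelta(hours=24)

def evaluate_trail(trail, status, now):
    """Findings for one (describe_trails entry, get_trail_status response)."""
    findings = []
    group_arn = trail.get("CloudWatchLogsLogGroupArn")
    role_arn = trail.get("CloudWatchLogsRoleArn")
    if not group_arn:
        findings.append("no CloudWatch Logs log group configured")
    if not role_arn:
        findings.append("no CloudWatch Logs IAM role configured")
    if group_arn and role_arn:
        last = status.get("LatestCloudWatchLogsDeliveryTime")
        if last is None:
            findings.append("never delivered to CloudWatch Logs")
        elif now - last > MAX_DELIVERY_AGE:
            findings.append("last CloudWatch Logs delivery older than 24h")
        if status.get("LatestCloudWatchLogsDeliveryError"):
            findings.append("delivery error: " + status["LatestCloudWatchLogsDeliveryError"])
    if not status.get("IsLogging", False):
        findings.append("trail is not logging")
    return findings

def audit(pairs, now=None):
    """Map trail name -> findings for every non-compliant (trail, status) pair."""
    now = now or datetime.now(timezone.utc)
    return {t["Name"]: f for t, s in pairs if (f := evaluate_trail(t, s, now))}

def fetch_trails(session):
    """Live collection with boto3 (hypothetical helper; needs credentials)."""
    ct = session.client("cloudtrail")
    trails = ct.describe_trails(includeShadowTrails=False)["trailList"]
    return [(t, ct.get_trail_status(Name=t["TrailARN"])) for t in trails]

# Constructed sample data mirroring the API response shapes (not real data).
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
ROLE = "arn:aws:iam::111111111111:role/CloudTrail_CloudWatchLogs_Role"
GROUP = "arn:aws:logs:us-east-1:111111111111:log-group:CloudTrail/Default:*"
SAMPLE = [
    ({"Name": "healthy", "CloudWatchLogsLogGroupArn": GROUP, "CloudWatchLogsRoleArn": ROLE},
     {"IsLogging": True, "LatestCloudWatchLogsDeliveryTime": NOW - timedelta(minutes=5)}),
    ({"Name": "s3-only"}, {"IsLogging": True}),
    ({"Name": "stale", "CloudWatchLogsLogGroupArn": GROUP, "CloudWatchLogsRoleArn": ROLE},
     {"IsLogging": True, "LatestCloudWatchLogsDeliveryTime": NOW - timedelta(days=3),
      "LatestCloudWatchLogsDeliveryError": "AccessDenied"}),
]
```

Against a live account, `audit(fetch_trails(boto3.Session()))` returns only the trails that need remediation; `audit(SAMPLE, NOW)` shows the same logic on the constructed data.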