CloudTrail trails should have CloudWatch log integration enabled

Description

It is recommended that each CloudTrail trail be configured to deliver its log events to CloudWatch Logs in addition to the S3 bucket. Once events are in a log group, CloudWatch Logs metric filters can match specific terms such as a user, a resource, or an API call, and CloudWatch alarms can fire on thresholds or anomalous activity, giving near-real-time alerting that the S3 delivery alone does not provide.

Note: CIS recognizes that there are alternative logging solutions instead of CloudWatch Logs. The intent of this recommendation is to capture, monitor, and appropriately alarm on an AWS account.

Console Remediation Steps

  • Navigate to CloudTrail.

  • Click View trails.

  • Edit each trail, enable CloudWatch Logs integration, and select (or create) the target log group and the IAM role that CloudTrail will assume to write to it.

CLI Remediation Steps

  • Enable CloudWatch Log Integration for CloudTrail:

    • aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-group-arn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>
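The update-trail call above only works if the role in --cloudwatch-logs-role-arn trusts the CloudTrail service and may write to the log group, and it must be run in the trail's home region; the ARNs being set on the trail also does not prove that events are actually arriving. The following script is an added example (not CIS or AWS code) that audits the JSON returned by `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status`, builds the update-trail command for each non-integrated trail, and emits the two IAM policy documents the role needs. The account ID 111122223333, the regions, and the trail, log-group and role names are placeholders, and the sample API responses are constructed for the example.

```python
"""Audit CloudTrail trails for CloudWatch Logs integration and build the fix.

Added example for this recommendation; not CIS or AWS code. Consumes the JSON
shapes of `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status`
and produces the remediation commands plus the IAM documents for the role in
--cloudwatch-logs-role-arn. All ARNs below are placeholders.
"""
import json
import shlex

# Constructed `aws cloudtrail describe-trails` output (not real account data).
DESCRIBE_TRAILS = json.loads("""
{"trailList": [
  {"Name": "org-trail",
   "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
   "HomeRegion": "us-east-1", "IsMultiRegionTrail": true,
   "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/DefaultLogGroup:*",
   "CloudWatchLogsRoleArn": "arn:aws:iam::111122223333:role/CloudTrail_CloudWatchLogs_Role"},
  {"Name": "legacy-trail",
   "TrailARN": "arn:aws:cloudtrail:us-west-2:111122223333:trail/legacy-trail",
   "HomeRegion": "us-west-2", "IsMultiRegionTrail": false},
  {"Name": "stale-trail",
   "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/stale-trail",
   "HomeRegion": "eu-west-1", "IsMultiRegionTrail": false,
   "CloudWatchLogsLogGroupArn": "arn:aws:logs:eu-west-1:111122223333:log-group:CloudTrail/Stale:*",
   "CloudWatchLogsRoleArn": "arn:aws:iam::111122223333:role/CloudTrail_CloudWatchLogs_Role"}
]}
""")

# Constructed `aws cloudtrail get-trail-status --name <trail>` results, keyed by trail name.
TRAIL_STATUS = {
    "org-trail": {"IsLogging": True, "LatestCloudWatchLogsDeliveryTime": 1700000000.0},
    "legacy-trail": {"IsLogging": True},
    "stale-trail": {"IsLogging": True,
                    "LatestCloudWatchLogsDeliveryError": "AccessDenied (role cannot PutLogEvents)"},
}


def audit(describe_trails, status_by_name):
    """Return {trail name: verdict}. A trail passes only when both ARNs are set
    AND the last CloudWatch Logs delivery did not error: the ARNs prove the
    trail is configured, not that events are reaching the log group."""
    verdicts = {}
    for trail in describe_trails["trailList"]:
        name = trail["Name"]
        if not (trail.get("CloudWatchLogsLogGroupArn") and trail.get("CloudWatchLogsRoleArn")):
            verdicts[name] = "NOT_INTEGRATED"
            continue
        status = status_by_name.get(name, {})
        if status.get("LatestCloudWatchLogsDeliveryError"):
            verdicts[name] = "DELIVERY_FAILING"
        elif not status.get("IsLogging", False):
            verdicts[name] = "TRAIL_NOT_LOGGING"
        else:
            verdicts[name] = "COMPLIANT"
    return verdicts


def remediation_command(trail, log_group_arn, role_arn):
    """Build the update-trail call for one trail. update-trail must be issued
    in the trail's home region, so --region is pinned to HomeRegion instead of
    relying on the operator's default region."""
    args = ["aws", "cloudtrail", "update-trail",
            "--region", trail["HomeRegion"],
            "--name", trail["Name"],
            "--cloudwatch-logs-log-group-arn", log_group_arn,
            "--cloudwatch-logs-role-arn", role_arn]
    return " ".join(shlex.quote(a) for a in args)


def cloudtrail_role_policies(log_group_arn):
    """IAM documents for the role in --cloudwatch-logs-role-arn: a trust policy
    for the CloudTrail service principal and a permissions policy limited to
    creating and writing log streams inside the one target log group."""
    group = log_group_arn[:-2] if log_group_arn.endswith(":*") else log_group_arn
    trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}
    permissions = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": group + ":log-stream:*"}]}
    return trust, permissions


def remediation_plan(describe_trails, status_by_name, log_group_arn, role_arn):
    """One action per non-compliant trail: the update-trail command when the
    integration is missing, or a pointer to the role when delivery is failing
    (re-running update-trail does not fix a broken role policy)."""
    verdicts = audit(describe_trails, status_by_name)
    plan = []
    for trail in describe_trails["trailList"]:
        verdict = verdicts[trail["Name"]]
        if verdict == "NOT_INTEGRATED":
            plan.append(remediation_command(trail, log_group_arn, role_arn))
        elif verdict == "DELIVERY_FAILING":
            err = status_by_name[trail["Name"]]["LatestCloudWatchLogsDeliveryError"]
            plan.append(f"# {trail['Name']}: fix {trail['CloudWatchLogsRoleArn']} ({err})")
    return plan


if __name__ == "__main__":
    lg = "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/DefaultLogGroup:*"
    role = "arn:aws:iam::111122223333:role/CloudTrail_CloudWatchLogs_Role"
    for name, verdict in audit(DESCRIBE_TRAILS, TRAIL_STATUS).items():
        print(f"{name:14} {verdict}")
    for line in remediation_plan(DESCRIBE_TRAILS, TRAIL_STATUS, lg, role):
        print(line)
    print(json.dumps(cloudtrail_role_policies(lg)[1], indent=2))
```

To run it against a live account, replace the two constructed documents with the output of `aws cloudtrail describe-trails` and of `aws cloudtrail get-trail-status --name <trail>` for each trail; after applying the commands, re-run the audit and confirm that get-trail-status reports a LatestCloudWatchLogsDeliveryTime and no LatestCloudWatchLogsDeliveryError.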