CloudTrail trails should have CloudWatch log integration enabled

Description

It is recommended that users configure CloudTrail to send log events to CloudWatch Logs. Users can then create CloudWatch Logs metric filters to search for specific terms such as a user or resource, or create CloudWatch alarms to trigger based on thresholds or anomalous activity.

Remediation Steps

AWS Console

  • Navigate to CloudTrail.

  • Click the trail name.

  • Navigate to the CloudWatch Logs section, and click Edit.

  • Select the Enabled box for CloudWatch logs.

  • For the log group, select an existing log group or create a new one, and enter the log group name.

  • For the IAM role, select an existing role or create a new one, and enter the role name.

  • Click Save changes.

AWS CLI

  • Enable CloudWatch Log Integration for CloudTrail:

    • aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-group-arn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>

Terraform

  • Ensure that the aws_cloudtrail resource has a cloud_watch_logs_group_arn, and optionally, a cloud_watch_logs_role_arn if not using the default role arn.

Example Configuration

resource "aws_cloudtrail" "example" {
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.example.arn}:*"
  # other required fields here
}