🛡️ AWS CloudTrail Trail is not integrated with CloudWatch Logs🟢

• Contextual name: 🛡️ Trail is not integrated with CloudWatch Logs🟢
• ID: /ce/ca/aws/cloudtrail/trail-cloudwatch-logs-integration
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY, RELIABILITY

Logic

• 🧠 prod.logic.yaml🟠🟢
  • 📗 AWS CloudTrail Trail
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs

Description

Open File

Description

This policy identifies AWS CloudTrail trails that are not configured to deliver trail events to Amazon CloudWatch Logs.

Rationale

Integrating CloudTrail with Amazon CloudWatch Logs provides centralized, near-real-time visibility into AWS API activity. Once trail events are available in CloudWatch Logs, security and operations teams can create metric filters, alarms, dashboards, and queries to detect suspicious behavior, investigate changes, and accelerate incident response.

CloudWatch Logs integration complements S3 log delivery by making audit events easier to monitor as they occur and correlate with other service logs.

Impact

Enabling CloudWatch Logs integration may increase AWS costs for log ingestion, storage, and retention. Review log retention settings and expected event volume to balance visibility with cost.

Audit

This policy flags an AWS CloudTrail Trail as INCOMPLIANT when either the CloudWatch Logs Log Group ARN or CloudWatch Logs Role ARN field is empty.

Trails are also flagged as INCOMPLIANT when CloudWatch Logs integration is configured but the associated Log Group or IAM Role is missing from the CMDB.

Remediation

Open File

Remediation

Configure CloudWatch Logs Integration

To support centralized monitoring and alerting for CloudTrail events, configure the trail to deliver logs to an Amazon CloudWatch Logs log group and specify an IAM role that CloudTrail can assume to publish log data.

From Command Line

If a target log group does not already exist, create one:

aws logs create-log-group \
  --region {{region}} \
  --log-group-name {{log-group-name}}

Create a trust policy document {{cloudtrail-trust-policy}}.json with the following content:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM role that CloudTrail will assume to publish log events:

aws iam create-role \
  --role-name {{cloudtrail-cloudwatch-role}} \
  --assume-role-policy-document file://{{cloudtrail-trust-policy}}.json

Create a permissions policy document {{cloudtrail-cloudwatch-policy}}.json with the following content:

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs			1		no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			78		no data
💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			22		no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)		7	32		no data
💼 FedRAMP High Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			27		no data
💼 FedRAMP High Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		38		no data
💼 FedRAMP High Security Controls → 💼 AU-6(1) Automated Process Integration (M)(H)			5		no data
💼 FedRAMP High Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			17		no data
💼 FedRAMP High Security Controls → 💼 AU-6(4) Central Review and Analysis (H)			17		no data
💼 FedRAMP High Security Controls → 💼 AU-6(5) Integrated Analysis of Audit Records (H)			4		no data
💼 FedRAMP High Security Controls → 💼 AU-7(1) Automatic Processing (M)(H)			3		no data
💼 FedRAMP High Security Controls → 💼 AU-10 Non-repudiation (H)			16		no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		74		no data
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		28		no data
💼 FedRAMP High Security Controls → 💼 SI-4(5) System-generated Alerts (M)(H)			4		no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		48	57		no data
💼 FedRAMP Low Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			27		no data
💼 FedRAMP Low Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)			24		no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			74		no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	1		28		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			22		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)			32		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			27		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		38		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6(1) Automated Process Integration (M)(H)			5		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			17		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-7(1) Automatic Processing (M)(H)			3		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			74		no data
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		28		no data
💼 FedRAMP Moderate Security Controls → 💼 SI-4(5) System-generated Alerts (M)(H)			4		no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			51		no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			66		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			185		no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events			28		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			105		no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			51		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			182		no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			47		no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			61		no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			62		no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			47		no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			50		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions		14	22		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(26) Information Flow Enforcement _ Audit Filtering Actions			18		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions		17	25		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-2 Event Logging	4		27		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3 Content of Audit Records	3	13	38		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(1) Audit Record Review, Analysis, and Reporting _ Automated Process Integration		1	5		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories			17		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis			17		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(5) Audit Record Review, Analysis, and Reporting _ Integrated Analysis of Audit Records			4		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-7(1) Audit Record Reduction and Report Generation _ Automatic Processing		1	3		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-10 Non-repudiation	5		16		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	47	74		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring	6		28		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			35		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands			13		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(5) System Monitoring _ System-generated Alerts			4		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(20) System Monitoring _ Privileged Users			12		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events			17		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-20 Tainting			4		no data
💼 PCI DSS v3.2.1 → 💼 10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.			3		no data
💼 PCI DSS v3.2.1 → 💼 10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.			3		no data
💼 PCI DSS v4.0.1 → 💼 10.3.3 Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.			3		no data
💼 PCI DSS v4.0 → 💼 10.3.3 Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.			3		no data