Severity: LOW
Source: Trivy
Frameworks: CIS AWS 1.2, CIS AWS 1.4
ID: AVD-AWS-0162

CloudTrail logs should be stored in S3 and also sent to CloudWatch Logs

CloudTrail is a web service that records AWS API calls made in a given account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs in a specified Amazon S3 bucket for long-term analysis, you can perform real-time analysis by configuring CloudTrail to send logs to CloudWatch Logs.

For a trail that is enabled in all Regions in an account, CloudTrail sends log files from all those Regions to a CloudWatch Logs log group.

Impact

Real-time log analysis is not available unless CloudWatch logging is enabled.

Follow the appropriate remediation steps below to resolve the issue.

Enable logging to CloudWatch (CloudFormation)

Resources:
  GoodExampleTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: "Cloudtrail"
      # IsLogging and S3BucketName are required by the resource type, and
      # CloudWatchLogsRoleArn is required whenever CloudWatchLogsLogGroupArn is set;
      # the bucket name and role ARN below are placeholders.
      IsLogging: true
      S3BucketName: "example-cloudtrail-bucket"
      CloudWatchLogsRoleArn: "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role"
      CloudWatchLogsLogGroupArn: "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*"
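The following is an added example, not Trivy's own check implementation: a small Python scanner that applies the AVD-AWS-0162 condition to a CloudFormation template held as a dict (the JSON form of the template above, plus a constructed trail that fails). It flags trails with no CloudWatchLogsLogGroupArn and, as an extra sanity check, a log group ARN that is malformed or set without the CloudWatchLogsRoleArn that AWS requires alongside it; the regex assumes the standard aws partition.

```python
import re

CHECK_ID = "AVD-AWS-0162"
# Shape of a CloudWatch Logs log-group ARN, with the optional ":*" suffix CloudTrail expects.
LOG_GROUP_ARN = re.compile(r"^arn:aws:logs:[a-z0-9-]+:\d{12}:log-group:[^:]+(:\*)?$")

def check_trail(logical_id, props):
    """Return (logical_id, check_id, message) findings for one AWS::CloudTrail::Trail."""
    findings = []
    arn = props.get("CloudWatchLogsLogGroupArn")
    if not arn:
        return [(logical_id, CHECK_ID, "trail does not send logs to CloudWatch Logs")]
    # A literal string is validated; an intrinsic such as {"Fn::GetAtt": [...]} is resolved
    # at deploy time, so it is accepted as-is.
    if isinstance(arn, str) and not LOG_GROUP_ARN.match(arn):
        findings.append((logical_id, CHECK_ID, "CloudWatchLogsLogGroupArn is not a log-group ARN"))
    if not props.get("CloudWatchLogsRoleArn"):
        findings.append((logical_id, CHECK_ID, "CloudWatchLogsLogGroupArn is set without CloudWatchLogsRoleArn"))
    return findings

def scan_template(template):
    """Walk every resource in the template and evaluate the CloudTrail trails."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::CloudTrail::Trail":
            findings.extend(check_trail(logical_id, res.get("Properties", {})))
    return findings

# Constructed sample: the page's trail (with the required bucket/role placeholders) and a trail
# that only writes to S3.
SAMPLE_TEMPLATE = {"Resources": {
    "GoodExampleTrail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
        "TrailName": "Cloudtrail", "IsLogging": True, "S3BucketName": "example-cloudtrail-bucket",
        "CloudWatchLogsRoleArn": {"Fn::GetAtt": ["CloudTrailLogsRole", "Arn"]},
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*"}},
    "S3OnlyTrail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
        "TrailName": "S3Only", "IsLogging": True, "S3BucketName": "example-cloudtrail-bucket"}},
}}

if __name__ == "__main__":
    for logical_id, check_id, message in scan_template(SAMPLE_TEMPLATE):
        print(f"{check_id} {logical_id}: {message}")
```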

Enable logging to CloudWatch (Terraform)

resource "aws_cloudtrail" "good_example" {
  # name and s3_bucket_name are required arguments, and cloud_watch_logs_role_arn
  # must accompany cloud_watch_logs_group_arn; the bucket name and role ARN are placeholders.
  name                       = "good_example"
  s3_bucket_name             = "example-cloudtrail-bucket"
  is_multi_region_trail      = true
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.example.arn}:*"
  cloud_watch_logs_role_arn  = "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role"

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}

resource "aws_cloudwatch_log_group" "example" {
  name = "Example"
}