Ensure CloudTrail trails are integrated with CloudWatch Logs

2.4 Logging (AWS CIS Benchmark).


AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The information recorded here includes the:

  • Identity of the API caller
  • Time of the API call
  • Source IP address of the API caller
  • Request parameters
  • Response elements returned by the AWS service.

CloudTrail uses Amazon S3 for log file storage and delivery. In addition to capturing CloudTrail logs within a specified S3 bucket for long-term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions within an account, CloudTrail sends log files from all regions to a CloudWatch Logs log group.

It is recommended that CloudTrail logs be sent to CloudWatch Logs.

Integrate CloudTrail trails with CloudWatch Logs via the AWS Management Console

Step 1. Log in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

Step 2. Under "All Buckets," click on the target bucket you want to evaluate.

Step 3. Click on Properties on the top right of the console.

Step 4. Click on Trails in the left menu.

Step 5. Click on each trail where no CloudWatch Logs are defined.

Step 6. Go to the "CloudWatch Logs" section and click on Configure.

Step 7. Define a new or select an existing log group.

Step 8. Click on Continue.

Step 9. Configure the IAM Role, which will deliver CloudTrail events to CloudWatch Logs.

Step 10. Create/Select an IAM Role and Policy Name.

Step 11. Click on Allow to continue.

Integrate CloudTrail trails with CloudWatch Logs via CLI

Run the following command, substituting the ARN of an existing CloudWatch Logs log group and the ARN of an IAM role that CloudTrail can assume to write to it:

aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-group-arn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>
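The following is an added example, not part of the CIS Benchmark text or of any AWS tooling. It covers two things a practitioner needs around the procedure above: the two IAM policy documents for the role configured in Steps 9 and 10 (a trust policy letting cloudtrail.amazonaws.com assume the role, and a permissions policy scoped to log streams inside the target log group), and an audit function that applies the benchmark's check to the JSON shapes returned by `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status --name <trail>`: a trail fails if it has no CloudWatch Logs log group and role, or if its `LatestCloudWatchLogsDeliveryTime` is missing or older than one day. The trail names, ARNs, account ID and timestamps below are constructed sample data; the one-day threshold is the benchmark's, and the function names are this example's own.

```python
import json
from datetime import datetime, timedelta, timezone


def cloudtrail_to_cloudwatch_role_policies(log_group_arn):
    """Build (trust_policy, permissions_policy) for the IAM role that
    CloudTrail assumes to deliver events to the given log group."""
    # A log group ARN ends in ":*"; CloudTrail writes to log *streams* inside
    # that group, so the permission is scoped to "<group>:log-stream:*"
    # rather than to the whole logs service.
    group_prefix = log_group_arn[:-2] if log_group_arn.endswith(":*") else log_group_arn
    stream_arn = group_prefix + ":log-stream:*"
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }
    permissions_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": [stream_arn],
        }],
    }
    return trust_policy, permissions_policy


# Audit threshold from the benchmark: the last delivery to CloudWatch Logs
# must be within the last day.
MAX_DELIVERY_AGE = timedelta(days=1)


def audit_trails(describe_trails_output, trail_statuses, now=None):
    """Return {trail_name: finding} for every trail that fails the check.

    describe_trails_output: parsed JSON from `aws cloudtrail describe-trails`.
    trail_statuses: {trail_name: parsed JSON from `get-trail-status`}.
    """
    now = now or datetime.now(timezone.utc)
    findings = {}
    for trail in describe_trails_output["trailList"]:
        name = trail["Name"]
        group_arn = trail.get("CloudWatchLogsLogGroupArn")
        role_arn = trail.get("CloudWatchLogsRoleArn")
        if not group_arn or not role_arn:
            findings[name] = "no CloudWatch Logs log group/role configured"
            continue
        last = trail_statuses.get(name, {}).get("LatestCloudWatchLogsDeliveryTime")
        if last is None:
            findings[name] = "CloudWatch Logs configured but no delivery has happened yet"
            continue
        # The CLI prints timestamps as ISO 8601 with a UTC offset.
        if now - datetime.fromisoformat(last) > MAX_DELIVERY_AGE:
            findings[name] = f"last CloudWatch Logs delivery at {last} is older than 1 day"
    return findings


# Constructed sample data in the shape of the two CLI commands' output.
ACCOUNT = "111122223333"
LOG_GROUP_ARN = f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:CloudTrail/DefaultLogGroup:*"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/CloudTrail_CloudWatchLogs_Role"
SAMPLE_DESCRIBE_TRAILS = {
    "trailList": [
        {"Name": "management-events", "IsMultiRegionTrail": True,
         "CloudWatchLogsLogGroupArn": LOG_GROUP_ARN, "CloudWatchLogsRoleArn": ROLE_ARN},
        {"Name": "legacy-trail", "IsMultiRegionTrail": False},
        {"Name": "stale-trail", "IsMultiRegionTrail": False,
         "CloudWatchLogsLogGroupArn": LOG_GROUP_ARN, "CloudWatchLogsRoleArn": ROLE_ARN},
    ]
}
SAMPLE_STATUSES = {
    "management-events": {"IsLogging": True,
                          "LatestCloudWatchLogsDeliveryTime": "2024-03-01T08:15:42.123000+00:00"},
    "stale-trail": {"IsLogging": True,
                    "LatestCloudWatchLogsDeliveryTime": "2024-02-20T08:15:42+00:00"},
}
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed "current time"

if __name__ == "__main__":
    trust, perms = cloudtrail_to_cloudwatch_role_policies(LOG_GROUP_ARN)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    for trail, finding in audit_trails(SAMPLE_DESCRIBE_TRAILS, SAMPLE_STATUSES, NOW).items():
        print(f"FAIL {trail}: {finding}")
```

Against the sample data the audit reports `legacy-trail` (nothing configured) and `stale-trail` (delivery older than a day) and passes `management-events`. In a real account, feed it the parsed output of the two CLI commands for every trail, and remember that a multi-region trail delivers events from all regions to a single log group, so one correctly configured trail is usually enough.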