1. Open the AWS Management Console and navigate to the CloudTrail service.
2. Select the trail for which you want to enable CloudWatch Logs monitoring.
3. Click on the “Edit” button in the “CloudWatch Logs” section.
4. Select the option “Yes” for “Enable CloudWatch Logs”.
5. Choose a CloudWatch Logs log group to which you want to send the CloudTrail events.
6. Click on the “Save” button to save the changes.
7. Verify that the CloudWatch Logs integration is working by checking the log group for the CloudTrail events.

​

1. Open the AWS CLI on your local machine or EC2 instance.
2. Run the following command to create a new CloudWatch Logs group:
   Copy

   Ask AI

   aws logs create-log-group --log-group-name my-log-group-name
   

   Replace my-log-group-name with the name you want to give to your CloudWatch Logs group.
3. Run the following command to create a new CloudWatch Logs stream:
   Copy

   Ask AI

   aws logs create-log-stream --log-group-name my-log-group-name --log-stream-name my-log-stream-name
   

   Replace my-log-group-name with the name of the CloudWatch Logs group you created in step 2, and replace my-log-stream-name with the name you want to give to your CloudWatch Logs stream.
4. Run the following command to enable CloudTrail log file validation:
   Copy

   Ask AI

   aws cloudtrail update-trail --name my-trail-name --enable-log-file-validation
   

   Replace my-trail-name with the name of the CloudTrail trail you want to enable log file validation for.
5. Run the following command to configure CloudTrail to send events to your CloudWatch Logs group:
   Copy

   Ask AI

   aws cloudtrail update-trail --name my-trail-name --cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:123456789012:log-group:my-log-group-name --cloud-watch-logs-role-arn arn:aws:iam::123456789012:role/my-cloudtrail-role
   

   Replace my-trail-name with the name of the CloudTrail trail you want to configure, replace arn:aws:logs:us-east-1:123456789012:log-group:my-log-group-name with the ARN of the CloudWatch Logs group you created in step 2, and replace arn:aws:iam::123456789012:role/my-cloudtrail-role with the ARN of the IAM role you want to use for CloudTrail. Note: You need to have the required permissions to create CloudWatch Logs group, stream and IAM role.
6. Verify that CloudTrail events are being sent to your CloudWatch Logs group by checking the logs in the CloudWatch Logs console. Congratulations! You have successfully remediated the misconfiguration “CloudTrail Events Should Be Monitored By CloudWatch Logs” for AWS using AWS CLI.

1. Import the necessary modules:

import boto3

2. Create a CloudWatch Logs client:

cloudwatch_logs = boto3.client('logs')

3. Get a list of all the existing CloudTrail logs:

cloudtrail_logs = boto3.client('cloudtrail')
logs = cloudtrail_logs.describe_trails()

4. For each CloudTrail log, check if it is already being monitored by CloudWatch Logs:

for log in logs['trailList']:
    log_name = log['Name']
    response = cloudwatch_logs.describe_log_groups(logGroupNamePrefix=log_name)
    if not response['logGroups']:
        # Create a new log group for the CloudTrail log
        cloudwatch_logs.create_log_group(logGroupName=log_name)
    # Create a CloudWatch Logs subscription filter for the CloudTrail log
    cloudwatch_logs.put_subscription_filter(
        logGroupName=log_name,
        filterName='CloudTrailFilter',
        filterPattern='',
        destinationArn=''
    )

5. Replace the destinationArn parameter with the ARN of the CloudWatch Logs destination you want to use.
6. Save the Python script and run it to remediate the misconfiguration.