Skip to main content

CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events

Severity: High

Resource Types: AWS::CloudTrail::Trail

Description

This control checks that there is at least one multi-Region CloudTrail trail.

AWS CloudTrail records AWS API calls for your account and delivers log files to you. The recorded information includes the following information.

  • Identity of the API caller
  • Time of the API call
  • Source IP address of the API caller
  • Request parameters
  • Response elements returned by the AWS service

CloudTrail provides a history of AWS API calls for an account, including API calls made from the AWS Management Console, AWS SDKs, command line tools. The history also includes API calls from higher-level AWS services such as AWS CloudFormation.

  • The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Multi-Region trails also provide the following benefits.
  • A multi-Region trail helps to detect unexpected activity occurring in otherwise unused Regions.
  • A multi-Region trail ensures that global service event logging is enabled for a trail by default. Global service event logging records events generated by AWS global services.
  • For a multi-Region trail, management events for all read and write operations ensure that CloudTrail records management operations on all of an AWS account’s resources.

By default, CloudTrail trails that are created using the AWS Management Console are multi-Region trails.

Remediation

To remediate this issue, create a new multi-Region trail in CloudTrail.

To create a new trail in CloudTrail

  1. Open the CloudTrail console.
  2. If you haven't used CloudTrail before, choose Get Started Now.
  3. Choose Trails and then choose Create trail.
  4. Enter a name for the trail.
  5. Under Storage location, do one of the following:
    • To create a new S3 bucket for CloudTrail logs, for Create a new S3 bucket, choose Yes, then enter a name for the new S3 bucket.
    • To use an existing S3 bucket, for Create a new S3 bucket, choose No, then select the S3 bucket to use.
  6. Under Additional settings, choose Advanced. For Enable log file validation, select Enabled.
  7. Choose Create.

To update an existing trail in CloudTrail

  1. Open the CloudTrail console.
  2. Choose Trails.
  3. In the Name column, choose the name of the trail.
  4. For Management events, choose Edit.
  5. For Read/Write events, select Management events.
  6. Under API Activity, select Read and Write.