Ensure AWS CloudTrail is enabled in all regions

Error: AWS CloudTrail is not enabled in all regions

Bridgecrew Policy ID: BC_AWS_LOGGING_1
Checkov Check ID: CKV_AWS_67
Severity: CRITICAL

Description

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes: the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services such as CloudFormation.

The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. A trail that applies to all regions adds the following coverage:

  • A multi-region trail records activity in regions the account does not normally use, so unexpected activity there is captured rather than missed.
  • A multi-region trail enables Global Service Logging by default, capturing events generated by AWS global services (for example IAM and STS).
  • Configuring management events on a multi-region trail for all Read/Write operations records management actions performed on every resource in the account.
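An added example, not from the Bridgecrew or Checkov documentation, showing how the three conditions above can be audited against the JSON shapes returned by `aws cloudtrail describe-trails`, `aws cloudtrail get-trail-status` and `aws cloudtrail get-event-selectors`. The trail records, selectors and status values are constructed sample data; the selector logic assumes classic event selectors (advanced event selectors are not handled), and the `Finding` type and function names are this example's own.

```python
"""Audit CloudTrail trails for multi-region, global-service and management-event coverage.

The dictionaries below mirror the JSON returned by `describe-trails`,
`get-trail-status` and `get-event-selectors`; in a live audit they would come
from boto3 or the AWS CLI instead of being embedded here.
"""
from dataclasses import dataclass, field
from typing import Dict, List

REGIONAL_ARN = "arn:aws:cloudtrail:us-east-1:111111111111:trail/regional-only"
ORG_ARN = "arn:aws:cloudtrail:eu-west-1:111111111111:trail/org-wide"

# Constructed sample: one single-region trail and one multi-region trail.
SAMPLE_TRAILS = [
    {"Name": "regional-only", "TrailARN": REGIONAL_ARN, "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True,
     "S3BucketName": "example-cloudtrail-logs"},
    {"Name": "org-wide", "TrailARN": ORG_ARN, "HomeRegion": "eu-west-1",
     "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
     "S3BucketName": "example-cloudtrail-logs"},
]

# Constructed sample: classic event selectors per trail ARN.
SAMPLE_SELECTORS = {
    REGIONAL_ARN: [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
    ORG_ARN: [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}],
}

# Constructed sample: get-trail-status per trail ARN.
SAMPLE_STATUS = {REGIONAL_ARN: {"IsLogging": True}, ORG_ARN: {"IsLogging": True}}


@dataclass
class Finding:
    trail: str
    problems: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.problems


def evaluate_trail(trail: dict, selectors: list, status: dict) -> Finding:
    """Return every way a single trail falls short of full multi-region coverage."""
    finding = Finding(trail["Name"])
    if not trail.get("IsMultiRegionTrail", False):
        finding.problems.append("not a multi-region trail")
    if not trail.get("IncludeGlobalServiceEvents", False):
        finding.problems.append("global service events not included")
    if not status.get("IsLogging", False):
        finding.problems.append("logging is stopped")
    # Management events must be recorded, and for both reads and writes.
    mgmt = [s for s in selectors if s.get("IncludeManagementEvents")]
    if not mgmt:
        finding.problems.append("management events not recorded")
    elif not any(s.get("ReadWriteType") == "All" for s in mgmt):
        finding.problems.append("management events not set to All read/write")
    return finding


def audit(trails: list, selectors_by_arn: dict, status_by_arn: dict) -> Dict[str, Finding]:
    """Evaluate every trail; missing selector/status entries count as absent."""
    return {
        t["Name"]: evaluate_trail(t, selectors_by_arn.get(t["TrailARN"], []),
                                  status_by_arn.get(t["TrailARN"], {}))
        for t in trails
    }


def account_is_covered(findings: Dict[str, Finding]) -> bool:
    """The account passes when at least one trail has no problems."""
    return any(f.compliant for f in findings.values())


if __name__ == "__main__":
    results = audit(SAMPLE_TRAILS, SAMPLE_SELECTORS, SAMPLE_STATUS)
    for name, f in results.items():
        print(f"{name}: {'OK' if f.compliant else ', '.join(f.problems)}")
    print("account covered:", account_is_covered(results))
```

In the sample data the regional trail fails on the multi-region condition and the multi-region trail fails on Read/Write type, so the account as a whole is reported as uncovered; switching the `org-wide` selector to `"All"` (the CLI default described below) makes it pass.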

Fix - Runtime

AWS Console

To enable global (multi-region) CloudTrail logging, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the CloudTrail dashboard.
  3. On the left navigation pane, click Trails.
  4. Click Get Started Now.
  5. Click Add new trail.
  6. Enter a trail name in the Trail name box.
  7. Set Apply trail to all regions option to Yes.
  8. Enter an S3 bucket name in the S3 bucket box.
  9. Click Create.

If one or more trails already exist, select the target trail and enable global logging with the following steps:

  1. Next to Apply trail to all regions, click the edit icon (pencil) and select Yes.
  2. Click Save.
  3. Next to Management Events, click the edit icon (pencil) and select All Read/Write Events.
  4. Click Save.

CLI Command

To create a multi-region trail, use the following command:

aws cloudtrail create-trail \
  --name <trail_name> \
  --bucket-name <s3_bucket_for_cloudtrail> \
  --is-multi-region-trail

To convert an existing single-region trail into a multi-region trail, use:

aws cloudtrail update-trail \
  --name <trail_name> \
  --is-multi-region-trail

Note

Creating a trail with the CLI command above, without any overriding options, configures management events to record All Read/Write operations.

Fix - Buildtime

CloudFormation

  • Resource: AWS::CloudTrail::Trail
  • Argument: Properties.IsMultiRegionTrail

Resources:
  MyTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      ...
+     IsMultiRegionTrail: True

Fix - Buildtime

Terraform

  • Resource: aws_cloudtrail
  • Argument: is_multi_region_trail - (Optional) Specifies whether the trail is created in the current region or in all regions. Defaults to false.

resource "aws_cloudtrail" "foobar" {
  name                          = "tf-trail-foobar"
  s3_bucket_name                = aws_s3_bucket.foo.id
  s3_key_prefix                 = "prefix"
  include_global_service_events = false
+ is_multi_region_trail = true
}
