Ensure CloudTrail logging in All Regions is enabled

Error: CloudTrail logging in All Regions is not enabled

Bridgecrew Policy ID: BC_AWS_LOGGING_14
Severity: LOW

CloudTrail logging in All Regions is not enabled

Description

You can configure CloudTrail to deliver log files from multiple regions to a single S3 bucket for a single account. When you change an existing single-region trail to log all regions, CloudTrail logs events from all regions in your account.

Enabling global monitoring for CloudTrail helps you manage your AWS account and maintain the security of a global infrastructure. Multi-region auditing stores log files from all regions in a single S3 bucket and a single CloudWatch Logs group. It also lets you manage the configuration for all regions from one location and records API calls in regions you do not normally use, so that abnormal activity there can be detected.

Fix - Runtime

AWS Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Navigate to CloudTrail.
  3. In the left navigation, click Trails. Select Create trail, enter a Trail name.
  4. In Apply trail to all regions, select Yes.
  5. In Management events, select All for Read/write events.
  6. In Create a new S3 bucket, select Yes.
  7. In the S3 bucket, enter a name and click Create.

CLI Command

To change an existing trail so that it applies to all Regions, add the --is-multi-region-trail option to the update-trail command.

aws cloudtrail update-trail \
    --name my-trail \
    --is-multi-region-trail
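An added example, not part of the Bridgecrew page, that applies the same condition to `aws cloudtrail describe-trails` output in Python: it lists trails that only log their home region, decides whether the account has any all-region trail, and builds the update-trail command above for each failing trail. The trail names, bucket names and regions in the embedded JSON are constructed sample data.

```python
import json

# Constructed sample of `aws cloudtrail describe-trails` output; names,
# bucket and region values are made up for the example.
SAMPLE_DESCRIBE_TRAILS = json.dumps({"trailList": [
    {"Name": "my-trail", "S3BucketName": "example-trail-bucket",
     "IncludeGlobalServiceEvents": True, "IsMultiRegionTrail": False,
     "HomeRegion": "us-east-1"},
    {"Name": "org-trail", "S3BucketName": "example-org-bucket",
     "IncludeGlobalServiceEvents": True, "IsMultiRegionTrail": True,
     "HomeRegion": "eu-west-1"},
]})


def _trails(describe_trails_output: str) -> list[dict]:
    return json.loads(describe_trails_output).get("trailList", [])


def single_region_trails(describe_trails_output: str) -> list[str]:
    """Names of trails that only record their home region.

    This is the BC_AWS_LOGGING_14 condition: a trail passes only when
    IsMultiRegionTrail is true; a missing key is treated as false.
    """
    return [t["Name"] for t in _trails(describe_trails_output)
            if not t.get("IsMultiRegionTrail", False)]


def account_is_compliant(describe_trails_output: str) -> bool:
    """True when at least one trail captures events from all regions."""
    return any(t.get("IsMultiRegionTrail", False)
               for t in _trails(describe_trails_output))


def remediation_commands(describe_trails_output: str) -> list[str]:
    """The page's update-trail command for each failing trail.

    --region pins the call to the trail's home region: UpdateTrail is
    rejected with InvalidHomeRegionException from any other region.
    """
    return [
        f"aws cloudtrail update-trail --name {t['Name']} "
        f"--is-multi-region-trail --region {t['HomeRegion']}"
        for t in _trails(describe_trails_output)
        if not t.get("IsMultiRegionTrail", False)
    ]
```

Feed it the real output of `aws cloudtrail describe-trails` (which must be run in each trail's home region to see non-shadow trails) to get the exact commands to issue.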

Fix - Buildtime

Terraform

  • Resource: aws_cloudtrail
  • Argument: is_multi_region_trail - (Optional) Specifies whether the trail is created in the current region or in all regions. Defaults to false.

resource "aws_cloudtrail" "foobar" {
  name                          = "tf-trail-foobar"
  s3_bucket_name                = aws_s3_bucket.foo.id
  s3_key_prefix                 = "prefix"
  include_global_service_events = false
+ is_multi_region_trail         = true
}