v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 1 CloudTrail should be enabled and configured with at least one multi-Region trail

Description

This control checks that there is at least one multi-Region CloudTrail trail.

AWS CloudTrail records AWS API calls for your account and delivers log files to you. The recorded information includes the following information.

  • Identity of the API caller
  • Time of the API call
  • Source IP address of the API caller
  • Request parameters
  • Response elements returned by the AWS service

CloudTrail provides a history of AWS API calls for an account, including API calls made from the AWS Management Console, AWS SDKs, command line tools. The history also includes API calls from higher-level AWS services such as AWS CloudFormation.

  • The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Multi-Region trails also provide the following benefits.
  • A multi-Region trail helps to detect unexpected activity occurring in otherwise unused Regions.
  • A multi-Region trail ensures that global service event logging is enabled for a trail by default. Global service event logging records events generated by AWS global services.
  • For a multi-Region trail, management events for all read and write operations ensure that CloudTrail records management operations on all of an AWS account’s resources.

By default, CloudTrail trails that are created using the AWS Management Console are multi-Region trails.

Remediation

To remediate this issue, create a new multi-Region trail in CloudTrail.

To create a new trail in CloudTrail

  1. Open the CloudTrail console.
  2. If you haven't used CloudTrail before, choose Get Started Now.
  3. Choose Trails and then choose Create trail.
  4. Enter a name for the trail.
  5. Under Storage location, do one of the following:
    • To create a new S3 bucket for CloudTrail logs, for Create a new S3 bucket, choose Yes, then enter a name for the new S3 bucket.
    • To use an existing S3 bucket, for Create a new S3 bucket, choose No, then select the S3 bucket to use.
  6. Under Additional settings, choose Advanced. For Enable log file validation, select Enabled.
  7. Choose Create.

To update an existing trail in CloudTrail

  1. Open the CloudTrail console.
  2. Choose Trails.
  3. In the Name column, choose the name of the trail.
  4. For Management events, choose Edit.
  5. For Read/Write events, select Management events.
  6. Under API Activity, select Read and Write.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_cloudtrail_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_cloudtrail_1 --share

SQL

This control uses a named query:

cloudtrail_multi_region_trail_enabled

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = logging
foundational_security_item_id = cloudtrail_1
plugin = aws
service = AWS/CloudTrail