Powerpipe Detection Mods →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: CloudTrail trails should have insight selectors and logging enabled

Description

CloudTrail Insights provides a powerful way to search and analyze CloudTrail log data using pre-built queries and machine learning algorithms. This can help to identify potential security threats and suspicious activity in near real-time, such as unauthorized access attempts, policy changes, or resource modifications.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cloudtrail_trail_insight_selectors_and_logging_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cloudtrail_trail_insight_selectors_and_logging_enabled --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when not is_logging then 'alarm'
    when is_logging and has_insight_selectors then 'ok'
    else 'alarm'
  end as status,
  case
    when not is_logging then title || ' logging is disabled.'
    when is_logging and has_insight_selectors then title || ' has insight selectors and logging enabled.'
    else title || ' does not has insight selectors enabled.'
  end as reason
  
  , region, account_id
from
  aws_cloudtrail_trail
where
  region = home_region;

Tags

category = Compliance
plugin = aws
service = AWS/CloudTrail