turbot/steampipe-mod-aws-compliance

Control: 1 CloudTrail should be enabled and configured with at least one multi-Region trail

Description

This control checks that there is at least one multi-Region CloudTrail trail.

AWS CloudTrail records AWS API calls for your account and delivers log files to you. The recorded information includes the following.

  • Identity of the API caller
  • Time of the API call
  • Source IP address of the API caller
  • Request parameters
  • Response elements returned by the AWS service

CloudTrail provides a history of AWS API calls for an account, including API calls made from the AWS Management Console, AWS SDKs, and command line tools. The history also includes API calls from higher-level AWS services such as AWS CloudFormation.

The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Multi-Region trails also provide the following benefits.

  • A multi-Region trail helps to detect unexpected activity occurring in otherwise unused Regions.
  • A multi-Region trail ensures that global service event logging is enabled for a trail by default. Global service event logging records events generated by AWS global services.
  • For a multi-Region trail, management events for all read and write operations ensure that CloudTrail records management operations on all of an AWS account’s resources.

By default, CloudTrail trails that are created using the AWS Management Console are multi-Region trails.

Remediation

To remediate this issue, create a new multi-Region trail in CloudTrail.

To create a new trail in CloudTrail

  1. Open the CloudTrail console.
  2. If you haven't used CloudTrail before, choose Get Started Now.
  3. Choose Trails and then choose Create trail.
  4. Enter a name for the trail.
  5. Under Storage location, do one of the following:
    • To create a new S3 bucket for CloudTrail logs, for Create a new S3 bucket, choose Yes, then enter a name for the new S3 bucket.
    • To use an existing S3 bucket, for Create a new S3 bucket, choose No, then select the S3 bucket to use.
  6. Under Additional settings, choose Advanced. For Enable log file validation, select Enabled.
  7. Choose Create.

To update an existing trail in CloudTrail

  1. Open the CloudTrail console.
  2. Choose Trails.
  3. In the Name column, choose the name of the trail.
  4. For Management events, choose Edit.
  5. For Read/Write events, select Management events.
  6. Under API Activity, select Read and Write.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_cloudtrail_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_cloudtrail_1 --share

SQL

This control uses a named query:

with multi_region_trails as (
  select
    account_id,
    count(account_id) as num_multregion_trails
  from
    aws_cloudtrail_trail
  where
    is_multi_region_trail and region = home_region
    and is_logging
  group by
    account_id,
    is_multi_region_trail
), organization_trails as (
  select
    is_organization_trail,
    is_logging,
    is_multi_region_trail,
    account_id
  from
    aws_cloudtrail_trail
  where
    is_organization_trail
)
select
  distinct a.arn as resource,
  case
    when coalesce(num_multregion_trails, 0) >= 1 then 'ok'
    when o.is_organization_trail and o.is_logging and o.is_multi_region_trail then 'ok'
    when o.is_organization_trail and o.is_multi_region_trail and o.is_logging is null then 'info'
    else 'alarm'
  end as status,
  case
    when coalesce(num_multregion_trails, 0) >= 1 then a.title || ' has ' || coalesce(num_multregion_trails, 0) || ' multi-region trail(s).'
    when o.is_organization_trail and o.is_logging and o.is_multi_region_trail then a.title || ' has multi-region trail(s).'
    when o.is_organization_trail and o.is_multi_region_trail and o.is_logging is null then a.title || ' has organization trail, check organization account for cloudtrail logging status.'
    else a.title || ' does not have multi-region trail(s).'
  end as reason,
  a.account_id
from
  aws_account as a
  left join multi_region_trails as b on a.account_id = b.account_id
  left join organization_trails as o on a.account_id = o.account_id;
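The query's ok/info/alarm logic, re-implemented in Python over constructed inventory rows as an added example (not the mod's own code), to show why only home-region rows are counted and when the organization-trail path yields info rather than ok. The account ids, the trail rows and the use of the account id in place of the account title are assumptions for the illustration.

```python
# Added example (not the mod's own code): the status logic of the named query
# above, re-implemented in plain Python over constructed inventory rows.

# Constructed rows modelled on the aws_cloudtrail_trail columns the query reads;
# account ids are placeholders and the account id stands in for the account title.
TRAILS = [
    # multi-region trail in its home region, logging
    {"account_id": "111111111111", "region": "us-east-1", "home_region": "us-east-1",
     "is_multi_region_trail": True, "is_logging": True, "is_organization_trail": False},
    # the same trail seen from another region (shadow trail): must not be counted again
    {"account_id": "111111111111", "region": "eu-west-1", "home_region": "us-east-1",
     "is_multi_region_trail": True, "is_logging": True, "is_organization_trail": False},
    # member account that only sees an organization trail; logging status unknown here
    {"account_id": "222222222222", "region": "us-east-1", "home_region": "us-east-1",
     "is_multi_region_trail": True, "is_logging": None, "is_organization_trail": True},
    # single-region trail that is logging: does not satisfy the control
    {"account_id": "333333333333", "region": "us-east-1", "home_region": "us-east-1",
     "is_multi_region_trail": False, "is_logging": True, "is_organization_trail": False},
]
ACCOUNTS = ["111111111111", "222222222222", "333333333333", "444444444444"]

def count_multi_region_trails(trails, account_id):
    """Mirror of the multi_region_trails CTE: count only home-region rows of
    multi-region trails that are logging, so shadow trails are not double counted."""
    return sum(
        1 for t in trails
        if t["account_id"] == account_id and t["is_multi_region_trail"]
        and t["region"] == t["home_region"] and t["is_logging"]
    )

def evaluate_account(trails, account_id):
    """Mirror of the query's CASE expressions: returns (status, reason)."""
    n = count_multi_region_trails(trails, account_id)
    if n >= 1:
        return "ok", f"{account_id} has {n} multi-region trail(s)."
    # organization_trails CTE: rows of this account where is_organization_trail is true
    for o in (t for t in trails if t["account_id"] == account_id and t["is_organization_trail"]):
        if o["is_multi_region_trail"] and o["is_logging"]:
            return "ok", f"{account_id} has multi-region trail(s)."
        if o["is_multi_region_trail"] and o["is_logging"] is None:
            return "info", (f"{account_id} has organization trail, check organization "
                            "account for cloudtrail logging status.")
    return "alarm", f"{account_id} does not have multi-region trail(s)."

def evaluate_all(trails, accounts):
    """Status per account, like the query's left join from aws_account."""
    return {acct: evaluate_account(trails, acct)[0] for acct in accounts}

if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct, *evaluate_account(TRAILS, acct))
```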

Tags