Skip to main content

πŸ›‘οΈ AWS Account Multi-Region CloudTrail is not enabled🟒

  • Contextual name: πŸ›‘οΈ Multi-Region CloudTrail is not enabled🟒
  • ID: /ce/ca/aws/account/multi-region-cloudtrail
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY, RELIABILITY

Logic​

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-z-3ba226c71

Description​

Open File

Description​

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).

Rationale​

The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally,

  • Ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected.
  • Ensuring that a multi-regions trail exists will ensure that Global Service Logging is enabled for a trail by default to capture recording of events generated on AWS global services.
  • For a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account.

... see more

Remediation​

Open File

Remediation​

Perform the following to enable global (Multi-region) CloudTrail logging:

From Console​

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail.

  2. Click on Trails on the left navigation pane.

  3. Click Get Started Now, if presented.

  • Click Add new trail.

  • Enter a trail name in the Trail name box.

  • A trail created in the console is a multi-region trail by default.

  • Specify an S3 bucket name in the S3 bucket box.

  • Specify the AWS KMS alias under the Log file SSE-KMS encryption section or create a new key.

  • Click Next.

  1. Ensure Management events check box is selected.
  2. Ensure both Read and Write are check under API activity.
  3. Click Next.
  4. Review your trail settings and click Create trail.

From Command Line​

Create a multi-region trail:

aws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail

... [see more](remediation.md)

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events11no data
πŸ’Ό CIS AWS v1.2.0 β†’ πŸ’Ό 2.1 Ensure CloudTrail is enabled in all regions1no data
πŸ’Ό CIS AWS v1.3.0 β†’ πŸ’Ό 3.1 Ensure CloudTrail is enabled in all regions11no data
πŸ’Ό CIS AWS v1.4.0 β†’ πŸ’Ό 3.1 Ensure CloudTrail is enabled in all regions11no data
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 3.1 Ensure CloudTrail is enabled in all regions - Level 1 (Automated)11no data
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 3.1 Ensure CloudTrail is enabled in all regions - Level 1 (Automated)11no data
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 3.1 Ensure CloudTrail is enabled in all regions - Level 1 (Automated)11no data
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 3.1 Ensure CloudTrail is enabled in all regions (Automated)1no data
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 3.1 Ensure CloudTrail is enabled in all regions (Automated)1no data
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 3.1 Ensure CloudTrail is enabled in all regions (Manual)1no data
πŸ’Ό CIS AWS v6.0.0 β†’ πŸ’Ό 4.1 Ensure CloudTrail is enabled in all regions (Manual)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration72no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2(4) Automated Audit Actions (M)(H)18no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6(9) Log Use of Privileged Functions (M)(H)728no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)23no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)134no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6(3) Correlate Audit Record Repositories (M)(H)13no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6(4) Central Review and Analysis (H)13no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-10 Non-repudiation (H)12no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)270no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CA-7 Continuous Monitoring (L)(M)(H)222no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-3 Configuration Change Control (M)(H)437no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SI-4(20) Privileged Users (H)4853no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)23no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)20no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)70no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CA-7 Continuous Monitoring (L)(M)(H)122no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2(4) Automated Audit Actions (M)(H)18no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6(9) Log Use of Privileged Functions (M)(H)28no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)23no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)134no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-6(3) Correlate Audit Record Repositories (M)(H)13no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)70no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CA-7 Continuous Monitoring (L)(M)(H)222no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-3 Configuration Change Control (M)(H)221no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-02: Potentially adverse events are analyzed to better understand associated activities45no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-03: Information is correlated from multiple sources60no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events170no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-02: The physical environment is monitored to find potentially adverse events22no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events95no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-06: External service provider activities and services are monitored to find potentially adverse events45no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events170no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-01: Improvements are identified from evaluations37no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties51no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities52no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded41no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked41no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-2(4) Account Management _ Automated Audit Actions1418no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(26) Information Flow Enforcement _ Audit Filtering Actions14no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6(9) Least Privilege _ Log Use of Privileged Functions1721no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-2 Event Logging423no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-3 Content of Audit Records31334no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories13no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis13no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-10 Non-repudiation512no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-12 Audit Record Generation44770no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-14(1) Session Audit _ System Start-up1no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CA-7 Continuous Monitoring622no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-3 Configuration Change Control81737no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SA-8(22) Security and Privacy Engineering Principles _ Accountability and Traceability1no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic29no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands9no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-4(20) System Monitoring _ Privileged Users8no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events13no data