🛡️ AWS Account Multi-Region CloudTrail is not enabled🟢

Contextual name: 🛡️ Multi-Region CloudTrail is not enabled🟢
ID: /ce/ca/aws/account/multi-region-cloudtrail
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY, RELIABILITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS Account
- 🔌 AWS CloudTrail Trail - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events
Cloud Conformity: CloudTrail Enabled
Internal: dec-z-3ba226c7

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-z-3ba226c7	1

Description

Open File

Description

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).

Rationale

The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally:

Ensuring that a multi-region trail exists helps detect unexpected activity in otherwise unused regions.

Ensuring that a multi-region trail exists ensures Global Service Logging is enabled by default to capture events generated by AWS global services.

For a multi-region trail, ensuring that management events are configured for both read and write operations ensures recording of management operations performed on all resources in an AWS account.

... see more

Remediation

Open File

Remediation

Perform the following to enable global (Multi-region) CloudTrail logging:

From Console

Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail.

Click on Trails on the left navigation pane.

Click Get Started Now, if presented.

Click Add new trail.

Enter a trail name in the Trail name box.

A trail created in the console is a multi-region trail by default.

Specify an S3 bucket name in the S3 bucket box.

Specify the AWS KMS alias under the Log file SSE-KMS encryption section or create a new key.

Click Next.

Ensure Management events check box is selected.

Ensure both Read and Write are check under API activity.

Click Next.

Review your trail settings and click Create trail.

From Command Line

Create a multi-region trail:
aws cloudtrail create-trail \
    --name {{trail-name}} \
    --bucket-name {{s3-bucket-name}} \
    --is-multi-region-trail
Enable multi-region on an existing trail:

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events		1	1	no data
💼 CIS AWS v1.2.0 → 💼 2.1 Ensure CloudTrail is enabled in all regions			1	no data
💼 CIS AWS v1.3.0 → 💼 3.1 Ensure CloudTrail is enabled in all regions		1	1	no data
💼 CIS AWS v1.4.0 → 💼 3.1 Ensure CloudTrail is enabled in all regions		1	1	no data
💼 CIS AWS v1.5.0 → 💼 3.1 Ensure CloudTrail is enabled in all regions - Level 1 (Automated)		1	1	no data
💼 CIS AWS v2.0.0 → 💼 3.1 Ensure CloudTrail is enabled in all regions - Level 1 (Automated)		1	1	no data
💼 CIS AWS v3.0.0 → 💼 3.1 Ensure CloudTrail is enabled in all regions - Level 1 (Automated)		1	1	no data
💼 CIS AWS v4.0.0 → 💼 3.1 Ensure CloudTrail is enabled in all regions (Automated)			1	no data
💼 CIS AWS v4.0.1 → 💼 3.1 Ensure CloudTrail is enabled in all regions (Automated)			1	no data
💼 CIS AWS v5.0.0 → 💼 3.1 Ensure CloudTrail is enabled in all regions (Manual)			1	no data
💼 CIS AWS v6.0.0 → 💼 4.1 Ensure CloudTrail is enabled in all regions (Manual)			1	no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			77	no data
💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			21	no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)		7	31	no data
💼 FedRAMP High Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			26	no data
💼 FedRAMP High Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		37	no data
💼 FedRAMP High Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			16	no data
💼 FedRAMP High Security Controls → 💼 AU-6(4) Central Review and Analysis (H)			16	no data
💼 FedRAMP High Security Controls → 💼 AU-10 Non-repudiation (H)			15	no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		73	no data
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		27	no data
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	4		41	no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		48	56	no data
💼 FedRAMP Low Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			26	no data
💼 FedRAMP Low Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)			23	no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			73	no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	1		27	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			21	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)			31	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			26	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		37	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			16	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			73	no data
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		27	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	2		24	no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			50	no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			65	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			180	no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events			27	no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			100	no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			50	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181	no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			45	no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			59	no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			60	no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			46	no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			49	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions		14	21	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(26) Information Flow Enforcement _ Audit Filtering Actions			17	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions		17	24	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-2 Event Logging	4		26	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3 Content of Audit Records	3	13	37	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories			16	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis			16	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-10 Non-repudiation	5		15	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	47	73	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-14(1) Session Audit _ System Start-up			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring	6		27	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control	8	17	41	no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-8(22) Security and Privacy Engineering Principles _ Accountability and Traceability			1	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			34	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands			12	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(20) System Monitoring _ Privileged Users			11	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events			16	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Remediation​

Remediation​

From Console​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Remediation

Remediation

From Console

From Command Line

policy.yaml

Linked Framework Sections