📝 AWS Account Multi-Region CloudTrail is not enabled 🟢

• Contextual name: 📝 Multi-Region CloudTrail is not enabled 🟢
• ID: /ce/ca/aws/account/multi-region-cloudtrail
• Located in: 📁 AWS Account

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY
  • RELIABILITY

Similar Policies

• Cloud Conformity
  • CloudTrail Enabled
• Internal
  • dec-z-3f480eb5

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-z-3f480eb5	1

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 AWS Account
  • 🔌 AWS CloudTrail Trail - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).

Rationale

The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally,

• Ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected.
• Ensuring that a multi-regions trail exists will ensure that Global Service Logging is enabled for a trail by default to capture recording of events generated on AWS global services.
• For a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account.

... see more

Remediation

Open File

Remediation

Perform the following to enable global (Multi-region) CloudTrail logging:

From Console

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail.

2. Click on Trails on the left navigation pane.

3. Click Get Started Now, if presented.

• Click Add new trail.

• Enter a trail name in the Trail name box.

• A trail created in the console is a multi-region trail by default.

• Specify an S3 bucket name in the S3 bucket box.

• Specify the AWS KMS alias under the Log file SSE-KMS encryption section or create a new key.

• Click Next.

4. Ensure Management events check box is selected.
5. Ensure both Read and Write are check under API activity.
6. Click Next.
7. Review your trail settings and click Create trail.

From Command Line

Create a multi-region trail:

aws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 APRA CPG 234 → 💼 16f information security reporting and analytics;		9	11
💼 APRA CPG 234 → 💼 36j monitoring controls — for timely detection of compromises to information security;		9	11
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;		18	21
💼 APRA CPG 234 → 💼 h. audit logging and monitoring of access to information assets by all users;		7	8
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events			1
💼 CIS AWS v1.2.0 → 💼 2.1 Ensure CloudTrail is enabled in all regions		1	1
💼 CIS AWS v1.3.0 → 💼 3.1 Ensure CloudTrail is enabled in all regions		1	1
💼 CIS AWS v1.4.0 → 💼 3.1 Ensure CloudTrail is enabled in all regions		1	1
💼 CIS AWS v1.5.0 → 💼 3.1 Ensure CloudTrail is enabled in all regions - Level 1 (Automated)			1
💼 CIS AWS v2.0.0 → 💼 3.1 Ensure CloudTrail is enabled in all regions - Level 1 (Automated)			1
💼 CIS AWS v3.0.0 → 💼 3.1 Ensure CloudTrail is enabled in all regions - Level 1 (Automated)			1
💼 CIS AWS v4.0.0 → 💼 3.1 Ensure CloudTrail is enabled in all regions (Automated)			1
💼 CIS AWS v4.0.1 → 💼 3.1 Ensure CloudTrail is enabled in all regions (Automated)			1
💼 CIS AWS v5.0.0 → 💼 3.1 Ensure CloudTrail is enabled in all regions (Manual)			1
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			49
💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)		1	13
💼 FedRAMP High Security Controls → 💼 AC-2(12) Account Monitoring for Atypical Usage (M)(H)		2	2
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	47
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)		7	23
💼 FedRAMP High Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			6
💼 FedRAMP High Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		20
💼 FedRAMP High Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)	6	21	26
💼 FedRAMP High Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			6
💼 FedRAMP High Security Controls → 💼 AU-6(4) Central Review and Analysis (H)			6
💼 FedRAMP High Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)	3	9	11
💼 FedRAMP High Security Controls → 💼 AU-10 Non-repudiation (H)			5
💼 FedRAMP High Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H)		17	19
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		47
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		8
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	4		21
💼 FedRAMP High Security Controls → 💼 CM-5(1) Automated Access Enforcement and Audit Records (M)(H)		8	9
💼 FedRAMP High Security Controls → 💼 CP-9 System Backup (L)(M)(H)	5	5	6
💼 FedRAMP High Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)	14	48	51
💼 FedRAMP High Security Controls → 💼 SI-4(4) Inbound and Outbound Communications Traffic (M)(H)		7	9
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		46	48
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			47
💼 FedRAMP Low Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			6
💼 FedRAMP Low Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)			6
💼 FedRAMP Low Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)			23
💼 FedRAMP Low Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)			11
💼 FedRAMP Low Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H)			19
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			47
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	1		8
💼 FedRAMP Low Security Controls → 💼 CP-9 System Backup (L)(M)(H)			6
💼 FedRAMP Low Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)			7
💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			13
💼 FedRAMP Moderate Security Controls → 💼 AC-2(12) Account Monitoring for Atypical Usage (M)(H)			2
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			47
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)			23
💼 FedRAMP Moderate Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			6
💼 FedRAMP Moderate Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		20
💼 FedRAMP Moderate Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)	2		26
💼 FedRAMP Moderate Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			6
💼 FedRAMP Moderate Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)	1		11
💼 FedRAMP Moderate Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H)			19
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			47
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		8
💼 FedRAMP Moderate Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	2		17
💼 FedRAMP Moderate Security Controls → 💼 CM-5(1) Automated Access Enforcement and Audit Records (M)(H)			9
💼 FedRAMP Moderate Security Controls → 💼 CP-9 System Backup (L)(M)(H)	2		6
💼 FedRAMP Moderate Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)	7		9
💼 FedRAMP Moderate Security Controls → 💼 SI-4(4) Inbound and Outbound Communications Traffic (M)(H)			9
💼 GDPR → 💼 Art. 30 Records of processing activities		3	4
💼 ISO/IEC 27001:2013 → 💼 A.12.4.1 Event logging		16	18
💼 ISO/IEC 27001:2013 → 💼 A.12.4.2 Protection of log information		2	2
💼 ISO/IEC 27001:2013 → 💼 A.12.4.3 Administrator and operator logs		8	9
💼 ISO/IEC 27001:2013 → 💼 A.17.2.1 Availability of information processing facilities		1	1
💼 ISO/IEC 27001:2013 → 💼 A.18.1.3 Protection of records		2	2
💼 NIST CSF v1.1 → 💼 DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed		10	11
💼 NIST CSF v1.1 → 💼 DE.AE-2: Detected events are analyzed to understand attack targets and methods		19	22
💼 NIST CSF v1.1 → 💼 DE.AE-3: Event data are collected and correlated from multiple sources and sensors		19	22
💼 NIST CSF v1.1 → 💼 DE.AE-4: Impact of events is determined		14	14
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events		19	28
💼 NIST CSF v1.1 → 💼 DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events		21	24
💼 NIST CSF v1.1 → 💼 DE.CM-5: Unauthorized mobile code is detected		11	11
💼 NIST CSF v1.1 → 💼 DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events		7	7
💼 NIST CSF v1.1 → 💼 DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed		19	23
💼 NIST CSF v1.1 → 💼 DE.DP-2: Detection activities comply with all applicable requirements		7	7
💼 NIST CSF v1.1 → 💼 DE.DP-3: Detection processes are tested		14	14
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated		30	33
💼 NIST CSF v1.1 → 💼 DE.DP-5: Detection processes are continuously improved		14	16
💼 NIST CSF v1.1 → 💼 ID.BE-4: Dependencies and critical functions for delivery of critical services are established			4
💼 NIST CSF v1.1 → 💼 ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)		4	4
💼 NIST CSF v1.1 → 💼 ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed		2	2
💼 NIST CSF v1.1 → 💼 ID.RA-1: Asset vulnerabilities are identified and documented		14	15
💼 NIST CSF v1.1 → 💼 ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations		16	19
💼 NIST CSF v1.1 → 💼 PR.DS-4: Adequate capacity to ensure availability is maintained		1	1
💼 NIST CSF v1.1 → 💼 PR.IP-4: Backups of information are conducted, maintained, and tested		5	5
💼 NIST CSF v1.1 → 💼 PR.IP-8: Effectiveness of protection technologies is shared		7	7
💼 NIST CSF v1.1 → 💼 PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy		17	20
💼 NIST CSF v1.1 → 💼 PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations		4	4
💼 NIST CSF v1.1 → 💼 RS.AN-1: Notifications from detection systems are investigated		19	22
💼 NIST CSF v1.1 → 💼 RS.CO-2: Incidents are reported consistent with established criteria		20	23
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			26
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			26
💼 NIST CSF v2.0 → 💼 DE.AE-04: The estimated impact and scope of adverse events are understood			14
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools			33
💼 NIST CSF v2.0 → 💼 DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis			22
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			83
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events			8
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			59
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			27
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			89
💼 NIST CSF v2.0 → 💼 GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed			2
💼 NIST CSF v2.0 → 💼 GV.OC-04: Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated			4
💼 NIST CSF v2.0 → 💼 GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated			4
💼 NIST CSF v2.0 → 💼 GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship			26
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			31
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			10
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			23
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			24
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			22
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			24
💼 NIST CSF v2.0 → 💼 ID.RA-10: Critical suppliers are assessed prior to acquisition			26
💼 NIST CSF v2.0 → 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested			6
💼 NIST CSF v2.0 → 💼 PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations			5
💼 NIST CSF v2.0 → 💼 PR.IR-04: Adequate resource capacity to ensure availability is maintained			1
💼 NIST CSF v2.0 → 💼 RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging			23
💼 NIST CSF v2.0 → 💼 RS.CO-02: Internal and external stakeholders are notified of incidents			30
💼 NIST CSF v2.0 → 💼 RS.MA-02: Incident reports are triaged and validated			22
💼 NIST SP 800-53 Revision 4 → 💼 AU-11 AUDIT RECORD RETENTION	1	1	1
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions		11	13
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(26) Information Flow Enforcement _ Audit Filtering Actions			7
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions		15	16
💼 NIST SP 800-53 Revision 5 → 💼 AU-2 Event Logging	4		6
💼 NIST SP 800-53 Revision 5 → 💼 AU-3 Content of Audit Records	3	13	20
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories			6
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis			6
💼 NIST SP 800-53 Revision 5 → 💼 AU-10 Non-repudiation	5		5
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	45	47
💼 NIST SP 800-53 Revision 5 → 💼 AU-14(1) Session Audit _ System Start-up			1
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring	6		8
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control	8	15	21
💼 NIST SP 800-53 Revision 5 → 💼 SA-8(22) Security and Privacy Engineering Principles _ Accountability and Traceability			1
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			7
💼 NIST SP 800-53 Revision 5 → 💼 SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands			3
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(20) System Monitoring _ Privileged Users			3
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events			6
💼 PCI DSS v3.2.1 → 💼 10.2.3 Access to all audit trails.		1	1
💼 PCI DSS v3.2.1 → 💼 10.5 Secure audit trails so they cannot be altered.	5	2	4
💼 PCI DSS v3.2.1 → 💼 10.5.2 Protect audit trail files from unauthorized modifications.		2	4
💼 PCI DSS v4.0.1 → 💼 10.2.1.3 Audit logs capture all access to audit logs.			1
💼 PCI DSS v4.0.1 → 💼 10.3.2 Audit log files are protected to prevent modifications by individuals.			4
💼 PCI DSS v4.0 → 💼 10.2.1.3 Audit logs capture all access to audit logs.			1
💼 PCI DSS v4.0 → 💼 10.3.2 Audit log files are protected to prevent modifications by individuals.			4