Logo of Trend Micro

CloudTrail Enabled

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: CT-001

Ensure that CloudTrail is enabled for all AWS regions in order to increase the visibility of the API activity in your AWS account for security and management purposes.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Enabling global monitoring for your existing trails will help you to better manage your AWS account and maintain the security of you infrastructure. Applying your trail to all AWS regions has multiple advantages, such as receiving storing log files from all regions in a single S3 bucket and a single CloudWatch Logs group. It also enables managing trail configuration for all regions from one location and recording of API calls in regions that are not used to detect any unusual activity.

Audit

To determine if your CloudTrail trails are applied to all AWS regions, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to examine.

05 Under the trail name check for the Apply trail to all regions status:

Apply trail to all regions status set to no

If the feature status is set to No, the selected trail is not currently enabled to receive log files from all AWS regions.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list all trails available in the selected AWS region: 

aws cloudtrail describe-trails

02The command output should expose each AWS CloudTrail trail and its configuration details. If IsMultiRegionTrail config parameter value is false, the selected trail is not currently enabled for all AWS regions: 

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyGlobalTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:
                         123456789012:trail/MyGlobalTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": false,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

Remediation / Resolution

To enable multi-region logging for your CloudTrail trails, you need to perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to update.

05 Under the trail name, search for the Apply trail to all regions status and click the pencil icon next to the status current value.

06 Select Yes to enable the feature and click Save:

Select Yes to enable the feature and click Save

The selected trail is now replicated across all regions.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list all CloudTrail trails available in the selected AWS region and their configuration details (name, ARN, bucket name, etc): 

aws cloudtrail describe-trails

02 Run update-trail command (OSX/Linux/UNIX) using the selected trail name to update its configuration and enable multi-region logging: 

aws cloudtrail update-trail
	--name MyGlobalTrail
	--is-multi-region-trail

03The command output should return the new configuration details for the selected trail. Once the feature is enabled, the IsMultiRegionTrail config parameter value is set to true: 

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyCloudTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:
                         123456789012:trail/MyCloudTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": true,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

References

Publication date Apr 12, 2016

Related CloudTrail rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

CloudTrail Enabled

Risk level: High