Ensure that the log files generated by your AWS CloudTrail trails are delivered without any failures to designated recipients in order to keep CloudTrail logging data for security and compliance audits.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When your Amazon CloudTrail trails are not able to deliver log files to their recipients due to delivery errors or misconfigurations (usually involving the access policies that you have in place), the logging data recorded by these trails cannot be saved and used for future security audits.
Audit
Case A: to identify CloudTrail trails that are not able to deliver log files to the designated S3 bucket(s), perform the following actions:
Case B: to identify CloudTrail trails that are not able to send SNS notifications, perform the following actions:
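Both audit cases come down to reading the trail status that the GetTrailStatus API (the `get-trail-status` CLI command listed in the references) returns: a value in `LatestDeliveryError` means log files are not reaching the S3 bucket (Case A), and a value in `LatestNotificationError` means SNS notifications are failing (Case B). The following script is an added example, not Conformity's tooling or an AWS sample; the trail names and status documents in it are constructed, and it can also be fed the real JSON output of `aws cloudtrail get-trail-status` on standard input.

```python
"""Classify AWS CloudTrail GetTrailStatus output into the two audit cases.

Added example (not part of the Conformity rule). It consumes JSON in the
shape that `aws cloudtrail get-trail-status --name <trail>` returns and
reports:
  Case A - log files are not reaching the S3 bucket (LatestDeliveryError)
  Case B - SNS notifications are failing     (LatestNotificationError)
The trail names and status documents below are constructed samples.
"""
import json
import sys

# Constructed sample responses, shaped like GetTrailStatus output.
SAMPLE_STATUSES = {
    "healthy-trail": {
        "IsLogging": True,
        "LatestDeliveryTime": "2024-01-01T00:00:00Z",
        "LatestNotificationTime": "2024-01-01T00:00:00Z",
    },
    "bucket-denied-trail": {  # Case A: S3 rejected the last PutObject
        "IsLogging": True,
        "LatestDeliveryError": "AccessDenied",
        "LatestDeliveryAttemptTime": "2024-01-01T00:05:00Z",
    },
    "topic-gone-trail": {  # Case B: the SNS topic could not be found
        "IsLogging": True,
        "LatestNotificationError": "NotFound",
    },
    "stopped-trail": {  # not a delivery error, but nothing is being recorded
        "IsLogging": False,
    },
}


def classify_trail_status(status):
    """Return a list of (case, detail) findings for one GetTrailStatus document.

    An empty list means the trail is logging and the most recent delivery
    and notification attempts recorded no error.
    """
    findings = []
    if not status.get("IsLogging", False):
        findings.append(("LoggingStopped", "trail is not currently logging"))
    s3_error = status.get("LatestDeliveryError")
    if s3_error:
        findings.append(("CaseA", f"S3 delivery failing: {s3_error}"))
    sns_error = status.get("LatestNotificationError")
    if sns_error:
        findings.append(("CaseB", f"SNS notification failing: {sns_error}"))
    return findings


def audit_trails(statuses):
    """Map trail name -> findings, keeping only trails that have a finding."""
    report = {}
    for name, status in statuses.items():
        findings = classify_trail_status(status)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    # Usage: aws cloudtrail get-trail-status --name my-trail | python audit.py my-trail
    # Without piped input, the constructed samples above are audited instead.
    if len(sys.argv) > 1 and not sys.stdin.isatty():
        statuses = {sys.argv[1]: json.load(sys.stdin)}
    else:
        statuses = SAMPLE_STATUSES
    for trail, findings in audit_trails(statuses).items():
        for case, detail in findings:
            print(f"{trail}: [{case}] {detail}")
```

To cover every trail in an account, loop over the names returned by `aws cloudtrail describe-trails` and pipe each status through the script; a trail that appears under Case A or Case B is the one to remediate below.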
Remediation / Resolution
Case A: Usually, a CloudTrail trail fails to deliver its log files because of a problem with the destination S3 bucket, not because of timeouts. To remediate the issue, create a new S3 bucket and update the trail configuration to reference the new bucket so that CloudTrail can again write log files to S3. To update the trail configuration, perform the following actions:
Case B: When a CloudTrail trail fails to send SNS notifications for published log files, it is usually because there is a problem with the designated SNS topic. To resolve the issue, create a new SNS topic and update the trail configuration to point to the new topic so that CloudTrail can send notifications again. To update the trail configuration, perform the following actions:
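Whether you point the trail at a new bucket (Case A above) or repair the existing one, the bucket policy is the usual cause of the "problem with the destination S3 bucket" that the rule describes. The checker below is an added example, not part of the Conformity rule or of AWS tooling; it verifies the two grants that AWS documents for a CloudTrail destination bucket, `s3:GetBucketAcl` on the bucket and `s3:PutObject` on `AWSLogs/<account-id>/*`, both for the `cloudtrail.amazonaws.com` service principal. The bucket name, account id and policy documents are constructed.

```python
"""Check whether an S3 bucket policy grants CloudTrail the permissions it needs.

Added example, not part of the Conformity rule. It looks for the two grants
AWS documents for a CloudTrail destination bucket:
  1. s3:GetBucketAcl on arn:aws:s3:::<bucket>      for cloudtrail.amazonaws.com
  2. s3:PutObject    on arn:aws:s3:::<bucket>/AWSLogs/<account-id>/*  (same principal)
If either is missing, log file delivery fails (Case A). Only explicit grants
to the CloudTrail service principal are recognised; Principal "*" or
Action "s3:*" grants are deliberately not counted as satisfying the check.
The bucket name, account id and policy documents below are constructed.
"""
import fnmatch
import json

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"

BUCKET = "example-trail-logs"   # constructed bucket name
ACCOUNT_ID = "111111111111"     # constructed placeholder account id


def _as_list(value):
    """IAM accepts a scalar or a list for Action/Resource/Service; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_grants(stmt, action, required_resource):
    """True if this Allow statement lets the CloudTrail service perform `action`
    on `required_resource`. IAM resource wildcards (* and ?) are honoured via
    fnmatch, so a broader grant such as arn:aws:s3:::<bucket>/* also counts."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    if CLOUDTRAIL_SERVICE not in services:
        return False
    if action not in _as_list(stmt.get("Action")):
        return False
    return any(fnmatch.fnmatchcase(required_resource, pattern)
               for pattern in _as_list(stmt.get("Resource")))


def check_cloudtrail_bucket_policy(policy, bucket, account_id):
    """Return the required grants the policy does not provide (empty = OK)."""
    required = [
        ("s3:GetBucketAcl", f"arn:aws:s3:::{bucket}"),
        ("s3:PutObject", f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*"),
    ]
    statements = _as_list(policy.get("Statement"))
    missing = []
    for action, resource in required:
        if not any(_statement_grants(s, action, resource) for s in statements):
            missing.append(f"{action} on {resource}")
    return missing


# Constructed policy in the form AWS documents for a CloudTrail bucket.
GOOD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl",
     "Resource": "arn:aws:s3:::example-trail-logs"},
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-trail-logs/AWSLogs/111111111111/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}
  ]
}
""")

# Constructed policy whose PutObject grant names the wrong key prefix, so
# CloudTrail's writes under AWSLogs/<account-id>/ are refused.
BROKEN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl",
     "Resource": "arn:aws:s3:::example-trail-logs"},
    {"Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-trail-logs/logs/*"}
  ]
}
""")

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("broken", BROKEN_POLICY)):
        print(label, check_cloudtrail_bucket_policy(policy, BUCKET, ACCOUNT_ID) or "OK")
```

Feed it the output of `aws s3api get-bucket-policy` (the `Policy` field is a JSON string, so parse it with `json.loads` first) for the bucket named in the trail's `S3BucketName`; any line it prints under "missing" is a grant to add before expecting `LatestDeliveryError` to clear.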
References
- AWS Documentation
  - AWS CloudTrail FAQs
  - GetTrailStatus
  - Error Responses
  - Getting and Viewing Your CloudTrail Log Files
  - Configuring Amazon SNS Notifications for CloudTrail
  - Configuring CloudTrail to Send Notifications
  - Updating a Trail
- AWS Command Line Interface (CLI) Documentation
  - cloudtrail
    - describe-trails
    - get-trail-status
    - update-subscription
  - sns
    - subscribe
    - confirm-subscription
CloudTrail Delivery Failing
Risk level: Medium