Vulnerabilities
Misconfiguration
Runtime Security
Compliance
AWS > Cloudtrail >

Enable All Regions

MEDIUM
Source
Trivy/CSPM
CSPM ID
cloudtrail-enabled
Frameworks

CIS AWS 1.2

ID
AVD-AWS-0014
cloudformation management_console terraform

Cloudtrail should be enabled in all regions regardless of where your AWS resources are generally homed

Activity could be happening in your account in a different region. When creating Cloudtrail in the AWS Management Console the trail is configured by default to be multi-region, this isn’t the case with the Terraform resource. Cloudtrail should cover the full AWS account to ensure you can track changes in regions you are not actively operting in.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Enable Cloudtrail in all regions

1
2
3
4
5
6
7
8
9

Resources:
  GoodExample:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      IsMultiRegionTrail: true
      S3BucketName: CloudtrailBucket
      S3KeyPrefix: /trailing
      TrailName: Cloudtrail

  1. Log into the AWS Management Console.

  2. Select the “Services” option and search for “CloudTrail”.Step

  3. In the “Dashboard” panel click on “View trails” button.Step

  4. Select the “trail” that needs to be verified under “Name” column.Step

  5. Click the pencil icon to go into “Trail Settings” and verify the checkbox marked against “Apply trail to all regions “. If “No” is selected than create and manage a trail across all regions is not possible.Step

  6. Go to “Trail Settings” and click on “Yes” checkbox to enable the “Apply trail to all regions” which receive the log files containing event history for the new region without taking any action. Click on the “Save” button to make the changes. Step

  7. Scroll down and go to “Additional Configuration” settings and click on the pencil icon to make the changes.Step

  8. Click on the “Yes” checkbox corresponding to the “Include global services” and click on “Save” button to make the changes.Step

  9. CloudTrail is enabled for all regions with global service events now.

Enable Cloudtrail in all regions

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

resource "aws_cloudtrail" "good_example" {
  is_multi_region_trail = true

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use