Vulnerabilities
Misconfiguration
Runtime Security
Compliance
AWS > Cloudtrail > Enable All Regions
MEDIUM
Source
Trivy/CSPM
CSPM ID
cloudtrail-enabled
Frameworks

CIS AWS 1.2

ID
AVD-AWS-0014
cloudformation management_console terraform

Cloudtrail should be enabled in all regions regardless of where your AWS resources are generally homed

When creating Cloudtrail in the AWS Management Console the trail is configured by default to be multi-region, this isn’t the case with the Terraform resource. Cloudtrail should cover the full AWS account to ensure you can track changes in regions you are not actively operting in.

Impact

Activity could be happening in your account in a different region

Follow the appropriate remediation steps below to resolve the issue.

Enable Cloudtrail in all regions

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  BadExample:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      IsMultiRegionTrail: true     
      S3BucketName: "CloudtrailBucket"
      S3KeyPrefix: "/trailing"
      TrailName: "Cloudtrail"
  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for “CloudTrail”.Step
  3. In the “Dashboard” panel click on “View trails” button.Step
  4. Select the “trail” that needs to be verified under “Name” column.Step
  5. Click the pencil icon to go into “Trail Settings” and verify the checkbox marked against “Apply trail to all regions “. If “No” is selected than create and manage a trail across all regions is not possible.Step
  6. Go to “Trail Settings” and click on “Yes” checkbox to enable the “Apply trail to all regions” which receive the log files containing event history for the new region without taking any action. Click on the “Save” button to make the changes. Step
  7. Scroll down and go to “Additional Configuration” settings and click on the pencil icon to make the changes.Step
  8. Click on the “Yes” checkbox corresponding to the “Include global services” and click on “Save” button to make the changes.Step
  9. CloudTrail is enabled for all regions with global service events now.

Enable Cloudtrail in all regions

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

resource "aws_cloudtrail" "good_example" {
  is_multi_region_trail = true
  
  event_selector {
    read_write_type           = "All"
    include_management_events = true
    
    data_resource {
      type = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}
Aqua SaaS Plans
The fastest track to get started with Aqua
Start Now
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2022 Aqua Security Software Ltd.   Privacy Policy | Terms of Use