Skip to content

Cloudtrail should be enabled in all regions regardless of where your AWS resources are generally homed

Default Severity: medium

Explanation

When creating Cloudtrail in the AWS Management Console the trail is configured by default to be multi-region, this isn't the case with the Terraform resource. Cloudtrail should cover the full AWS account to ensure you can track changes in regions you are not actively operting in.

Possible Impact

Activity could be happening in your account in a different region

Suggested Resolution

Enable Cloudtrail in all regions

Insecure Example

The following example will fail the aws-cloudtrail-enable-all-regions check.

 resource "aws_cloudtrail" "bad_example" {
   event_selector {
     read_write_type           = "All"
     include_management_events = true

     data_resource {
       type = "AWS::S3::Object"
       values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
     }
   }
 }

Secure Example

The following example will pass the aws-cloudtrail-enable-all-regions check.

 resource "aws_cloudtrail" "good_example" {
   is_multi_region_trail = true

   event_selector {
     read_write_type           = "All"
     include_management_events = true

     data_resource {
       type = "AWS::S3::Object"
       values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
     }
   }
 }