cloudtrail
Checks
- enable-all-regions: CloudTrail should be enabled in all regions, regardless of where your AWS resources are generally homed.
- enable-at-rest-encryption: CloudTrail should be encrypted at rest to secure access to sensitive trail data.
- enable-log-validation: CloudTrail log validation should be enabled to prevent tampering of log data.
- ensure-cloudwatch-integration: CloudTrail logs should be stored in S3 and also sent to CloudWatch Logs.
- no-public-log-access: The S3 bucket backing CloudTrail should be private.
- require-bucket-access-logging: You should enable bucket access logging on the CloudTrail S3 bucket.