How to Find AWS Regions Not Monitored by CloudTrail
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.
This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity high.
Prerequisites​
This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.
Directions​
-
Execute the following
search
command in Fix Inventory Shell:> search is(aws_region) with(empty, -[0:1]-> is(aws_cloud_trail) and trail_status.is_logging==true)
​kind=aws_region, ..., region=fixinventory-poweruser
​kind=aws_region, ..., account=poweruser-team -
Pipe the
search
command into thedump
command:> search is(aws_region) with(empty, -[0:1]-> is(aws_cloud_trail) and trail_status.is_logging==true) | dump
​reported:
​ id: /aws/cloudtrail/123
​ name: some-name
​ ctime: '2022-12-05T22:53:14Z'
​ kind: aws_region
​ age: 2mo28dThe command output will list the details of all non-compliant
aws_region
resources.
Remediation​
= Ensure there is one trail in every region with logging enabled. Consider using multi account / multi region trails for your organization.
Please refer to the AWS CloudTrail documentation for details.