Ensure that your Amazon CloudTrail trails are enabled for all the supported AWS cloud regions in order to increase the visibility of the API activity in your AWS account for security and management purposes.
This rule can help you with the following compliance standards:
- CISAWSF
- PCI
- HIPAA
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Enabling global monitoring for your existing CloudTrail trails helps you manage your AWS account better and keep your cloud infrastructure secure. Applying a CloudTrail trail to all AWS regions has several advantages: log files from every region are delivered to a single S3 bucket and a single CloudWatch Logs log group, the trail configuration for all regions is managed from one place, and API calls are recorded even in regions that are rarely used, so that unusual activity there can be detected.
Audit
To determine if your Amazon CloudTrail trails are logging events in all AWS regions, perform the following operations:
Remediation / Resolution
To enable multi-region API logging for your Amazon CloudTrail trails, perform the following operations:
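The following is an added example, not part of the Conformity rule page or the AWS CLI: it parses the JSON that `aws cloudtrail describe-trails` prints, flags every trail whose `IsMultiRegionTrail` is not true (the audit step), and builds the `aws cloudtrail update-trail --is-multi-region-trail` command for each (the remediation step). The sample output, trail names, bucket and account id are constructed placeholders.

```python
import json

# Constructed sample of `aws cloudtrail describe-trails` output (placeholders).
SAMPLE_DESCRIBE_TRAILS = """
{
  "trailList": [
    {"Name": "management-events", "S3BucketName": "example-cloudtrail-logs",
     "IsMultiRegionTrail": true, "HomeRegion": "us-east-1",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/management-events"},
    {"Name": "legacy-eu-trail", "S3BucketName": "example-cloudtrail-logs",
     "IsMultiRegionTrail": false, "HomeRegion": "eu-west-1",
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/legacy-eu-trail"}
  ]
}
"""


def find_single_region_trails(describe_trails_json):
    """Return a finding for each trail not configured as multi-region.

    Each finding carries the update-trail command that enables multi-region
    logging. update-trail has to be run in the trail's home region, so the
    command pins --region to HomeRegion rather than the caller's default.
    """
    trails = json.loads(describe_trails_json).get("trailList", [])
    findings = []
    for trail in trails:
        # A missing flag is treated as non-compliant, not as "unknown".
        if trail.get("IsMultiRegionTrail") is True:
            continue
        home = trail.get("HomeRegion", "<home-region>")
        findings.append({
            "name": trail["Name"],
            "home_region": home,
            "remediation": (
                f"aws cloudtrail update-trail --region {home} "
                f"--name {trail['Name']} --is-multi-region-trail"
            ),
        })
    return findings


if __name__ == "__main__":
    # Feed real output with: aws cloudtrail describe-trails > trails.json
    for finding in find_single_region_trails(SAMPLE_DESCRIBE_TRAILS):
        print(f"{finding['name']} ({finding['home_region']}): {finding['remediation']}")
```

Run `describe-trails` once per home region (or with `--include-shadow-trails` omitted so shadow copies are not double-counted) and pipe the output into the function to audit the whole account.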
Note: Enabling multi-region API logging for Amazon CloudTrail trails using the AWS Management Console is not currently supported.

References
- AWS Documentation:
  - AWS CloudTrail FAQs
  - CloudTrail Concepts
  - Creating, updating, and managing trails with the AWS Command Line Interface
- AWS Command Line Interface (CLI) Documentation:
  - cloudtrail
  - list-trails
  - describe-trails
  - update-trail