How to Find AWS Regions Not Monitored by CloudTrail

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

info

This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity high.

Prerequisites

This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.

Directions

1. Execute the following search command in Fix Inventory Shell:

   > search is(aws_region) with(empty, -[0:1]-> is(aws_cloud_trail) and trail_status.is_logging==true)
   ​kind=aws_region, ..., region=fixinventory-poweruser
   ​kind=aws_region, ..., account=poweruser-team

2. Pipe the search command into the dump command:

   > search is(aws_region) with(empty, -[0:1]-> is(aws_cloud_trail) and trail_status.is_logging==true) | dump
   ​reported:
   ​  id: /aws/cloudtrail/123
   ​  name: some-name
   ​  ctime: '2022-12-05T22:53:14Z'
   ​  kind: aws_region
   ​  age: 2mo28d

   The command output will list the details of all non-compliant aws_region resources.

Remediation

= Ensure there is one trail in every region with logging enabled. Consider using multi account / multi region trails for your organization.

note

Please refer to the AWS CloudTrail documentation for details.

Further Reading

• Search
• Command-Line Interface
• aws_region Resource Data Model

External Links

• CIS Amazon Web Services Benchmarks
• AWS Documentation