How to Find AWS Regions Not Monitored by CloudTrail
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.
This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity high.
> search is(aws_region) with(empty, -[0:1]-> is(aws_cloud_trail) and trail_status.is_logging==true)
kind=aws_region, ..., region=resoto-poweruser
kind=aws_region, ..., account=poweruser-team
searchcommand into the
> search is(aws_region) with(empty, -[0:1]-> is(aws_cloud_trail) and trail_status.is_logging==true) | dump
The command output will list the details of all non-compliant
= Ensure there is one trail in every region with logging enabled. Consider using multi account / multi region trails for your organization.
Please refer to the AWS CloudTrail documentation for details.