
Enable AWS CloudTrail multi-region API logging

Security

Risk level: High (not acceptable risk)

Ensure that CloudTrail is enabled for all AWS regions in order to increase the visibility of the API activity in your AWS account for security and management purposes.

This rule resolution is part of the Cloud Conformity Base Auditing Package

Enabling global monitoring for your existing trails will help you to better manage your AWS account and maintain the security of your infrastructure. Applying a trail to all AWS regions has several advantages: log files from every region are received and stored in a single S3 bucket and a single CloudWatch Logs group, the trail configuration for all regions is managed from one location, and API calls are recorded even in regions you do not normally use, so that unusual activity there can be detected.

Audit

To determine if your CloudTrail trails are applied to all AWS regions, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under the Name column, select the trail name that you need to examine.

05 Under the trail name, check the Apply trail to all regions status:


If the feature status is set to No, the selected trail is not currently enabled to receive log files from all AWS regions.

Using AWS CLI

01 Run the describe-trails command (OSX/Linux/UNIX) to list all trails available in the selected AWS region:

aws cloudtrail describe-trails

02 The command output should expose each AWS CloudTrail trail and its configuration details. If the IsMultiRegionTrail configuration parameter value is false, the selected trail is not currently enabled for all AWS regions:

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyGlobalTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyGlobalTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": false,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

Remediation / Resolution

To enable multi-region logging for your CloudTrail trails, you need to perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under the Name column, select the trail name that you need to update.

05 Under the trail name, locate the Apply trail to all regions status and click the pencil icon next to the current status value.

06 Select Yes to enable the feature and click Save:


The selected trail is now replicated across all regions.

Using AWS CLI

01 Run the describe-trails command (OSX/Linux/UNIX) to list all CloudTrail trails available in the selected AWS region and their configuration details (name, ARN, bucket name, etc.):

aws cloudtrail describe-trails

02 Run the update-trail command (OSX/Linux/UNIX) with the selected trail name to update its configuration and enable multi-region logging:

aws cloudtrail update-trail \
    --name MyGlobalTrail \
    --is-multi-region-trail

03 The command output should return the new configuration details for the selected trail. Once the feature is enabled, the IsMultiRegionTrail configuration parameter value is set to true:

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyGlobalTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyGlobalTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": true,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}
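The audit and remediation steps above, automated over saved describe-trails output, as an added example that is not part of the original page or of any Cloud Conformity tooling. The JSON is a constructed sample in the shape shown above (the second trail, OrgTrail, is added for contrast); the check treats a missing IsMultiRegionTrail key as failing, and the generated update-trail call is pinned to the trail's HomeRegion, since CloudTrail only accepts update-trail from the region the trail was created in.

```python
import json
import shlex

# Constructed sample in the shape of `aws cloudtrail describe-trails` output.
# MyGlobalTrail mirrors the page's failing trail; OrgTrail is a compliant one.
SAMPLE_DESCRIBE_TRAILS = json.loads("""
{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyGlobalTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyGlobalTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": false,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        },
        {
            "Name": "OrgTrail",
            "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/OrgTrail",
            "IsMultiRegionTrail": true,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "eu-west-1"
        }
    ]
}
""")


def find_single_region_trails(describe_output):
    """Return the trails that fail the rule (IsMultiRegionTrail absent or false).

    A missing key is treated as non-compliant: the audit must never pass a
    trail it cannot prove is applied to all regions.
    """
    return [t for t in describe_output.get("trailList", [])
            if not t.get("IsMultiRegionTrail", False)]


def remediation_command(trail):
    """Build the `aws cloudtrail update-trail` argv for one failing trail.

    --region pins the call to the trail's HomeRegion, because update-trail is
    rejected when issued from any other region.
    """
    return ["aws", "cloudtrail", "update-trail",
            "--region", trail["HomeRegion"],
            "--name", trail["Name"],
            "--is-multi-region-trail"]


if __name__ == "__main__":
    for trail in find_single_region_trails(SAMPLE_DESCRIBE_TRAILS):
        print(f"HIGH: {trail['TrailARN']} is not a multi-region trail")
        print("  fix: " + shlex.join(remediation_command(trail)))
```

To run it against a real account, replace the sample with `json.load` of the saved describe-trails output and review the printed commands before executing them.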

Publication date Apr 12, 2016