Ensure that all your AWS CloudTrail trails are configured to log Management events in order to record important operations such as EC2 RunInstances, DescribeInstances, TerminateInstances and Console Login (basically all events that are not data events).
Management events are operations that occur when working with AWS resources and recording them is a good security practice. For example, if an IAM user within your organization terminates an EC2 instance that has a crucial role within your application stack, the instance is lost completely and the TerminateInstances event is not recorded so there is no way for the account Administrator to determine who terminated the instance by analyzing the Cloudtrail logs.
To identify any trails that are missing the capability to log Management events, perform the following actions:
To enable Management events for all CloudTrail trails available within your AWS account, perform the following: