Ensure that the log files generated by your AWS CloudTrail trails are delivered without failures to their designated recipients (the destination S3 bucket and, where configured, the SNS topic), so that CloudTrail logging data remains available for security and compliance audits.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When your Amazon CloudTrail trails cannot deliver log files to their recipients because of delivery errors or misconfigurations (usually a problem with the access policy on the destination S3 bucket or SNS topic), the logging data recorded by those trails is not saved and cannot be used for future security audits. CloudTrail reports the most recent failure in the LatestDeliveryError and LatestNotificationError fields of the trail status, so a trail can look healthy in the console while silently dropping log files.
Case A: to identify CloudTrail trails that are not able to deliver log files to the designated S3 bucket(s), perform the following actions:
Case B: to identify CloudTrail trails that are not able to send SNS notifications, perform the following actions:
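The checks for Case A and Case B both read the same CloudTrail GetTrailStatus response, so the following added example (not Cloud Conformity's own code) covers both: a non-empty LatestDeliveryError means S3 delivery is failing, a non-empty LatestNotificationError means SNS notification is failing. The SAMPLE_STATUSES dict, its trail names, account id and error codes are constructed for this example; fetch_trail_statuses() makes the live boto3 calls when the script is run with --live.

```python
"""Audit CloudTrail trails for log-delivery (Case A) and SNS-notification (Case B) failures.

Added example for this page, not Cloud Conformity's own code. Classifies the
fields returned by the CloudTrail GetTrailStatus API; fetch_trail_statuses()
pulls live data with boto3, SAMPLE_STATUSES is a constructed offline sample.
"""
from __future__ import annotations

# Constructed sample keyed by trail ARN, mirroring GetTrailStatus response fields.
# Trail names, account id and error codes are illustrative.
SAMPLE_STATUSES: dict[str, dict] = {
    "arn:aws:cloudtrail:us-east-1:111122223333:trail/healthy-trail": {
        "IsLogging": True,
        "LatestDeliveryError": "",
        "LatestNotificationError": "",
    },
    "arn:aws:cloudtrail:us-east-1:111122223333:trail/missing-bucket-trail": {
        "IsLogging": True,
        # S3 error code seen when the destination bucket no longer exists.
        "LatestDeliveryError": "NoSuchBucket",
        "LatestNotificationError": "",
    },
    "arn:aws:cloudtrail:us-east-1:111122223333:trail/bad-topic-trail": {
        "IsLogging": True,
        "LatestDeliveryError": "",
        # SNS error code seen when the topic policy does not let CloudTrail publish.
        "LatestNotificationError": "AuthorizationError",
    },
    "arn:aws:cloudtrail:eu-west-1:111122223333:trail/both-broken-trail": {
        "IsLogging": True,
        "LatestDeliveryError": "AccessDenied",
        "LatestNotificationError": "NotFound",
    },
}


def classify(status: dict) -> list[str]:
    """Return the failure cases that apply to one GetTrailStatus response.

    Both error fields are absent or empty when the last attempt succeeded;
    CloudTrail keeps the most recent error until a later attempt succeeds.
    """
    findings = []
    delivery_error = status.get("LatestDeliveryError") or ""
    notification_error = status.get("LatestNotificationError") or ""
    if delivery_error:
        findings.append(f"Case A: S3 log delivery failing ({delivery_error})")
    if notification_error:
        findings.append(f"Case B: SNS notification failing ({notification_error})")
    return findings


def find_failing_trails(statuses: dict[str, dict]) -> dict[str, list[str]]:
    """Map trail ARN -> findings, keeping only trails with at least one failure."""
    failing = {}
    for arn, status in statuses.items():
        findings = classify(status)
        if findings:
            failing[arn] = findings
    return failing


def fetch_trail_statuses(region_name: str | None = None) -> dict[str, dict]:
    """Collect GetTrailStatus for every trail in the account (live AWS calls)."""
    import boto3  # imported here so the offline sample run needs no AWS dependency

    cloudtrail = boto3.client("cloudtrail", region_name=region_name)
    trails = cloudtrail.describe_trails(includeShadowTrails=False)["trailList"]
    return {
        trail["TrailARN"]: cloudtrail.get_trail_status(Name=trail["TrailARN"])
        for trail in trails
    }


if __name__ == "__main__":
    import sys

    statuses = fetch_trail_statuses() if "--live" in sys.argv else SAMPLE_STATUSES
    for arn, findings in find_failing_trails(statuses).items():
        print(arn)
        for finding in findings:
            print("   ", finding)
```

Run it without arguments to see the classification on the constructed sample, or with --live (and AWS credentials in the environment) to audit the trails visible in the current account and region. Trail ARNs are passed to get_trail_status because, for a multi-region trail, the status must be queried from the trail's home region.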
Case A: CloudTrail trails usually fail to deliver log files when something is wrong with the destination S3 bucket: the bucket was deleted, or its bucket policy (or, for SSE-KMS encrypted trails, the KMS key policy) no longer grants cloudtrail.amazonaws.com the permissions it needs. Delivery failures are not caused by timeouts. Check the existing bucket and its policy first, since restoring the policy is often enough and keeps the already delivered log files in place. If the bucket cannot be repaired, create a new S3 bucket whose policy allows CloudTrail to write to it and update the trail configuration to reference the new bucket so that CloudTrail can again write log files to S3. To update the CloudTrail trail configuration, perform the following:
Case B: When a CloudTrail trail fails to send SNS notifications about log file delivery, it is usually because the designated SNS topic was deleted or its access policy no longer allows cloudtrail.amazonaws.com to publish to it. Check the topic and its policy first; if it cannot be repaired, create a new SNS topic whose policy grants CloudTrail SNS:Publish and update the trail configuration to point to the new topic so that notifications resume. To update the CloudTrail trail configuration, perform the following actions:
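The remediation for Case A and Case B is the same UpdateTrail call with a different destination, and each new destination needs a resource policy before CloudTrail will accept it. The following added example (not Cloud Conformity's own code) builds both policies and performs the update. Bucket, topic, account and trail names are placeholders, and FakeCloudTrailClient is a stand-in for a boto3 client so the flow can be exercised offline.

```python
"""Repoint a failing CloudTrail trail at a new S3 bucket (Case A) or SNS topic (Case B).

Added example for this page, not Cloud Conformity's own code. Builds the
resource policies CloudTrail requires on the new destination, then calls
UpdateTrail with only the destination that changes. All names are placeholders.
"""
from __future__ import annotations

import json

CLOUDTRAIL_PRINCIPAL = {"Service": "cloudtrail.amazonaws.com"}


def cloudtrail_bucket_policy(bucket: str, account_id: str, trail_arn: str,
                             key_prefix: str = "") -> dict:
    """Bucket policy letting CloudTrail read the bucket ACL and write log objects.

    CloudTrail writes under [prefix/]AWSLogs/<account>/ with the
    bucket-owner-full-control ACL; aws:SourceArn pins the grant to one trail.
    """
    prefix = f"{key_prefix.strip('/')}/" if key_prefix.strip("/") else ""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceArn": trail_arn,
                    }
                },
            },
        ],
    }


def cloudtrail_topic_policy(topic_arn: str, trail_arn: str) -> dict:
    """Topic policy letting CloudTrail publish log-delivery notifications."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailSNSPolicy",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "SNS:Publish",
                "Resource": topic_arn,
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            }
        ],
    }


def repoint_trail(client, trail_name: str, new_bucket: str | None = None,
                  new_topic: str | None = None) -> dict:
    """Call UpdateTrail changing only the destinations passed in (Case A, Case B, or both)."""
    if not new_bucket and not new_topic:
        raise ValueError("nothing to update: pass new_bucket and/or new_topic")
    params = {"Name": trail_name}
    if new_bucket:
        params["S3BucketName"] = new_bucket
    if new_topic:
        params["SnsTopicName"] = new_topic
    return client.update_trail(**params)


class FakeCloudTrailClient:
    """Stand-in for boto3.client('cloudtrail') that records UpdateTrail calls."""

    def __init__(self):
        self.calls: list[dict] = []

    def update_trail(self, **params):
        self.calls.append(dict(params))
        return {"Name": params["Name"],
                "S3BucketName": params.get("S3BucketName"),
                "SnsTopicName": params.get("SnsTopicName")}


if __name__ == "__main__":
    trail_arn = "arn:aws:cloudtrail:us-east-1:111122223333:trail/management-events"
    topic_arn = "arn:aws:sns:us-east-1:111122223333:cloudtrail-notify"
    print(json.dumps(cloudtrail_bucket_policy("new-cloudtrail-logs", "111122223333", trail_arn), indent=2))
    print(json.dumps(cloudtrail_topic_policy(topic_arn, trail_arn), indent=2))
    # With real credentials, pass boto3.client("cloudtrail") instead of the fake.
    client = FakeCloudTrailClient()
    print(repoint_trail(client, "management-events", new_bucket="new-cloudtrail-logs"))
```

Apply the bucket policy (and, for Case B, the topic policy) before calling UpdateTrail: the API validates the destination and rejects the change with InsufficientS3BucketPolicyException or InsufficientSnsTopicPolicyException when CloudTrail is not granted access. The aws:SourceArn condition is optional but stops other trails, including trails in other accounts, from writing into the bucket or publishing to the topic.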