CloudTrail enabled
Check ID: aws-ct-001
AWS-CT-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether CloudTrail is enabled with multi-region logging, and flags both accounts with no trail at all and accounts whose only trails are single-region.
Why it matters
CloudTrail is the audit log for your AWS account: it records every API call, who made it, from which IP, and when. A single-region trail only captures activity in its own region, so an attacker who creates resources in ap-southeast-1 while you monitor us-east-1 leaves no trace you will ever see. The Event history view in the console is not a substitute: it is per region, covers only the last 90 days of management events, and offers no integrity validation. Mandiant reports that 89% of cloud incident investigations rely on CloudTrail as the primary evidence source. Without a trail, reconstructing an attacker's actions after the fact is largely guesswork. CIS AWS Foundations Benchmark control 3.1 requires a multi-region trail as the very first logging control. The first copy of management events delivered to a trail is free, so a single multi-region trail costs only the S3 storage for its logs, which is negligible compared to the visibility it provides.
Common causes
CloudTrail goes unconfigured because teams assume AWS logs API activity by default, not realizing that the console's Event history is a short-lived, per-region view and that a trail must be created explicitly for durable logging. Member accounts in AWS Organizations only inherit a trail from the management account if it was created as an organization trail; a regular trail in the management account covers nothing but that account. Development and sandbox accounts are often excluded from centralized logging to reduce costs, creating visibility blind spots.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
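The evaluation behind this check, written out as an added example in Python. This is not cloud-audit's own source; the function names, the warning conditions (log file validation, S3 delivery errors) and the sample trails with a fictional account ID are all this example's own. The logic is pure so it runs offline against the constructed sample; the optional live_trails() helper fetches the same response shapes with boto3 when it is installed and credentials are available.

```python
"""Evaluate CloudTrail coverage as aws-ct-001 defines it.

Added example, not cloud-audit's own source. evaluate() is pure so it
can run offline against the constructed sample below; live_trails()
fetches the same response shapes from a real account with boto3.
"""
from typing import Dict, List, Tuple

try:
    import boto3  # optional; only live_trails() needs it
except ImportError:
    boto3 = None

Trail = Dict[str, object]
Status = Dict[str, object]


def evaluate(trails: List[Trail], statuses: Dict[str, Status]) -> Tuple[str, str, List[str]]:
    """Return (result, reason, warnings).

    trails   : DescribeTrails()['trailList']
    statuses : {TrailARN: GetTrailStatus() response}
    result   : 'PASS' or 'FAIL' with the check's semantics: PASS needs at
               least one multi-region trail that is actually logging.
    """
    if not trails:
        return "FAIL", "no CloudTrail trail exists in this account", []

    multi = [t for t in trails if t.get("IsMultiRegionTrail")]
    if not multi:
        names = ", ".join(str(t["Name"]) for t in trails)
        return "FAIL", f"only single-region trails exist ({names})", []

    logging = [t for t in multi if statuses.get(str(t["TrailARN"]), {}).get("IsLogging")]
    if not logging:
        return "FAIL", "multi-region trail exists but logging is stopped", []

    # The check passes; surface conditions that weaken the trail as warnings.
    warnings: List[str] = []
    for t in logging:
        name = str(t["Name"])
        st = statuses[str(t["TrailARN"])]
        if not t.get("LogFileValidationEnabled"):
            warnings.append(f"{name}: log file validation disabled")
        # IsLogging stays true even when S3 delivery fails (e.g. a broken
        # bucket policy); LatestDeliveryError is the signal that no events land.
        if st.get("LatestDeliveryError"):
            warnings.append(f"{name}: S3 delivery failing ({st['LatestDeliveryError']})")
    names = ", ".join(str(t["Name"]) for t in logging)
    return "PASS", f"multi-region trail(s) logging: {names}", warnings


def live_trails(region: str = "us-east-1") -> Tuple[List[Trail], Dict[str, Status]]:
    """Fetch evaluate()'s inputs from a real account (needs boto3 and credentials).

    includeShadowTrails=True makes organization trails and multi-region trails
    homed in another region visible; a plain call from one region misses them.
    """
    if boto3 is None:
        raise RuntimeError("boto3 is not installed")
    ct = boto3.client("cloudtrail", region_name=region)
    trails = ct.describe_trails(includeShadowTrails=True)["trailList"]
    statuses = {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    return trails, statuses


# Constructed sample (fictional account 123456789012): a single-region trail
# that is logging, plus a multi-region trail that was created but never
# started, the classic create-trail-without-start-logging mistake.
ARN_SINGLE = "arn:aws:cloudtrail:us-east-1:123456789012:trail/us-east-1-only"
ARN_MULTI = "arn:aws:cloudtrail:us-east-1:123456789012:trail/main-trail"
SAMPLE_TRAILS: List[Trail] = [
    {"Name": "us-east-1-only", "TrailARN": ARN_SINGLE, "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
    {"Name": "main-trail", "TrailARN": ARN_MULTI, "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
]
SAMPLE_STATUS: Dict[str, Status] = {
    ARN_SINGLE: {"IsLogging": True, "LatestDeliveryError": ""},
    ARN_MULTI: {"IsLogging": False, "LatestDeliveryError": ""},
}

if __name__ == "__main__":
    result, reason, warns = evaluate(SAMPLE_TRAILS, SAMPLE_STATUS)
    print(result, "-", reason)
    for w in warns:
        print("  warning:", w)
```

Against the sample the result is FAIL with the reason "multi-region trail exists but logging is stopped", which is the case a pure DescribeTrails check would miss: the trail looks fine until GetTrailStatus is consulted. For a live run, replace the sample with `evaluate(*live_trails())`.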
Remediation: AWS CLI
aws cloudtrail create-trail --name main-trail --s3-bucket-name YOUR-AUDIT-BUCKET --is-multi-region-trail --enable-log-file-validation
aws cloudtrail start-logging --name main-trail
create-trail fails unless YOUR-AUDIT-BUCKET already carries a bucket policy granting cloudtrail.amazonaws.com s3:GetBucketAcl on the bucket and s3:PutObject on the log prefix, and it creates the trail in a stopped state, so the start-logging call is not optional. Afterwards the trail status (get-trail-status) should report IsLogging true with an empty LatestDeliveryError; a non-empty delivery error means the trail is on but no events are reaching S3.
Remediation: Terraform
resource "aws_cloudtrail" "main" {
  name                          = "main-trail"
  s3_bucket_name                = aws_s3_bucket.audit.id
  is_multi_region_trail         = true
  enable_log_file_validation    = true
  include_global_service_events = true

  # CloudTrail validates bucket access when the trail is created, so the
  # bucket policy granting cloudtrail.amazonaws.com s3:GetBucketAcl and
  # s3:PutObject must be applied first (resource name assumed here).
  depends_on = [aws_s3_bucket_policy.audit]
}
Compliance mapping
This check maps to control 3.1, "Ensure CloudTrail is enabled in all regions", in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit
Related article
AWS Security Audit: 17 Issues in Every Account →