Enable CloudTrail
This check ensures that AWS CloudTrail is enabled to record API activity across your AWS account. CloudTrail provides visibility into user actions and resource changes, and supports security auditing, compliance, and incident investigation.
Check Details
- Resource: General
- Check: Enable CloudTrail
- Risk: Lack of visibility into account activity and security incidents
Remediation via AWS Console
- Sign in to the AWS Management Console and open AWS CloudTrail.
- Open Trails. If you see Get started now, click it, or click Add new trail.
- Configure trail details:
  - Trail name: Enter a name (example: organization-cloudtrail)
  - Multi-region trail: Leave enabled (recommended)
  - S3 bucket: Choose an existing bucket or create a new one
  - Log file encryption (KMS): Select an existing KMS key alias or create a new key
- Click Next.
- Enable Management events. Under API activity, ensure both Read and Write are selected.
- Click Next, review the configuration, and click Create trail.
Remediation via AWS CLI
- Log in to the AWS Management Console and click the CloudShell icon (>_) in the top-right corner.
- Create a new multi-region CloudTrail:

      aws cloudtrail create-trail \
        --name <trail-name> \
        --bucket-name <s3-bucket-for-cloudtrail> \
        --is-multi-region-trail

- Enable multi-region logging for an existing trail:

      aws cloudtrail update-trail \
        --name <trail-name> \
        --is-multi-region-trail

Ensure CloudTrail is enabled in all AWS regions and that logs are being delivered to the configured S3 bucket.
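The pass/fail logic behind this check, as an added example that is not part of the original article: it evaluates constructed JSON shaped like the output of `aws cloudtrail describe-trails`, `get-trail-status` and `get-event-selectors` (field names follow the CloudTrail API; the trail names, bucket names and values are made up) and reports why each trail falls short of the configuration described above.

```python
import json

# Constructed sample data shaped like `aws cloudtrail describe-trails`, `get-trail-status`
# and `get-event-selectors` output (API field names; trail/bucket names are made up).
DESCRIBE_TRAILS = json.loads("""{"trailList": [
  {"Name": "organization-cloudtrail", "S3BucketName": "example-cloudtrail-logs",
   "IsMultiRegionTrail": true, "HomeRegion": "us-east-1"},
  {"Name": "legacy-single-region", "S3BucketName": "example-old-logs",
   "IsMultiRegionTrail": false, "HomeRegion": "eu-west-1"}]}""")
TRAIL_STATUS = {  # a trail records nothing until logging is started, so IsLogging matters
    "organization-cloudtrail": {"IsLogging": True},
    "legacy-single-region": {"IsLogging": False},
}
EVENT_SELECTORS = {  # only basic event selectors are modelled here, not advanced selectors
    "organization-cloudtrail": {"EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    "legacy-single-region": {"EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
}

def trail_findings(trail, status, selectors):
    """Return the reasons this trail does not satisfy the check (empty = compliant)."""
    problems = []
    if not trail.get("IsMultiRegionTrail"):
        problems.append("not multi-region")
    if not trail.get("S3BucketName"):
        problems.append("no S3 delivery bucket")
    if not status.get("IsLogging"):
        problems.append("logging is stopped")
    # Management events must be recorded for both Read and Write API activity.
    records_all_mgmt = any(
        s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
        for s in selectors.get("EventSelectors", []))
    if not records_all_mgmt:
        problems.append("management events do not record both Read and Write")
    return problems

def evaluate_account(describe, statuses, selectors):
    """PASS if at least one trail is fully compliant; otherwise FAIL with per-trail reasons."""
    report = {}
    for trail in describe.get("trailList", []):
        name = trail["Name"]
        report[name] = trail_findings(trail, statuses.get(name, {}), selectors.get(name, {}))
    verdict = "PASS" if any(not p for p in report.values()) else "FAIL"
    return verdict, report

if __name__ == "__main__":
    verdict, report = evaluate_account(DESCRIBE_TRAILS, TRAIL_STATUS, EVENT_SELECTORS)
    print(verdict, report)
```

In a real account the three inputs come from the corresponding `aws cloudtrail` calls run per trail; an account with no trails at all is reported as FAIL.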
Updated on 06 March, 2026