CloudTrail Logging Disabled

Query id: 4bb76f17-3d63-4529-bdca-2b454529d774
Query name: CloudTrail Logging Disabled
Platform: Terraform
Severity: Medium
Category: Observability
CWE: 778
URL: Github

Description¶

Checks if logging is enabled for CloudTrail.
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - tf file

#this is a problematic code where the query should report a result(s)
resource "aws_cloudtrail" "positive1" {
  name                          = "positive"
  s3_bucket_name                = "bucketlog"
  enable_logging                = false
}

Code samples without security vulnerabilities¶

Negative test num. 1 - tf file

resource "aws_cloudtrail" "negative1" {
  name                          = "negative_1"
  s3_bucket_name                = "bucketlog"
  enable_logging                = true
}

resource "aws_cloudtrail" "negative2" {
  name                          = "negative_2"
  s3_bucket_name                = "bucketlog"
}