CloudTrail Logging Disabled
- Query id: 5c0b06d5-b7a4-484c-aeb0-75a836269ff0
- Query name: CloudTrail Logging Disabled
- Platform: CloudFormation
- Severity: Medium
- Category: Observability
- CWE: 778
- Risk score: 5.1
- URL: Github
Description
Checks whether logging is enabled for each CloudTrail trail (`IsLogging` must be `true`).
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
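# KICS positive sample (intentionally non-compliant): both trails below set
# IsLogging: false, so CloudTrail delivers no events for them.
# S3Bucket, Topic, BucketPolicy and TopicPolicy are referenced but not
# declared in this sample excerpt.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  myTrail3:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: false  # flagged by this query
      IsMultiRegionTrail: true
  myTrail4:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      # EnableLogFileValidation is not what this query inspects; the finding
      # on this trail is IsLogging: false below.
      EnableLogFileValidation: false
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: false  # flagged by this query
      IsMultiRegionTrail: true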
Positive test num. 2 - json file
{
"Resources": {
"S3Bucket": {
"DeletionPolicy": "Retain",
"Type": "AWS::S3::Bucket",
"Properties": {}
},
"myTrail5": {
"DependsOn": [
"BucketPolicy",
"TopicPolicy"
],
"Type": "AWS::CloudTrail::Trail",
"Properties": {
"IsMultiRegionTrail": true,
"S3BucketName": {
"Ref": "S3Bucket"
},
"SnsTopicName": {
"Fn::GetAtt": [
"Topic",
"TopicName"
]
},
"IsLogging": false
}
},
"myTrail6": {
"DependsOn": [
"BucketPolicy",
"TopicPolicy"
],
"Type": "AWS::CloudTrail::Trail",
"Properties": {
"EnableLogFileValidation": false,
"S3BucketName": {
"Ref": "S3Bucket"
},
"SnsTopicName": {
"Fn::GetAtt": [
"Topic",
"TopicName"
]
},
"IsLogging": false,
"IsMultiRegionTrail": true
}
}
},
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"OperatorEmail": {
"Description": "Email address to notify when new logs are published.",
"Type": "String"
}
}
}
Positive test num. 3 - yaml file
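# KICS positive sample (intentionally non-compliant): the trail sets
# IsLogging: false. The quoted "true" on IsMultiRegionTrail shows that a
# string value is still read as enabled; it does not affect this finding.
# S3Bucket, Topic, BucketPolicy and TopicPolicy are referenced but not
# declared in this sample excerpt.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  myTrail:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      EnableLogFileValidation: false
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: false  # flagged by this query
      IsMultiRegionTrail: "true"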
Positive test num. 4 - json file
{
"Resources": {
"S3Bucket": {
"DeletionPolicy": "Retain",
"Type": "AWS::S3::Bucket",
"Properties": {}
},
"myTrail5": {
"DependsOn": [
"BucketPolicy",
"TopicPolicy"
],
"Type": "AWS::CloudTrail::Trail",
"Properties": {
"IsMultiRegionTrail": "true",
"S3BucketName": {
"Ref": "S3Bucket"
},
"SnsTopicName": {
"Fn::GetAtt": [
"Topic",
"TopicName"
]
},
"IsLogging": false
}
}
},
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"OperatorEmail": {
"Description": "Email address to notify when new logs are published.",
"Type": "String"
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
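# KICS negative sample (compliant): the trail has IsLogging: true, so the
# query raises no finding. Log file validation and multi-region delivery are
# also enabled here, although they are checked by other queries.
# S3Bucket, Topic, BucketPolicy and TopicPolicy are referenced but not
# declared in this sample excerpt.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  myTrail:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      EnableLogFileValidation: true
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: true  # compliant: logging enabled
      IsMultiRegionTrail: true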
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"OperatorEmail": {
"Type": "String",
"Description": "Email address to notify when new logs are published."
}
},
"Resources": {
"myTrail2": {
"DependsOn": [
"BucketPolicy",
"TopicPolicy"
],
"Type": "AWS::CloudTrail::Trail",
"Properties": {
"IsLogging": true,
"IsMultiRegionTrail": true,
"EnableLogFileValidation": true,
"S3BucketName": {
"Ref": "S3Bucket"
},
"SnsTopicName": {
"Fn::GetAtt": [
"Topic",
"TopicName"
]
}
}
},
"S3Bucket": {
"DeletionPolicy": "Retain",
"Type": "AWS::S3::Bucket",
"Properties": {}
}
}
}
Negative test num. 3 - yaml file
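# KICS negative sample (compliant): same trail as the previous sample, but
# with the booleans written as the quoted string "true". This sample set
# treats the string form as enabled, so no finding is raised.
# S3Bucket, Topic, BucketPolicy and TopicPolicy are referenced but not
# declared in this sample excerpt.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  myTrail:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      EnableLogFileValidation: "true"
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: "true"  # compliant: string "true" accepted as enabled
      IsMultiRegionTrail: "true"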
Negative test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"OperatorEmail": {
"Type": "String",
"Description": "Email address to notify when new logs are published."
}
},
"Resources": {
"myTrail2": {
"DependsOn": [
"BucketPolicy",
"TopicPolicy"
],
"Type": "AWS::CloudTrail::Trail",
"Properties": {
"IsLogging": "true",
"IsMultiRegionTrail": "true",
"EnableLogFileValidation": "true",
"S3BucketName": {
"Ref": "S3Bucket"
},
"SnsTopicName": {
"Fn::GetAtt": [
"Topic",
"TopicName"
]
}
}
},
"S3Bucket": {
"DeletionPolicy": "Retain",
"Type": "AWS::S3::Bucket",
"Properties": {}
}
}
}