CloudTrail Multi Region Disabled

  • Query id: 8173d5eb-96b5-4aa6-a71b-ecfa153c123d
  • Query name: CloudTrail Multi Region Disabled
  • Platform: Terraform
  • Severity: Medium
  • Category: Observability
  • URL: Github

Description

CloudTrail should be configured as a multi-region trail, which means the 'is_multi_region_trail' and 'include_global_service_events' attributes of the 'aws_cloudtrail' resource should both be set to true. Note that 'is_multi_region_trail' defaults to false in the AWS provider and so must be set explicitly, while 'include_global_service_events' defaults to true, so the query reports it only when it is explicitly set to false.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

```tf
# This is problematic code where the query should report a result
resource "aws_cloudtrail" "positive1" {
  name                          = "npositive_1"
  s3_bucket_name                = "bucketlog_1"
}
```

Positive test num. 2 - tf file

```tf
resource "aws_cloudtrail" "positive2" {
  name                          = "npositive_2"
  s3_bucket_name                = "bucketlog_2"
  is_multi_region_trail         = false
}
```

Positive test num. 3 - tf file

```tf
resource "aws_cloudtrail" "positive3" {
  name                          = "npositive_3"
  s3_bucket_name                = "bucketlog_3"
  is_multi_region_trail         = true
  include_global_service_events = false
}
```

Code samples without security vulnerabilities

Negative test num. 1 - tf file

```tf
# This is correct code for which the query should not find any result
resource "aws_cloudtrail" "negative1" {
  name                          = "negative"
  s3_bucket_name                = "bucketlog"
  is_multi_region_trail         = true
}
```
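The following is an added illustration, not part of the KICS query or its test files: a small Python checker that applies the same rule the description states to the four samples above. It parses only the simple `aws_cloudtrail` blocks shown on this page (a minimal regex parser, not a full HCL parser) and applies the provider defaults assumed in the description ('is_multi_region_trail' defaults to false, 'include_global_service_events' defaults to true), so it shows why the first positive sample is flagged for an undefined attribute while the negative sample passes with only one attribute set. The sample input is constructed from the page's samples.

```python
import re
from typing import Dict, List

# Assumed provider defaults for the two attributes the query inspects
# (hashicorp/aws: is_multi_region_trail=false, include_global_service_events=true).
DEFAULTS = {
    "is_multi_region_trail": False,
    "include_global_service_events": True,
}

# Matches one resource "aws_cloudtrail" "<label>" { ... } block whose closing
# brace sits at the start of its own line, as in the samples on this page.
BLOCK_RE = re.compile(
    r'resource\s+"aws_cloudtrail"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
# Matches a single "key = value" attribute line inside a block body.
ATTR_RE = re.compile(
    r'^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>[^\n#]+)', re.MULTILINE
)

# Constructed input: the three positive and one negative sample from this page.
SAMPLE_HCL = '''
resource "aws_cloudtrail" "positive1" {
  name                          = "npositive_1"
  s3_bucket_name                = "bucketlog_1"
}
resource "aws_cloudtrail" "positive2" {
  name                          = "npositive_2"
  s3_bucket_name                = "bucketlog_2"
  is_multi_region_trail         = false
}
resource "aws_cloudtrail" "positive3" {
  name                          = "npositive_3"
  s3_bucket_name                = "bucketlog_3"
  is_multi_region_trail         = true
  include_global_service_events = false
}
resource "aws_cloudtrail" "negative1" {
  name                          = "negative"
  s3_bucket_name                = "bucketlog"
  is_multi_region_trail         = true
}
'''


def parse_value(raw: str):
    """Convert a raw HCL literal (bool or quoted string) to a Python value."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return raw


def parse_cloudtrail_resources(hcl: str) -> Dict[str, Dict[str, object]]:
    """Extract every aws_cloudtrail block as {label: {attribute: value}}."""
    resources: Dict[str, Dict[str, object]] = {}
    for block in BLOCK_RE.finditer(hcl):
        attrs = {
            a.group("key"): parse_value(a.group("value"))
            for a in ATTR_RE.finditer(block.group("body"))
        }
        resources[block.group("name")] = attrs
    return resources


def check_multi_region(attrs: Dict[str, object]) -> List[str]:
    """Return one finding per attribute whose effective value is not true."""
    findings = []
    for key in ("is_multi_region_trail", "include_global_service_events"):
        effective = attrs.get(key, DEFAULTS[key])
        if effective is True:
            continue
        if key in attrs:
            findings.append(f"{key} is set to {str(effective).lower()}")
        else:
            findings.append(
                f"{key} is undefined (provider default is {str(DEFAULTS[key]).lower()})"
            )
    return findings


def scan(hcl: str) -> Dict[str, List[str]]:
    """Map every aws_cloudtrail label in the input to its list of findings."""
    return {
        name: check_multi_region(attrs)
        for name, attrs in parse_cloudtrail_resources(hcl).items()
    }


if __name__ == "__main__":
    for label, findings in scan(SAMPLE_HCL).items():
        status = "FAIL" if findings else "PASS"
        print(f"{label}: {status} {findings}")
```

Running the script reports a finding for each of the three positive samples and none for the negative one; an undefined 'is_multi_region_trail' is reported because its default is false, whereas an undefined 'include_global_service_events' is accepted because its default is true.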