CloudTrail trail logs management events for read and write operations
cloudtrail_multi_region_enabled_logging_management_events
CloudTrail trails record management events (read and write) in every AWS region and are actively logging, using a multi-region trail or per-region coverage.
Risk
Without region-wide management event logging, changes to identities, networking, and audit settings can go untracked.
Adversaries can operate in overlooked regions to create resources, modify permissions, or disable logging, undermining integrity, confidentiality, and incident response.
prowler aws --checks cloudtrail_multi_region_enabled_logging_management_events
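To make the rule concrete, the following is an added example (not Prowler's own code) that re-implements the check's logic offline over inputs shaped like the CloudTrail API responses DescribeTrails, GetTrailStatus and GetEventSelectors. The trail names, ARNs, the account ID 111111111111 and the region list are constructed sample data, and the exact order in which Prowler evaluates coverage, logging state and event selectors is an assumption; the rule itself (a region passes only if a trail covering it is actively logging and records management events for both read and write) is the one this page describes.

```python
"""Offline evaluation of the rule behind
cloudtrail_multi_region_enabled_logging_management_events (added example, not Prowler code)."""


def trail_covers_region(trail: dict, region: str) -> bool:
    """A multi-region trail covers every region; a single-region trail only its home region."""
    return bool(trail.get("IsMultiRegionTrail", False) or trail.get("HomeRegion") == region)


def selectors_log_all_management_events(selectors: dict) -> bool:
    """True if a classic or advanced event selector records management events for read AND write."""
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All":
            return True
    for adv in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in adv.get("FieldSelectors", [])}
        categories = fields.get("eventCategory", {}).get("Equals", [])
        # A readOnly field narrows the selector to read-only or write-only events;
        # its absence means both kinds are recorded.
        if "Management" in categories and "readOnly" not in fields:
            return True
    return False


def evaluate_regions(regions, trails, statuses, selectors):
    """Return {region: (passed, reason)}.

    statuses and selectors are keyed by TrailARN, mirroring one GetTrailStatus and
    one GetEventSelectors call per trail. A region passes when at least one trail
    covering it is logging and records all management events.
    """
    results = {}
    for region in regions:
        covering = [t for t in trails if trail_covers_region(t, region)]
        if not covering:
            results[region] = (False, "no trail covers this region")
            continue
        passed, reasons = False, []
        for t in covering:
            arn = t["TrailARN"]
            if not statuses.get(arn, {}).get("IsLogging"):
                reasons.append(f"{t['Name']}: logging is off")
            elif not selectors_log_all_management_events(selectors.get(arn, {})):
                reasons.append(f"{t['Name']}: management events not set to read and write")
            else:
                passed, reasons = True, [f"{t['Name']}: logging all management events"]
                break
        results[region] = (passed, "; ".join(reasons))
    return results


# Constructed sample data (account ID and names are placeholders, not real resources).
ACCOUNT = "111111111111"
REGIONS = ["us-east-1", "eu-west-1"]
TRAILS = [
    {"Name": "east-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False,
     "TrailARN": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/east-trail"},
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "TrailARN": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/org-trail"},
]
STATUSES = {TRAILS[0]["TrailARN"]: {"IsLogging": True}, TRAILS[1]["TrailARN"]: {"IsLogging": True}}
SELECTORS = {
    TRAILS[0]["TrailARN"]: {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    # The multi-region trail only records writes, so reads in other regions go untracked.
    TRAILS[1]["TrailARN"]: {"EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
}

if __name__ == "__main__":
    for region, (ok, why) in evaluate_regions(REGIONS, TRAILS, STATUSES, SELECTORS).items():
        print(f"{region}: {'PASS' if ok else 'FAIL'} ({why})")
```

In the sample, us-east-1 passes because the single-region trail there records all management events, while eu-west-1 fails: the only trail covering it is multi-region and logging, but its selector is WriteOnly, so read-only management activity in that region would never be recorded.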
Recommendation
Enable a multi-region CloudTrail that logs management events for read and write in all regions.
Centralize logs in a separate, locked-down account; apply least privilege, encryption, retention, and integrity validation; and protect trails and storage with tamper-evident, deny-delete controls for defense-in-depth.
Remediation
- In the AWS Console, go to CloudTrail > Trails and select your trail
- Click Edit
- Set Apply trail to all regions to Yes
- Under Management events, set Read/write events to All
- Click Save changes
- If Logging is Off, click Start logging
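The console steps above map onto three CloudTrail API calls. The following added example (not Prowler's or AWS's code) applies only the changes a trail actually needs, in the same order as the steps: enable multi-region, set management events to read and write, then start logging. It is written against the boto3 cloudtrail client method names update_trail, put_event_selectors and start_logging; the RecordingClient is a constructed stand-in that records calls so the example runs offline, and in production you would pass boto3.client("cloudtrail") instead (that substitution is an assumption not shown on the page).

```python
"""Idempotent remediation for a CloudTrail trail (added example, not Prowler code)."""

# Classic event selector matching "Read/write events: All" in the console.
ALL_MANAGEMENT_EVENTS = [{"ReadWriteType": "All", "IncludeManagementEvents": True}]


def remediate_trail(client, trail: dict, status: dict, selectors: dict) -> list:
    """Bring one trail into compliance; return the list of API actions taken.

    trail, status and selectors are shaped like DescribeTrails, GetTrailStatus and
    GetEventSelectors responses; client must expose the boto3 cloudtrail methods
    update_trail, put_event_selectors and start_logging.
    """
    name = trail["Name"]
    actions = []

    # Step: "Apply trail to all regions: Yes"
    if not trail.get("IsMultiRegionTrail"):
        client.update_trail(Name=name, IsMultiRegionTrail=True)
        actions.append("update_trail")

    # Step: "Management events, Read/write events: All"
    has_all = any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
                  for s in selectors.get("EventSelectors", []))
    if not has_all:
        client.put_event_selectors(TrailName=name, EventSelectors=ALL_MANAGEMENT_EVENTS)
        actions.append("put_event_selectors")

    # Step: "If Logging is Off, click Start logging"
    if not status.get("IsLogging"):
        client.start_logging(Name=name)
        actions.append("start_logging")

    return actions


class RecordingClient:
    """Constructed stand-in for boto3.client("cloudtrail"): records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def update_trail(self, **kwargs):
        self.calls.append(("update_trail", kwargs))
        return {}

    def put_event_selectors(self, **kwargs):
        self.calls.append(("put_event_selectors", kwargs))
        return {}

    def start_logging(self, **kwargs):
        self.calls.append(("start_logging", kwargs))
        return {}


if __name__ == "__main__":
    # Constructed sample: a single-region trail that only logs writes and is switched off.
    client = RecordingClient()
    taken = remediate_trail(
        client,
        {"Name": "org-trail", "IsMultiRegionTrail": False},
        {"IsLogging": False},
        {"EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
    )
    for action, kwargs in client.calls:
        print(action, kwargs)
    print("actions taken:", taken)
```

Because each change is conditional, re-running the function against an already compliant trail makes no API calls, which keeps the remediation safe to schedule alongside the check.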
Resource Type
AwsCloudTrailTrail