CloudTrail multi region disabled
ID | aws_cloudtrail_multi_region
Severity | low
Vendor | AWS
Resource | Logging
Tags | non-reachable
Description
CloudTrail multi-region logging is disabled for this trail. Enabling multi-region logging makes CloudTrail record API activity across all AWS regions in the account, which helps you manage the account and maintain the security of a global infrastructure.
To fix it, set is_multi_region_trail to true; the default is false.
Learn more about this topic at AWS CloudTrail.
Examples
```yaml
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create
      amazon.aws.cloudtrail:
        state: present
        name: default
        s3_bucket_name: mylogbucket
        region: us-east-1
        # is_multi_region_trail is omitted, so the module default (false) applies
        enable_log_file_validation: true
        cloudwatch_logs_role_arn: "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role"
        cloudwatch_logs_log_group_arn: "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*"
        kms_key_id: "alias/MyAliasName"
        tags:
          environment: dev
          Name: default
```
Mitigation / Fix
```yaml
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create
      amazon.aws.cloudtrail:
        state: present
        name: default
        s3_bucket_name: mylogbucket
        region: us-east-1
        is_multi_region_trail: true
        enable_log_file_validation: true
        cloudwatch_logs_role_arn: "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role"
        cloudwatch_logs_log_group_arn: "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*"
        kms_key_id: "alias/MyAliasName"
        tags:
          environment: dev
          Name: default
```
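The rule above, implemented as a standalone check over a loaded playbook (an added example, not the scanner's own rule code). It assumes the playbook has already been parsed into Python lists and dicts (as PyYAML's safe_load returns), that the CloudTrail module may appear under its collection or legacy names, and that only tasks with state present (the default) can violate the rule.

```python
"""Flag CloudTrail tasks that create a trail without is_multi_region_trail: true."""

# Names under which the CloudTrail module may appear in a task (assumed list).
CLOUDTRAIL_MODULES = ("amazon.aws.cloudtrail", "community.aws.cloudtrail", "cloudtrail")


def is_true(value):
    """Ansible accepts YAML booleans and strings such as 'yes' for boolean params."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() in {"true", "yes", "on", "1"}


def iter_tasks(tasks):
    """Yield leaf tasks, descending into block/rescue/always sections."""
    for task in tasks or []:
        if any(key in task for key in ("block", "rescue", "always")):
            for key in ("block", "rescue", "always"):
                yield from iter_tasks(task.get(key))
        else:
            yield task


def find_single_region_trails(playbook):
    """Return (play, task, trail) for each CloudTrail task lacking multi-region logging."""
    findings = []
    for play in playbook:
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            for task in iter_tasks(play.get(section)):
                module = next((m for m in CLOUDTRAIL_MODULES if m in task), None)
                if module is None:
                    continue
                args = task.get(module) or {}
                # Deleting a trail (state: absent) cannot violate the rule.
                if args.get("state", "present") != "present":
                    continue
                if not is_true(args.get("is_multi_region_trail", False)):
                    findings.append((play.get("name"), task.get("name"), args.get("name")))
    return findings


# Constructed input: the page's two examples as PyYAML would load them (extra
# arguments trimmed); the first omits is_multi_region_trail, the second sets it.
SAMPLE_PLAYBOOK = [
    {"name": "Example playbook", "hosts": "localhost", "tasks": [
        {"name": "create", "amazon.aws.cloudtrail": {
            "state": "present", "name": "default", "s3_bucket_name": "mylogbucket",
            "region": "us-east-1", "enable_log_file_validation": True}}]},
    {"name": "Fixed playbook", "hosts": "localhost", "tasks": [
        {"name": "create", "amazon.aws.cloudtrail": {
            "state": "present", "name": "default", "s3_bucket_name": "mylogbucket",
            "region": "us-east-1", "is_multi_region_trail": True}}]},
]
```

Running `find_single_region_trails(SAMPLE_PLAYBOOK)` reports only the first play's task, since the second sets `is_multi_region_trail: true`.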