CloudTrail trails should have at least one enabled trail present in a region
Without an active CloudTrail trail, you have no record of who did what in your AWS account. API calls, console logins, and service events go unrecorded, making incident investigation impossible and leaving you blind to unauthorized changes. Every security incident response playbook starts with "check CloudTrail," and if the trail was never enabled, that step returns nothing.
CloudTrail is also a low-cost foundational control in AWS. One copy of management events per region is available at no additional CloudTrail charge when delivered to S3, while additional copies and data events are billed. Disabling or failing to create a trail is a gap auditors flag immediately and attackers exploit routinely.
Retrofit consideration
If trails already exist but were created outside Terraform, import them with terraform import aws_cloudtrail.example <trail_name> before managing them as code.
Implementation
Choose the approach that matches how you manage Terraform.
Use AWS provider resources directly. See docs for the resources involved: aws_cloudtrail.
resource "aws_cloudtrail" "this" {
  # This advanced selector captures S3 data events only. With advanced event
  # selectors, management events (the "who did what" record this control is
  # about) are logged only if a selector with eventCategory = "Management" is
  # also present.
  advanced_event_selector {
    field_selector {
      equals = ["Data"]
      field  = "eventCategory"
    }
    field_selector {
      equals = ["AWS::S3::Object"]
      field  = "resources.type"
    }
    name = "Log all S3 data events"
  }
  # local.cloudtrail_log_group_arn is assumed to be defined elsewhere in the module.
  cloud_watch_logs_group_arn = local.cloudtrail_log_group_arn
  cloud_watch_logs_role_arn  = "arn:aws:iam::123456789012:role/example-role"
  name                       = "pofix-abc123"
  s3_bucket_name             = "example-bucket-abc123"
  enable_logging             = true
}
What this control checks
This control validates that an aws_cloudtrail resource exists and has logging enabled. The enable_logging argument defaults to true, so simply declaring the resource is usually sufficient. Explicitly setting enable_logging = false causes a failure. The trail must also reference a valid s3_bucket_name where log files are delivered.
A multi-region trail (with is_multi_region_trail = true) provides CloudTrail coverage across regions, though some Terraform checks still evaluate per account/region context. An organization trail (with is_organization_trail = true) created in the management account can provide centralized coverage for member accounts, but member-account scoped checks may require shadow-trail visibility and evaluator support to pass consistently.
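The conditions above can be checked mechanically against `terraform show -json` output before apply. The following is an added example, not Compliance.tf's own evaluator: it walks the plan's `planned_values` tree (root and child modules), requires at least one `aws_cloudtrail`, fails on an explicit `enable_logging = false` or a missing `s3_bucket_name`, and reports a single-region trail as a warning rather than a failure, since the control itself is scoped per region. The plan JSON below is constructed to mirror the resource on this page; the finding strings and the `passes()` helper are this example's own conventions.

```python
"""Evaluate a Terraform plan (JSON form) for the CloudTrail trail-enabled control.
Added example; the plan document below is constructed, not real output."""
import json

TRAIL_TYPE = "aws_cloudtrail"


def _walk_resources(module):
    """Yield every resource in a plan module and, recursively, in its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk_resources(child)


def check_cloudtrail_plan(plan):
    """Return a list of finding strings; an empty list means the plan passes cleanly.

    FAIL findings block; WARN findings are advisory (single-region trail).
    An absent enable_logging is treated as the provider default, true.
    """
    root = plan.get("planned_values", {}).get("root_module", {})
    trails = [r for r in _walk_resources(root) if r.get("type") == TRAIL_TYPE]
    if not trails:
        return ["FAIL: no aws_cloudtrail resource is planned"]
    findings = []
    for trail in trails:
        addr = trail.get("address", "<unknown>")
        values = trail.get("values", {})
        if values.get("enable_logging", True) is False:
            findings.append(f"FAIL: {addr} sets enable_logging = false")
        if not values.get("s3_bucket_name"):
            findings.append(f"FAIL: {addr} has no s3_bucket_name")
        if not values.get("is_multi_region_trail", False):
            findings.append(f"WARN: {addr} is single-region; other regions stay unlogged")
    return findings


def passes(plan):
    """True when no FAIL finding is present (WARN findings do not block)."""
    return not any(f.startswith("FAIL") for f in check_cloudtrail_plan(plan))


# Constructed sample, shaped like `terraform show -json tfplan` output.
SAMPLE_PLAN = json.loads("""{
  "format_version": "1.2",
  "planned_values": {"root_module": {"resources": [
    {"address": "aws_cloudtrail.this", "type": "aws_cloudtrail", "name": "this",
     "values": {"name": "pofix-abc123", "s3_bucket_name": "example-bucket-abc123",
                "enable_logging": true, "is_multi_region_trail": false}}
  ]}}
}""")

# The same plan with logging explicitly disabled (the first pitfall below).
DISABLED_PLAN = json.loads(json.dumps(SAMPLE_PLAN))
DISABLED_PLAN["planned_values"]["root_module"]["resources"][0]["values"]["enable_logging"] = False

# A plan that declares no trail at all.
EMPTY_PLAN = {"format_version": "1.2", "planned_values": {"root_module": {}}}

if __name__ == "__main__":
    for label, plan in (("sample", SAMPLE_PLAN), ("disabled", DISABLED_PLAN), ("empty", EMPTY_PLAN)):
        print(label, "PASS" if passes(plan) else "FAIL", check_cloudtrail_plan(plan))
```

Run it against a real plan with `terraform show -json tfplan > plan.json` and `check_cloudtrail_plan(json.load(open("plan.json")))`; treating a single-region trail as WARN rather than FAIL is a policy choice you may want to tighten to FAIL where `MULTI_REGION_CLOUD_TRAIL_ENABLED` is also in scope.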
Common pitfalls
enable_logging set to false after initial creation
A trail resource can exist in Terraform state with enable_logging = false, meaning CloudTrail is configured but records nothing. This passes a naive "trail exists" check but fails the actual control. Always verify that enable_logging is true or omitted (it defaults to true).
S3 bucket policy missing CloudTrail permissions
If the S3 bucket referenced by s3_bucket_name does not grant s3:PutObject to the CloudTrail service principal (cloudtrail.amazonaws.com), log delivery silently fails. The trail appears enabled but no logs arrive. Use aws_s3_bucket_policy to grant the correct permissions.
Single-region trail leaves other regions uncovered
Other regions go completely unlogged if is_multi_region_trail is left at its default of false. A single trail with is_multi_region_trail = true covers all regions and satisfies this control globally without creating per-region resources.
Organization trail not visible in member accounts
An organization trail created with is_organization_trail = true in the management account logs events for all member accounts, but aws cloudtrail describe-trails run in a member account may not list it unless --include-shadow-trails is passed. Automated checks running in member accounts can report a false failure as a result.
Trail logging stopped via console or API outside Terraform
aws cloudtrail stop-logging can be called without touching Terraform config, leaving the resource in state with enable_logging = true while logging is actually stopped. Terraform catches the drift on the next plan, but between runs the gap is invisible without a runtime check like AWS Config.
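The bucket-policy pitfall is the one that fails silently, so it is worth having the required grant in a form you can both generate and verify. The block below is an added example, not Compliance.tf's or AWS's code: `cloudtrail_bucket_policy()` builds the two statements AWS documents for a CloudTrail delivery bucket (an `s3:GetBucketAcl` check on the bucket and an `s3:PutObject` grant on the `AWSLogs/<account>/` prefix with the `bucket-owner-full-control` ACL condition and an `aws:SourceArn` guard), which you would pass to `aws_s3_bucket_policy` via `jsonencode`; `check_bucket_policy()` inspects an arbitrary policy document for the `s3:PutObject` grant the pitfall describes. The bucket name, account id and trail ARN are constructed placeholders.

```python
"""Build and verify the S3 bucket policy CloudTrail needs for log delivery.
Added example; all identifiers below are constructed placeholders."""
import json

CLOUDTRAIL_PRINCIPAL = "cloudtrail.amazonaws.com"


def cloudtrail_bucket_policy(bucket, account_id, trail_arn):
    """Return the policy document (as a dict) to attach with aws_s3_bucket_policy.

    Shape follows AWS's documented CloudTrail bucket policy: the ACL check on the
    bucket plus the write grant scoped to CloudTrail's AWSLogs/<account>/ prefix.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
             "Action": "s3:GetBucketAcl",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}}},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
             "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
             "Condition": {"StringEquals": {
                 "s3:x-amz-acl": "bucket-owner-full-control",
                 "aws:SourceArn": trail_arn}}},
        ],
    }


def _as_list(value):
    """IAM allows scalars or lists for Action/Resource/Statement; normalise to list."""
    return value if isinstance(value, list) else [value]


def check_bucket_policy(policy, bucket):
    """Return findings; an empty list means CloudTrail can write objects to `bucket`."""
    findings = []
    write_grant_found = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if CLOUDTRAIL_PRINCIPAL not in services and principal != "*":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        covers_objects = any(r.startswith(f"arn:aws:s3:::{bucket}/") for r in resources)
        if any(a in ("s3:PutObject", "s3:*") for a in actions) and covers_objects:
            write_grant_found = True
            cond_keys = {k for op in stmt.get("Condition", {}).values() for k in op}
            if "aws:SourceArn" not in cond_keys:
                findings.append(f"WARN: statement {stmt.get('Sid', '?')} grants PutObject "
                                "without an aws:SourceArn condition")
    if not write_grant_found:
        findings.append(f"FAIL: no Allow of s3:PutObject for {CLOUDTRAIL_PRINCIPAL} "
                        f"on objects in {bucket}; delivery will fail silently")
    return findings


# Constructed placeholders.
BUCKET = "example-bucket-abc123"
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/pofix-abc123"
GOOD_POLICY = cloudtrail_bucket_policy(BUCKET, "123456789012", TRAIL_ARN)

# A policy that only has the ACL check: the trail looks enabled, nothing arrives.
MISSING_WRITE_POLICY = {"Version": "2012-10-17", "Statement": [GOOD_POLICY["Statement"][0]]}

if __name__ == "__main__":
    print(json.dumps(GOOD_POLICY, indent=2))  # paste into jsonencode() or a .json file
    print("good:", check_bucket_policy(GOOD_POLICY, BUCKET))
    print("missing write:", check_bucket_policy(MISSING_WRITE_POLICY, BUCKET))
```

In Terraform the output of `cloudtrail_bucket_policy()` maps directly onto `aws_s3_bucket_policy` with `policy = jsonencode(...)`; to verify a live bucket, feed `aws s3api get-bucket-policy --bucket <bucket> --query Policy --output text` (parsed as JSON) into `check_bucket_policy()`.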
Audit evidence
Auditors expect the output of aws cloudtrail describe-trails and aws cloudtrail get-trail-status --name <trail> showing IsLogging is true and the trail's S3 bucket is receiving recent log files. The AWS Config managed rule cloudtrail-enabled evaluation results work as continuous compliance evidence. Console screenshots from the CloudTrail dashboard showing trail status, last delivery time, and S3 bucket configuration are also standard.
For stronger evidence, auditors may request a sample of actual CloudTrail log entries from S3 to confirm delivery end to end, along with the S3 bucket policy showing CloudTrail has write access.
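The runtime evidence auditors ask for above, and the stop-logging drift pitfall in the previous section, are both questions about the same two API responses. The following is an added example, not Compliance.tf's own evaluator: it takes the parsed output of `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status --name <trail>` (constructed here, with `LatestDeliveryTime` as an ISO-8601 string as the CLI prints it) and reports `IsLogging` false, a delivery error, a stale or absent last delivery, and single-region scope. The `DRIFT` finding, the one-hour freshness threshold and the `expected_logging` parameter are this example's own conventions, the last standing in for what Terraform state says `enable_logging` should be.

```python
"""Evaluate live CloudTrail status as audit evidence and as a drift check.
Added example; the API responses below are constructed, not captured."""
from datetime import datetime, timedelta, timezone


def evaluate_trail(trail, status, now, max_delivery_age=timedelta(hours=1), expected_logging=True):
    """Return findings for one trail from describe-trails and get-trail-status output."""
    findings = []
    name = trail["Name"]
    if not status.get("IsLogging"):
        findings.append(f"FAIL: {name}: IsLogging is false")
        if expected_logging:
            findings.append(f"DRIFT: {name}: Terraform expects enable_logging = true but "
                            "logging is stopped (stop-logging outside Terraform?)")
    error = status.get("LatestDeliveryError")
    if error:
        findings.append(f"FAIL: {name}: LatestDeliveryError = {error}")
    latest = status.get("LatestDeliveryTime")
    if latest is None:
        findings.append(f"FAIL: {name}: no log file has ever been delivered")
    else:
        age = now - datetime.fromisoformat(latest)
        if age > max_delivery_age:
            findings.append(f"FAIL: {name}: last delivery {age} ago exceeds {max_delivery_age}")
    if not trail.get("S3BucketName"):
        findings.append(f"FAIL: {name}: no S3 bucket configured")
    if not trail.get("IsMultiRegionTrail"):
        findings.append(f"WARN: {name}: single-region trail; other regions stay unlogged")
    return findings


def evaluate_account(describe_out, statuses, now, expected_logging=True):
    """Evaluate every trail visible to describe-trails; statuses is keyed by trail name."""
    trails = describe_out.get("trailList", [])
    if not trails:
        return ["FAIL: no trail visible; in a member account re-run describe-trails with "
                "--include-shadow-trails before concluding the control fails"]
    findings = []
    for trail in trails:
        findings.extend(evaluate_trail(trail, statuses[trail["Name"]], now, expected_logging=expected_logging))
    return findings


# Constructed evaluation time and responses.
NOW = datetime(2026, 3, 9, 12, 0, tzinfo=timezone.utc)

DESCRIBE_OUT = {"trailList": [{
    "Name": "pofix-abc123",
    "S3BucketName": "example-bucket-abc123",
    "IsMultiRegionTrail": True,
    "HomeRegion": "us-east-1",
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/pofix-abc123",
    "IsOrganizationTrail": False,
}]}

HEALTHY_STATUS = {"pofix-abc123": {
    "IsLogging": True,
    "LatestDeliveryTime": "2026-03-09T11:45:00+00:00",
    "StartLoggingTime": "2026-01-15T09:00:00+00:00",
}}

# Someone ran `aws cloudtrail stop-logging` at 06:00 without touching Terraform.
DRIFTED_STATUS = {"pofix-abc123": {
    "IsLogging": False,
    "LatestDeliveryTime": "2026-03-09T06:00:00+00:00",
    "StartLoggingTime": "2026-01-15T09:00:00+00:00",
    "StopLoggingTime": "2026-03-09T06:00:00+00:00",
}}

if __name__ == "__main__":
    print("healthy:", evaluate_account(DESCRIBE_OUT, HEALTHY_STATUS, NOW))
    print("drifted:", evaluate_account(DESCRIBE_OUT, DRIFTED_STATUS, NOW))
    print("empty:", evaluate_account({"trailList": []}, {}, NOW))
```

Scheduled outside the Terraform cycle (a cron job, a Lambda, or alongside the `cloudtrail-enabled` Config rule), this closes the window between plans in which a stopped trail is otherwise invisible; the empty-list result on healthy input is the evidence you attach.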
Framework-specific interpretation
SOC 2: CC7.1 and CC7.2 say the entity uses detection and monitoring activities to identify anomalies and monitors system components for changes. An active trail is the event source those monitoring activities consume.
PCI DSS v4.0: Requirement 10 wants audit logs capturing security-relevant events, including control plane activity and user actions in cardholder data systems. CloudTrail is how you cover that for the AWS layer.
HIPAA Omnibus Rule 2013: 45 CFR 164.312(b) requires audit controls on systems that contain ePHI. CloudTrail provides the technical capability to record and examine activity on the AWS infrastructure side, covering that requirement for systems processing electronic protected health information.
NIST SP 800-53 Rev 5: AU-2, AU-3, and AU-12 call for the system to generate audit records for defined events with sufficient content. CloudTrail is the primary AWS service that fulfills this control family.
NIST Cybersecurity Framework v2.0: An active CloudTrail trail feeds directly into DE.CM and DE.AE outcomes, providing the event stream that continuous monitoring and anomaly detection depend on. Without a trail, there is nothing to analyze.
FedRAMP Moderate Baseline Rev 4: AU-2 and AU-3 require that auditable events are defined and captured across information systems. At the Moderate baseline, an enabled CloudTrail trail is how you meet the technical requirement for recording management plane events in AWS.
Related controls
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control: cloudtrail_trail_enabled
AWS Config Managed Rules: CLOUD_TRAIL_ENABLED, MULTI_REGION_CLOUD_TRAIL_ENABLED
Checkov Check: CKV_AWS_251
Powerpipe Control: aws_compliance.control.cloudtrail_trail_enabled
Prowler Checks: cloudtrail_multi_region_enabled, cloudtrail_multi_region_enabled_logging_management_events
AWS Security Hub Controls: CloudTrail.1, CloudTrail.3
Trivy Check: AWS-0014
Last reviewed: 2026-03-09