CloudTrail logging disabled

Documentos > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > CloudTrail logging disabled

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Metadata

Id: d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Observability

Learn More

Provider Reference

Description

CloudTrail logging must be enabled to record AWS API activity for detection, auditing, and forensic investigations, and to meet compliance requirements. Disabling logging can allow malicious or accidental changes to go undetected.

In Ansible, tasks using the amazon.aws.cloudtrail or cloudtrail modules must have the enable_logging property set to true. This rule flags tasks where enable_logging is explicitly set to false. Ensure the property is present and set to true to enable delivery of management events and logs. Example secure Ansible task:

- name: Ensure CloudTrail logging is enabled
  amazon.aws.cloudtrail:
    name: my-trail
    s3_bucket_name: my-cloudtrail-bucket
    enable_logging: true

Compliant Code Examples

- name: example
  amazon.aws.cloudtrail:
    state: present
    name: default
    enable_logging: true

Non-Compliant Code Examples

- name: example
  amazon.aws.cloudtrail:
    state: present
    name: default
    enable_logging: false