CloudTrail SNS topic name undefined
Ce produit n'est pas pris en charge par le
site Datadog que vous avez sélectionné. (
).
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Id: 3e09413f-471e-40f3-8626-990c79ae63f3
Cloud Provider: AWS
Platform: CloudFormation
Severity: Low
Category: Observability
Learn More
Description
CloudTrail trails should be configured to publish notifications to an Amazon SNS topic so that security teams receive real-time alerts for suspicious events and automated workflows can be triggered for faster detection and response.
This rule checks AWS::CloudTrail::Trail resources to ensure the SnsTopicName property is defined and non-empty. Resources missing SnsTopicName or with SnsTopicName set to "" will be flagged. Ensure the property references a valid Amazon SNS topic that allows CloudTrail to publish.
Secure example (CloudFormation YAML):
AuditTopic:
Type: AWS::SNS::Topic
MyTrail:
Type: AWS::CloudTrail::Trail
Properties:
S3BucketName: my-audit-bucket
IsLogging: true
SnsTopicName: !Ref AuditTopic
Compliant Code Examples
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
OperatorEmail:
Description: "Email address to notify when new logs are published."
Type: String
Resources:
myTrail:
DependsOn:
- BucketPolicy
- TopicPolicy
Type: AWS::CloudTrail::Trail
Properties:
EnableLogFileValidation: true
S3BucketName:
Ref: S3Bucket
SnsTopicName:
Fn::GetAtt:
- Topic
- TopicName
IsLogging: true
IsMultiRegionTrail: true
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"OperatorEmail": {
"Type": "String",
"Description": "Email address to notify when new logs are published."
}
},
"Resources": {
"myTrail2": {
"DependsOn": [
"BucketPolicy",
"TopicPolicy"
],
"Type": "AWS::CloudTrail::Trail",
"Properties": {
"IsLogging": true,
"IsMultiRegionTrail": true,
"EnableLogFileValidation": true,
"S3BucketName": {
"Ref": "S3Bucket"
},
"SnsTopicName": {
"Fn::GetAtt": [
"Topic",
"TopicName"
]
}
}
},
"S3Bucket": {
"DeletionPolicy": "Retain",
"Type": "AWS::S3::Bucket",
"Properties": {}
}
}
}
Non-Compliant Code Examples
{
"Resources": {
"myTrail5": {
"DependsOn": [
"BucketPolicy",
"TopicPolicy"
],
"Type": "AWS::CloudTrail::Trail",
"Properties": {
"IsMultiRegionTrail": true,
"S3BucketName": {
"Ref": "S3Bucket"
},
"IsLogging": false
}
},
"myTrail6": {
"DependsOn": [
"BucketPolicy",
"TopicPolicy"
],
"Type": "AWS::CloudTrail::Trail",
"Properties": {
"EnableLogFileValidation": false,
"S3BucketName": {
"Ref": "S3Bucket"
},
"SnsTopicName": "",
"IsLogging": false,
"IsMultiRegionTrail": true
}
}
},
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"OperatorEmail": {
"Description": "Email address to notify when new logs are published.",
"Type": "String"
}
}
}
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
OperatorEmail:
Description: "Email address to notify when new logs are published."
Type: String
Resources:
myTrail3:
DependsOn:
- BucketPolicy
- TopicPolicy
Type: AWS::CloudTrail::Trail
Properties:
S3BucketName:
Ref: S3Bucket
IsLogging: false
IsMultiRegionTrail: true
myTrail4:
DependsOn:
- BucketPolicy
- TopicPolicy
Type: AWS::CloudTrail::Trail
Properties:
EnableLogFileValidation: false
S3BucketName:
Ref: S3Bucket
SnsTopicName: ""
IsLogging: false
IsMultiRegionTrail: true
