CloudTrail logging disabled
Id: d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5
Cloud Provider: AWS
Platform: Ansible
Severity: Medium
Category: Observability
Description
CloudTrail logging must be enabled to record AWS API activity for detection, auditing, and forensic investigations, and to meet compliance requirements. Disabling logging can allow malicious or accidental changes to go undetected.
In Ansible, tasks using the amazon.aws.cloudtrail or cloudtrail modules must have the enable_logging property set to true. This rule flags tasks where enable_logging is explicitly set to false. Ensure the property is present and set to true to enable delivery of management events and logs. Example secure Ansible task:
- name: Ensure CloudTrail logging is enabled
  amazon.aws.cloudtrail:
    name: my-trail
    s3_bucket_name: my-cloudtrail-bucket
    enable_logging: true
Compliant Code Examples
- name: example
  amazon.aws.cloudtrail:
    state: present
    name: default
    enable_logging: true
Non-Compliant Code Examples
- name: example
  amazon.aws.cloudtrail:
    state: present
    name: default
    enable_logging: false
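The check this rule performs, written out as an added example (not Datadog's own rule implementation): it walks an already-parsed playbook, looks at tasks that call either module name named above, and reports only those whose enable_logging is explicitly false, including the string spellings Ansible treats as false and tasks nested in block/rescue/always. The sample playbook is constructed for the example; real playbooks would be loaded with yaml.safe_load first.

```python
"""Flag Ansible tasks that explicitly disable CloudTrail logging.

Added example, not Datadog's rule engine. Operates on the Python
structure that yaml.safe_load produces for a playbook, so it needs no
extra dependencies to run.
"""

# Module names this rule covers (both spellings used on the page).
CLOUDTRAIL_MODULES = {"amazon.aws.cloudtrail", "cloudtrail"}
# String spellings Ansible/YAML 1.1 interpret as boolean false.
FALSE_STRINGS = {"false", "no", "off", "0"}


def _is_false(value):
    """True only when the value is an explicit false (missing is not flagged)."""
    if isinstance(value, bool):
        return value is False
    return isinstance(value, str) and value.strip().lower() in FALSE_STRINGS


def _iter_tasks(items):
    """Yield every task dict, descending into block/rescue/always sections."""
    for item in items or []:
        if not isinstance(item, dict):
            continue
        nested = [key for key in ("block", "rescue", "always") if key in item]
        if nested:
            for key in nested:
                yield from _iter_tasks(item[key])
        else:
            yield item


def find_disabled_cloudtrail_logging(playbook):
    """Return (task name, module) for each task with enable_logging set to false."""
    findings = []
    for play in playbook:
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            for task in _iter_tasks(play.get(section)):
                for module in CLOUDTRAIL_MODULES & task.keys():
                    args = task[module]
                    if isinstance(args, dict) and _is_false(args.get("enable_logging")):
                        findings.append((task.get("name", "<unnamed>"), module))
    return findings


# Constructed sample playbook mirroring the compliant and non-compliant examples above.
SAMPLE_PLAYBOOK = [{"hosts": "localhost", "tasks": [
    {"name": "compliant", "amazon.aws.cloudtrail": {"state": "present", "name": "default", "enable_logging": True}},
    {"name": "non-compliant", "amazon.aws.cloudtrail": {"state": "present", "name": "default", "enable_logging": False}},
    {"block": [{"name": "nested string false", "cloudtrail": {"name": "default", "enable_logging": "no"}}]},
    {"name": "property missing", "amazon.aws.cloudtrail": {"name": "default"}},
]}]

if __name__ == "__main__":
    for task_name, module in find_disabled_cloudtrail_logging(SAMPLE_PLAYBOOK):
        print(f"CloudTrail logging disabled: task '{task_name}' ({module})")
```

Only the two tasks that set the property to a false value are reported; the task that omits enable_logging is not, matching the rule's scope described above.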