CloudTrail logging disabled
Id: d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5
Cloud Provider: AWS
Platform: Ansible
Severity: Medium
Category: Observability
Description
CloudTrail logging must be enabled to record AWS API activity for detection, auditing, and forensic investigations, and to meet compliance requirements. Disabling logging can allow malicious or accidental changes to go undetected.
In Ansible, tasks that use the amazon.aws.cloudtrail or cloudtrail module must set the enable_logging property to true. This rule flags tasks where enable_logging is explicitly set to false. Keep the property present and set to true so the trail delivers management events and log files. Example secure Ansible task:
- name: Ensure CloudTrail logging is enabled
  amazon.aws.cloudtrail:
    name: my-trail
    s3_bucket_name: my-cloudtrail-bucket
    enable_logging: true
Compliant Code Examples
- name: example
  amazon.aws.cloudtrail:
    state: present
    name: default
    enable_logging: true
Non-Compliant Code Examples
- name: example
  amazon.aws.cloudtrail:
    state: present
    name: default
    enable_logging: false
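The check this rule describes, as an added example that is not part of this page or of the amazon.aws collection: it walks tasks already parsed into Python dicts (the shape a YAML loader returns, so it needs no third-party library), covers both module names named above, descends into block/rescue/always sections, and treats the string spellings Ansible accepts as boolean false the same way a loader would treat a bare false. The sample tasks are constructed for the demonstration.

```python
"""Flag Ansible CloudTrail tasks whose enable_logging is explicitly false."""
from typing import Any, Iterator

# Module names the rule covers: fully qualified and short form.
CLOUDTRAIL_MODULES = ("amazon.aws.cloudtrail", "cloudtrail")
# String spellings Ansible's boolean handling reads as false (YAML 1.1 style).
FALSE_STRINGS = {"false", "no", "off", "0", "n", "f"}


def is_false(value: Any) -> bool:
    """True when a module argument evaluates to boolean false under Ansible."""
    if isinstance(value, bool):
        return value is False
    if isinstance(value, (int, float)):
        return value == 0
    if isinstance(value, str):
        return value.strip().lower() in FALSE_STRINGS
    return False


def iter_tasks(tasks: list) -> Iterator[dict]:
    """Yield every leaf task, descending into block/rescue/always sections."""
    for task in tasks:
        if not isinstance(task, dict):
            continue
        nested = False
        for section in ("block", "rescue", "always"):
            if isinstance(task.get(section), list):
                nested = True
                yield from iter_tasks(task[section])
        if not nested:
            yield task


def find_disabled_logging(tasks: list) -> list:
    """Return names of tasks that set enable_logging to false on a CloudTrail module."""
    findings = []
    for task in iter_tasks(tasks):
        for module in CLOUDTRAIL_MODULES:
            args = task.get(module)
            # Only an explicit false is flagged; an omitted property is not.
            if isinstance(args, dict) and "enable_logging" in args and is_false(args["enable_logging"]):
                findings.append(task.get("name", "<unnamed>"))
    return findings


# Constructed sample tasks, as a YAML loader would hand them to the checker.
SAMPLE_TASKS = [
    {"name": "compliant", "amazon.aws.cloudtrail": {"state": "present", "name": "default", "enable_logging": True}},
    {"name": "explicit false", "amazon.aws.cloudtrail": {"state": "present", "name": "default", "enable_logging": False}},
    {"name": "string no", "cloudtrail": {"name": "default", "enable_logging": "no"}},
    {"name": "omitted", "amazon.aws.cloudtrail": {"name": "default"}},
    {"name": "wrapped", "block": [{"name": "in block", "cloudtrail": {"name": "t", "enable_logging": "off"}}]},
]

if __name__ == "__main__":
    print(find_disabled_logging(SAMPLE_TASKS))  # ['explicit false', 'string no', 'in block']
```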