Metadata

Id: d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Observability

Description

CloudTrail logging must be enabled to record AWS API activity for detection, auditing, and forensic investigations, and to meet compliance requirements. Disabling logging can allow malicious or accidental changes to go undetected.

In Ansible, tasks using the amazon.aws.cloudtrail or cloudtrail modules must have the enable_logging property set to true. This rule flags tasks where enable_logging is explicitly set to false. Ensure the property is present and set to true to enable delivery of management events and logs. Example secure Ansible task:

- name: Ensure CloudTrail logging is enabled
  amazon.aws.cloudtrail:
    name: my-trail
    s3_bucket_name: my-cloudtrail-bucket
    enable_logging: true

Compliant Code Examples

- name: example
  amazon.aws.cloudtrail:
    state: present
    name: default
    enable_logging: true

Non-Compliant Code Examples

- name: example
  amazon.aws.cloudtrail:
    state: present
    name: default
    enable_logging: false
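The following is an added example of how the check described above can be implemented; it is not Datadog's analyzer. It assumes the playbook has already been loaded into Python structures the way yaml.safe_load would produce them, and uses a constructed sample playbook that mixes the compliant and non-compliant tasks from this page with a nested block and a quoted "no" (which Ansible's bool argument type coerces to false).

```python
"""Flag Ansible tasks that disable CloudTrail logging (enable_logging: false)."""

# Module names (FQCN and short form) that manage CloudTrail trails.
CLOUDTRAIL_MODULES = {"amazon.aws.cloudtrail", "community.aws.cloudtrail", "cloudtrail"}
# Strings Ansible's bool argument type coerces to False (case-insensitive).
FALSE_STRINGS = {"false", "no", "off", "n", "0", "f"}
# Keys under which a play or a block task nests further tasks.
TASK_LIST_KEYS = ("pre_tasks", "tasks", "post_tasks", "handlers", "block", "rescue", "always")


def logging_disabled(value):
    """True when enable_logging would end up False after Ansible's coercion."""
    if isinstance(value, bool):          # YAML 1.1 loaders already turn bare no/off into False
        return value is False
    if isinstance(value, str):           # quoted values stay strings until Ansible coerces them
        return value.strip().lower() in FALSE_STRINGS
    return False                         # missing -> module default (enabled); other types left to Ansible


def iter_tasks(node):
    """Yield every task dict in a loaded playbook, descending into plays and blocks."""
    if isinstance(node, list):
        for item in node:
            yield from iter_tasks(item)
    elif isinstance(node, dict):
        if any(key in node for key in TASK_LIST_KEYS):
            for key in TASK_LIST_KEYS:
                yield from iter_tasks(node.get(key, []))
        else:
            yield node


def find_disabled_cloudtrail(playbook):
    """Return the names of tasks that set enable_logging to a false value on a CloudTrail module."""
    findings = []
    for task in iter_tasks(playbook):
        for module in CLOUDTRAIL_MODULES:
            args = task.get(module)
            if isinstance(args, dict) and logging_disabled(args.get("enable_logging")):
                findings.append(task.get("name", "<unnamed task>"))
    return findings


# Constructed sample, shaped like yaml.safe_load output for a playbook (hypothetical bucket name).
SAMPLE_PLAYBOOK = [{"hosts": "localhost", "tasks": [
    {"name": "compliant", "amazon.aws.cloudtrail": {"state": "present", "name": "default", "enable_logging": True}},
    {"name": "default-is-enabled", "amazon.aws.cloudtrail": {"state": "present", "name": "default"}},
    {"name": "explicit-false", "community.aws.cloudtrail": {"state": "present", "name": "default", "enable_logging": False}},
    {"block": [{"name": "quoted-no", "cloudtrail": {"name": "default", "enable_logging": "no"}}]},
]}]

if __name__ == "__main__":
    for name in find_disabled_cloudtrail(SAMPLE_PLAYBOOK):
        print(f"non-compliant task: {name}")
```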