---
title: CloudTrail logging disabled
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > CloudTrail logging disabled
---

# CloudTrail logging disabled

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Observability

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudtrail_module.html#parameter-enable_logging)

### Description{% #description %}

CloudTrail logging must be enabled to record AWS API activity for detection, auditing, and forensic investigations, and to meet compliance requirements. Disabling logging can allow malicious or accidental changes to go undetected.

In Ansible, tasks using the `amazon.aws.cloudtrail` or `cloudtrail` modules must have the `enable_logging` property set to `true`. This rule flags tasks where `enable_logging` is explicitly set to `false`. Ensure the property is present and set to `true` so that the trail records management events and delivers its logs. Example secure Ansible task:

```yaml
- name: Ensure CloudTrail logging is enabled
  amazon.aws.cloudtrail:
    name: my-trail
    s3_bucket_name: my-cloudtrail-bucket
    enable_logging: true
```
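The check this rule performs can be reproduced outside the scanner for a pre-commit hook or CI step. The following is an added example and not Datadog's rule implementation: it walks the structure that `yaml.safe_load()` returns for an Ansible playbook or task file (plays, tasks and `block`/`rescue`/`always` nesting), and reports every task using `amazon.aws.cloudtrail` or `cloudtrail` whose `enable_logging` is a false value. It goes slightly beyond the rule in two labelled ways: it treats Ansible's string spellings of false (`"no"`, `"off"`, `"0"`) as disabled, and it separately lists tasks that omit the property, which the rule itself does not flag. The sample playbook is constructed inline so the script runs offline; the function and constant names are this example's own.

```python
"""Report Ansible CloudTrail tasks that disable logging (added example, not Datadog's scanner)."""
import sys
from typing import Any, Dict, Iterator, List, Tuple

# Module names the rule covers (taken from the rule description).
CLOUDTRAIL_MODULES = ("amazon.aws.cloudtrail", "cloudtrail")
# Assumption: Ansible accepts these string spellings of false; treat them as "logging disabled".
FALSE_STRINGS = {"false", "no", "off", "0"}
# Keys under which plays and tasks nest further tasks.
NESTING_KEYS = ("tasks", "pre_tasks", "post_tasks", "handlers", "block", "rescue", "always")


def is_false(value: Any) -> bool:
    """True for YAML false or an Ansible string spelling of false."""
    if isinstance(value, bool):
        return value is False
    if isinstance(value, str):
        return value.strip().lower() in FALSE_STRINGS
    return False


def iter_tasks(items: Any, path: Tuple = ()) -> Iterator[Tuple[Tuple, Dict[str, Any]]]:
    """Yield (path, task) for every leaf task, descending through plays and blocks."""
    for index, item in enumerate(items or []):
        if not isinstance(item, dict):
            continue
        here = path + (index,)
        nested = [key for key in NESTING_KEYS if isinstance(item.get(key), list)]
        for key in nested:
            yield from iter_tasks(item[key], here + (key,))
        if not nested:
            yield here, item


def check_tasks(items: Any) -> Tuple[List[Tuple[str, str, Any]], List[Tuple[str, str]]]:
    """Return (findings, missing).

    findings: (task name, module, value) for tasks with enable_logging false (the rule's finding).
    missing:  (task name, module) for CloudTrail tasks without enable_logging (advisory, beyond the rule).
    """
    findings, missing = [], []
    for _path, task in iter_tasks(items):
        for module in CLOUDTRAIL_MODULES:
            args = task.get(module)
            if not isinstance(args, dict):
                continue
            name = str(task.get("name", "<unnamed>"))
            if "enable_logging" not in args:
                missing.append((name, module))
            elif is_false(args["enable_logging"]):
                findings.append((name, module, args["enable_logging"]))
    return findings, missing


# Constructed sample: the page's compliant and non-compliant tasks plus nested and string-valued cases.
SAMPLE_PLAYBOOK = [
    {"hosts": "localhost", "tasks": [
        {"name": "example", "amazon.aws.cloudtrail": {"state": "present", "name": "default", "enable_logging": True}},
        {"name": "disabled", "amazon.aws.cloudtrail": {"state": "present", "name": "default", "enable_logging": False}},
        {"name": "string no", "cloudtrail": {"name": "legacy", "enable_logging": "no"}},
        {"block": [{"name": "nested", "amazon.aws.cloudtrail": {"name": "t", "enable_logging": False}}]},
        {"name": "missing", "amazon.aws.cloudtrail": {"name": "t2"}},
        {"name": "unrelated", "amazon.aws.s3_bucket": {"name": "b"}},
    ]},
]


def main(argv: List[str]) -> int:
    """Scan a YAML file given on the command line, or the constructed sample when none is given."""
    if len(argv) > 1:
        import yaml  # PyYAML; only needed for the file path mode
        with open(argv[1], encoding="utf-8") as fh:
            data = yaml.safe_load(fh)
    else:
        data = SAMPLE_PLAYBOOK
    findings, missing = check_tasks(data)
    for name, module, value in findings:
        print(f"FAIL  task '{name}' ({module}): enable_logging={value!r}")
    for name, module in missing:
        print(f"INFO  task '{name}' ({module}): enable_logging not set; set it to true explicitly")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running the script with no arguments scans the embedded sample and exits non-zero because three tasks disable logging; `python check_cloudtrail.py site.yml` (a hypothetical file name) scans a real playbook if PyYAML is installed. Only the explicit-false cases are treated as failures, matching the rule; the "missing" list is informational and is there because the description asks for the property to be present.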

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: example
  amazon.aws.cloudtrail:
    state: present
    name: default
    enable_logging: true
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: example
  amazon.aws.cloudtrail:
    state: present
    name: default
    enable_logging: false
```
