CloudTrail must have logging enabled to provide an audit trail of API activity. Without logging, you cannot reliably detect unauthorized actions, investigate incidents, or meet audit and compliance requirements. The IsLogging property on AWS::CloudTrail::Trail resources must be defined and set to true. Resources missing IsLogging or with IsLogging set to false will be flagged.
Compliant Code Examples
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  S3Bucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties: {}
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AWSCloudTrailAclCheck"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}
          - Sid: "AWSCloudTrailWrite"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint:
            Ref: OperatorEmail
          Protocol: email
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - Ref: "Topic"
      PolicyDocument:
        Version: "2008-10-17"
        Statement:
          - Sid: "AWSCloudTrailSNSPolicy"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Resource: "*"
            Action: "SNS:Publish"
  myTrail:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      EnableLogFileValidation: true
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: true
      IsMultiRegionTrail: true
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "OperatorEmail": {
      "Type": "String",
      "Description": "Email address to notify when new logs are published."
    }
  },
  "Resources": {
    "BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "S3Bucket"
        },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:GetBucketAcl",
              "Resource": "arn:aws:s3:::${S3Bucket}",
              "Sid": "AWSCloudTrailAclCheck",
              "Effect": "Allow"
            },
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:PutObject",
              "Resource": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*",
              "Condition": {
                "StringEquals": {
                  "s3:x-amz-acl": "bucket-owner-full-control"
                }
              },
              "Sid": "AWSCloudTrailWrite"
            }
          ]
        }
      }
    },
    "Topic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          {
            "Endpoint": {
              "Ref": "OperatorEmail"
            },
            "Protocol": "email"
          }
        ]
      }
    },
    "TopicPolicy": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "Topics": [
          {
            "Ref": "Topic"
          }
        ],
        "PolicyDocument": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailSNSPolicy",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Resource": "*",
              "Action": "SNS:Publish"
            }
          ]
        }
      }
    },
    "myTrail2": {
      "DependsOn": [
        "BucketPolicy",
        "TopicPolicy"
      ],
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "IsLogging": true,
        "IsMultiRegionTrail": true,
        "EnableLogFileValidation": true,
        "S3BucketName": {
          "Ref": "S3Bucket"
        },
        "SnsTopicName": {
          "Fn::GetAtt": [
            "Topic",
            "TopicName"
          ]
        }
      }
    },
    "S3Bucket": {
      "DeletionPolicy": "Retain",
      "Type": "AWS::S3::Bucket",
      "Properties": {}
    }
  }
}
```
Non-Compliant Code Examples
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  S3Bucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties: {}
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AWSCloudTrailAclCheck"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}
          - Sid: "AWSCloudTrailWrite"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint:
            Ref: OperatorEmail
          Protocol: email
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - Ref: "Topic"
      PolicyDocument:
        Version: "2008-10-17"
        Statement:
          - Sid: "AWSCloudTrailSNSPolicy"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Resource: "*"
            Action: "SNS:Publish"
  myTrail3:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: false
      IsMultiRegionTrail: true
  myTrail4:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      EnableLogFileValidation: false
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: false
      IsMultiRegionTrail: true
```
```json
{
  "Resources": {
    "S3Bucket": {
      "DeletionPolicy": "Retain",
      "Type": "AWS::S3::Bucket",
      "Properties": {}
    },
    "BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "S3Bucket"
        },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailAclCheck",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:GetBucketAcl",
              "Resource": "arn:aws:s3:::${S3Bucket}"
            },
            {
              "Resource": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*",
              "Condition": {
                "StringEquals": {
                  "s3:x-amz-acl": "bucket-owner-full-control"
                }
              },
              "Sid": "AWSCloudTrailWrite",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:PutObject"
            }
          ]
        }
      }
    },
    "Topic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          {
            "Endpoint": {
              "Ref": "OperatorEmail"
            },
            "Protocol": "email"
          }
        ]
      }
    },
    "TopicPolicy": {
      "Properties": {
        "Topics": [
          {
            "Ref": "Topic"
          }
        ],
        "PolicyDocument": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailSNSPolicy",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Resource": "*",
              "Action": "SNS:Publish"
            }
          ]
        }
      },
      "Type": "AWS::SNS::TopicPolicy"
    },
    "myTrail5": {
      "DependsOn": [
        "BucketPolicy",
        "TopicPolicy"
      ],
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "IsMultiRegionTrail": true,
        "S3BucketName": {
          "Ref": "S3Bucket"
        },
        "SnsTopicName": {
          "Fn::GetAtt": [
            "Topic",
            "TopicName"
          ]
        },
        "IsLogging": false
      }
    },
    "myTrail6": {
      "DependsOn": [
        "BucketPolicy",
        "TopicPolicy"
      ],
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "EnableLogFileValidation": false,
        "S3BucketName": {
          "Ref": "S3Bucket"
        },
        "SnsTopicName": {
          "Fn::GetAtt": [
            "Topic",
            "TopicName"
          ]
        },
        "IsLogging": false,
        "IsMultiRegionTrail": true
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "OperatorEmail": {
      "Description": "Email address to notify when new logs are published.",
      "Type": "String"
    }
  }
}
```
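The check this rule performs, written out as a small standalone scanner for JSON CloudFormation templates. This is an added example, not Datadog's rule implementation; the template embedded in it is constructed for illustration, and treating the string "true" as equivalent to the boolean is an assumption about CloudFormation's type coercion.

```python
import json

TRAIL_TYPE = "AWS::CloudTrail::Trail"


def trail_logging_findings(template):
    """Return (logical_id, reason) for every AWS::CloudTrail::Trail
    whose IsLogging property is missing or not set to true."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != TRAIL_TYPE:
            continue
        props = resource.get("Properties") or {}  # Properties may be absent or null
        if "IsLogging" not in props:
            findings.append((logical_id, "IsLogging is not defined"))
            continue
        value = props["IsLogging"]
        # Assumption: accept the JSON boolean true or the string "true",
        # since CloudFormation coerces string booleans for this property.
        if value is True or (isinstance(value, str) and value.lower() == "true"):
            continue
        findings.append((logical_id, f"IsLogging is set to {value!r}"))
    return findings


def scan_template_text(text):
    """Parse a JSON template and return its findings."""
    return trail_logging_findings(json.loads(text))


# Constructed sample template: one compliant trail, one with IsLogging
# false, and one that omits IsLogging entirely.
SAMPLE_TEMPLATE = """{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "GoodTrail": {"Type": "AWS::CloudTrail::Trail",
      "Properties": {"S3BucketName": {"Ref": "LogBucket"}, "IsLogging": true}},
    "StoppedTrail": {"Type": "AWS::CloudTrail::Trail",
      "Properties": {"S3BucketName": {"Ref": "LogBucket"}, "IsLogging": false}},
    "UndefinedTrail": {"Type": "AWS::CloudTrail::Trail",
      "Properties": {"S3BucketName": {"Ref": "LogBucket"}}}
  }
}"""

if __name__ == "__main__":
    for logical_id, reason in scan_template_text(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

Run against a template with the `--template-body` JSON you would hand to CloudFormation; YAML templates with `!Sub`-style tags need a tag-aware loader before the same function can be applied.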
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```