For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-cloudtrail-multi-region-disabled.md.
CloudTrail must be configured as a multi-region trail so that management events from every AWS region are captured and no auditing gap opens up when a single region is compromised. A trail scoped to one region records nothing about API activity elsewhere, and regions an organization does not normally use are a common place for an attacker with stolen credentials to operate unnoticed. The IsMultiRegionTrail property on AWS::CloudTrail::Trail resources must be defined and set to true. Resources that omit this property, or that set IsMultiRegionTrail to false, are flagged.
Compliant Code Examples

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  S3Bucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties: {}
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AWSCloudTrailAclCheck"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}
          - Sid: "AWSCloudTrailWrite"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint:
            Ref: OperatorEmail
          Protocol: email
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - Ref: "Topic"
      PolicyDocument:
        Version: "2008-10-17"
        Statement:
          - Sid: "AWSCloudTrailSNSPolicy"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Resource: "*"
            Action: "SNS:Publish"
  myTrail:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: true
      IsMultiRegionTrail: true
```

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "OperatorEmail": {
      "Description": "Email address to notify when new logs are published.",
      "Type": "String"
    }
  },
  "Resources": {
    "S3Bucket": {
      "DeletionPolicy": "Retain",
      "Type": "AWS::S3::Bucket",
      "Properties": {}
    },
    "BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": { "Ref": "S3Bucket" },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailAclCheck",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Action": "s3:GetBucketAcl",
              "Resource": { "Fn::Sub": "arn:aws:s3:::${S3Bucket}" }
            },
            {
              "Sid": "AWSCloudTrailWrite",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Action": "s3:PutObject",
              "Resource": { "Fn::Sub": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*" },
              "Condition": {
                "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
              }
            }
          ]
        }
      }
    },
    "Topic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          { "Endpoint": { "Ref": "OperatorEmail" }, "Protocol": "email" }
        ]
      }
    },
    "TopicPolicy": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "Topics": [ { "Ref": "Topic" } ],
        "PolicyDocument": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailSNSPolicy",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Resource": "*",
              "Action": "SNS:Publish"
            }
          ]
        }
      }
    },
    "myTrail": {
      "DependsOn": [ "BucketPolicy", "TopicPolicy" ],
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "S3BucketName": { "Ref": "S3Bucket" },
        "SnsTopicName": { "Fn::GetAtt": [ "Topic", "TopicName" ] },
        "IsLogging": true,
        "IsMultiRegionTrail": true
      }
    }
  }
}
```
Non-Compliant Code Examples
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  S3Bucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties: {}
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AWSCloudTrailAclCheck"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}
          - Sid: "AWSCloudTrailWrite"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint:
            Ref: OperatorEmail
          Protocol: email
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - Ref: "Topic"
      PolicyDocument:
        Version: "2008-10-17"
        Statement:
          - Sid: "AWSCloudTrailSNSPolicy"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Resource: "*"
            Action: "SNS:Publish"
  # Flagged: IsMultiRegionTrail is explicitly false, so only one region is logged.
  myTrail:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: true
      IsMultiRegionTrail: false
  # Flagged: IsMultiRegionTrail is omitted, which leaves the trail single-region.
  myTrail2:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: true
```

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "OperatorEmail": {
      "Description": "Email address to notify when new logs are published.",
      "Type": "String"
    }
  },
  "Resources": {
    "myTrail": {
      "DependsOn": [ "BucketPolicy", "TopicPolicy" ],
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "IsMultiRegionTrail": false,
        "S3BucketName": { "Ref": "S3Bucket" },
        "SnsTopicName": { "Fn::GetAtt": [ "Topic", "TopicName" ] },
        "IsLogging": true
      }
    },
    "myTrail2": {
      "DependsOn": [ "BucketPolicy", "TopicPolicy" ],
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "S3BucketName": { "Ref": "S3Bucket" },
        "SnsTopicName": { "Fn::GetAtt": [ "Topic", "TopicName" ] },
        "IsLogging": true
      }
    },
    "S3Bucket": {
      "DeletionPolicy": "Retain",
      "Type": "AWS::S3::Bucket",
      "Properties": {}
    },
    "BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": { "Ref": "S3Bucket" },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailAclCheck",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Action": "s3:GetBucketAcl",
              "Resource": { "Fn::Sub": "arn:aws:s3:::${S3Bucket}" }
            },
            {
              "Sid": "AWSCloudTrailWrite",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Action": "s3:PutObject",
              "Resource": { "Fn::Sub": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*" },
              "Condition": {
                "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
              }
            }
          ]
        }
      }
    },
    "Topic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          { "Endpoint": { "Ref": "OperatorEmail" }, "Protocol": "email" }
        ]
      }
    },
    "TopicPolicy": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "Topics": [ { "Ref": "Topic" } ],
        "PolicyDocument": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailSNSPolicy",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Resource": "*",
              "Action": "SNS:Publish"
            }
          ]
        }
      }
    }
  }
}
```
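The check this rule performs can be reproduced in a few lines for a CI pre-commit hook or a local audit. The following is an added example written for this page, not Datadog's scanner implementation. It assumes the template is supplied in JSON form (CloudFormation YAML with short-form tags such as `!Sub` needs a CloudFormation-aware loader, which is deliberately left out to keep it dependency-free). Beyond the two cases on this page (property false, property missing) it also handles the value being an intrinsic function such as a `Ref` to a parameter, which a static pass cannot resolve and should surface for review rather than silently pass. The sample template at the bottom is constructed for the example.

```python
"""Static check for the CloudTrail multi-region rule (added example).

Parses a CloudFormation template in JSON form with only the standard
library and reports every AWS::CloudTrail::Trail resource whose
IsMultiRegionTrail is missing, false, or not a literal boolean.
"""
import json

TRAIL_TYPE = "AWS::CloudTrail::Trail"
PROPERTY = "IsMultiRegionTrail"


def as_bool(value):
    """Map a CloudFormation boolean literal to True/False, else None.

    CloudFormation accepts JSON booleans and the strings "true"/"false"
    for Boolean properties. Anything else (an intrinsic function such as
    {"Ref": ...} or {"Fn::If": ...}, or an unrelated string) cannot be
    resolved statically and is returned as None.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    return None


def check_trails(template):
    """Return one finding per trail that is not provably multi-region."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != TRAIL_TYPE:
            continue
        props = resource.get("Properties") or {}
        if PROPERTY not in props:
            findings.append({
                "resource": logical_id,
                "status": "missing",
                "reason": f"{PROPERTY} is not set; CloudTrail defaults it to "
                          f"false, so the trail logs a single region",
            })
            continue
        resolved = as_bool(props[PROPERTY])
        if resolved is True:
            continue  # compliant
        if resolved is False:
            findings.append({
                "resource": logical_id,
                "status": "false",
                "reason": f"{PROPERTY} is explicitly false",
            })
        else:
            findings.append({
                "resource": logical_id,
                "status": "unresolved",
                "reason": f"{PROPERTY} is {props[PROPERTY]!r}; resolve the "
                          f"value (parameter/condition) before trusting it",
            })
    return findings


def check_template_text(text):
    """Parse a JSON template string and run the check over it."""
    return check_trails(json.loads(text))


# Constructed sample template (hypothetical, not from the page): one
# compliant trail and the three ways a trail can fail the check.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"MultiRegion": {"Type": "String", "Default": "false"}},
    "Resources": {
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "GoodTrail": {"Type": TRAIL_TYPE, "Properties": {
            "S3BucketName": {"Ref": "LogBucket"}, "IsLogging": True,
            PROPERTY: True}},
        "SingleRegionTrail": {"Type": TRAIL_TYPE, "Properties": {
            "S3BucketName": {"Ref": "LogBucket"}, "IsLogging": True,
            PROPERTY: False}},
        "DefaultTrail": {"Type": TRAIL_TYPE, "Properties": {
            "S3BucketName": {"Ref": "LogBucket"}, "IsLogging": True}},
        "ParamTrail": {"Type": TRAIL_TYPE, "Properties": {
            "S3BucketName": {"Ref": "LogBucket"}, "IsLogging": True,
            PROPERTY: {"Ref": "MultiRegion"}}},
    },
})

if __name__ == "__main__":
    for finding in check_template_text(SAMPLE_TEMPLATE):
        print(f"{finding['resource']}: {finding['reason']}")
```

Treating an unresolved value as a finding is the conservative choice: a parameter that defaults to "false", as in the constructed sample, would otherwise deploy a single-region trail while passing a naive scan that only looks for a literal `false`.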
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.