CloudTrail should be configured to deliver events to CloudWatch Logs so that you have real-time monitoring, alerting, and a reliable audit trail for investigation and incident response. For AWS::CloudTrail::Trail resources, the Properties must include both CloudWatchLogsLogGroupArn (the ARN of the CloudWatch Logs log group) and CloudWatchLogsRoleArn (the ARN of an IAM role that CloudTrail can assume). Resources missing either property are flagged. Also ensure that the referenced IAM role allows the CloudTrail service principal to write to CloudWatch Logs (for example, logs:CreateLogStream and logs:PutLogEvents).
Compliant Code Examples

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  S3Bucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties: {}
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AWSCloudTrailAclCheck"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}
          - Sid: "AWSCloudTrailWrite"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint:
            Ref: OperatorEmail
          Protocol: email
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - Ref: "Topic"
      PolicyDocument:
        Version: "2008-10-17"
        Statement:
          - Sid: "AWSCloudTrailSNSPolicy"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Resource: "*"
            Action: "SNS:Publish"
  myTrail:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      CloudWatchLogsLogGroupArn: "arn:aws:logs:us-west-2:920172477660:log-group:CloudTrail/DefaultLogGroup:*"
      CloudWatchLogsRoleArn:
        "Fn::GetAtt":
          - IamRoleForCwLogs
          - Arn
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: true
      IsMultiRegionTrail: true
  IamRoleForCwLogs:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: allow-access-to-cw-logs
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource: "*"
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "OperatorEmail": {
      "Description": "Email address to notify when new logs are published.",
      "Type": "String"
    }
  },
  "Resources": {
    "S3Bucket": {
      "DeletionPolicy": "Retain",
      "Type": "AWS::S3::Bucket",
      "Properties": {}
    },
    "BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": { "Ref": "S3Bucket" },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailAclCheck",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Action": "s3:GetBucketAcl",
              "Resource": "value"
            },
            {
              "Sid": "AWSCloudTrailWrite",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Action": "s3:PutObject",
              "Resource": "value",
              "Condition": {
                "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
              }
            }
          ]
        }
      }
    },
    "Topic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          { "Endpoint": { "Ref": "OperatorEmail" }, "Protocol": "email" }
        ]
      }
    },
    "TopicPolicy": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "Topics": [ { "Ref": "Topic" } ],
        "PolicyDocument": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailSNSPolicy",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Resource": "*",
              "Action": "SNS:Publish"
            }
          ]
        }
      }
    },
    "myTrail": {
      "DependsOn": [ "BucketPolicy", "TopicPolicy" ],
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-west-2:920172477660:log-group:CloudTrail/DefaultLogGroup:*",
        "CloudWatchLogsRoleArn": { "Fn::GetAtt": [ "IamRoleForCwLogs", "Arn" ] },
        "S3BucketName": { "Ref": "S3Bucket" },
        "SnsTopicName": { "Fn::GetAtt": [ "Topic", "TopicName" ] },
        "IsLogging": true,
        "IsMultiRegionTrail": true
      }
    },
    "IamRoleForCwLogs": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "allow-access-to-cw-logs",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ],
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    }
  }
}
```
Non-Compliant Code Examples
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  S3Bucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties: {}
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AWSCloudTrailAclCheck"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}
          - Sid: "AWSCloudTrailWrite"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint:
            Ref: OperatorEmail
          Protocol: email
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - Ref: "Topic"
      PolicyDocument:
        Version: "2008-10-17"
        Statement:
          - Sid: "AWSCloudTrailSNSPolicy"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Resource: "*"
            Action: "SNS:Publish"
  myTrail:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: true
      IsMultiRegionTrail: true
```
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  S3Bucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties: {}
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AWSCloudTrailAclCheck"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}
          - Sid: "AWSCloudTrailWrite"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint:
            Ref: OperatorEmail
          Protocol: email
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - Ref: "Topic"
      PolicyDocument:
        Version: "2008-10-17"
        Statement:
          - Sid: "AWSCloudTrailSNSPolicy"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Resource: "*"
            Action: "SNS:Publish"
  myTrail2:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      CloudWatchLogsRoleArn:
        "Fn::GetAtt":
          - IamRoleForCwLogs
          - Arn
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: true
      IsMultiRegionTrail: true
  IamRoleForCwLogs:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: allow-access-to-cw-logs
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource: "*"
```
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  S3Bucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties: {}
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AWSCloudTrailAclCheck"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}
          - Sid: "AWSCloudTrailWrite"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint:
            Ref: OperatorEmail
          Protocol: email
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - Ref: "Topic"
      PolicyDocument:
        Version: "2008-10-17"
        Statement:
          - Sid: "AWSCloudTrailSNSPolicy"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Resource: "*"
            Action: "SNS:Publish"
  myTrail3:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      CloudWatchLogsLogGroupArn: "arn:aws:logs:us-west-2:920172477660:log-group:CloudTrail/DefaultLogGroup:*"
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: true
      IsMultiRegionTrail: true
  IamRoleForCwLogs:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: allow-access-to-cw-logs
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource: "*"
```
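The check the rule description spells out can be reproduced in a few lines for use in a pre-commit hook or CI step. The script below is an added example written for this page, not Datadog's rule implementation: it walks a parsed CloudFormation template, flags every AWS::CloudTrail::Trail whose Properties lack CloudWatchLogsLogGroupArn or CloudWatchLogsRoleArn, and goes one step further than the rule by resolving an in-template Fn::GetAtt role reference and confirming that the role trusts cloudtrail.amazonaws.com and grants logs:CreateLogStream and logs:PutLogEvents. The sample templates, the 123456789012 account id in the log group ARN, and the resource names NoCwTrail, NoLogGroupTrail, WeakRole and WeakRoleTrail are constructed for the example; the helper reads JSON with the standard library only and assumes YAML templates are converted to JSON first (a YAML loader would need to handle intrinsic tags such as !Sub, which is not included here).

```python
"""Flag CloudTrail trails in a CloudFormation template that do not deliver to
CloudWatch Logs. Added example, not Datadog's rule implementation."""
import copy
import json

REQUIRED_PROPS = ("CloudWatchLogsLogGroupArn", "CloudWatchLogsRoleArn")
CW_LOGS_ACTIONS = ("logs:CreateLogStream", "logs:PutLogEvents")
CLOUDTRAIL_PRINCIPAL = "cloudtrail.amazonaws.com"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def role_allows_cloudtrail_logging(role):
    """True if an AWS::IAM::Role trusts CloudTrail and grants the CloudWatch
    Logs write actions named in the rule description."""
    props = role.get("Properties", {})
    trust = _as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement", []))
    trusted = any(
        s.get("Effect") == "Allow"
        and CLOUDTRAIL_PRINCIPAL in _as_list(s.get("Principal", {}).get("Service", []))
        and "sts:AssumeRole" in _as_list(s.get("Action", []))
        for s in trust
    )
    granted = set()
    for policy in props.get("Policies", []):
        for s in _as_list(policy.get("PolicyDocument", {}).get("Statement", [])):
            if s.get("Effect") == "Allow":
                granted.update(_as_list(s.get("Action", [])))
    # A wildcard that covers the needed actions also counts.
    covers = all(a in granted or "logs:*" in granted or "*" in granted for a in CW_LOGS_ACTIONS)
    return trusted and covers


def find_trails_without_cloudwatch(template):
    """Return (logical_id, reason) for each trail missing a CloudWatch Logs
    property, or whose in-template role cannot write to CloudWatch Logs."""
    findings = []
    resources = template.get("Resources", {})
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::CloudTrail::Trail":
            continue
        props = res.get("Properties", {})
        missing = [p for p in REQUIRED_PROPS if p not in props]
        if missing:
            findings.append((logical_id, "missing " + ", ".join(missing)))
            continue
        role_ref = props["CloudWatchLogsRoleArn"]
        # Only roles referenced through Fn::GetAtt can be resolved in-template;
        # a literal ARN would need an account-side check instead.
        if isinstance(role_ref, dict) and "Fn::GetAtt" in role_ref:
            target = role_ref["Fn::GetAtt"]
            role_id = target[0] if isinstance(target, list) else target.split(".")[0]
            role = resources.get(role_id)
            if role is None or not role_allows_cloudtrail_logging(role):
                findings.append((logical_id, f"role {role_id} cannot write to CloudWatch Logs"))
    return findings


def check_template_text(text):
    """Parse a JSON CloudFormation template and return its findings."""
    return find_trails_without_cloudwatch(json.loads(text))


# Constructed sample resources, shaped like the page's examples but shortened.
LOG_GROUP_ARN = "arn:aws:logs:us-west-2:123456789012:log-group:CloudTrail/DefaultLogGroup:*"  # placeholder account
GOOD_ROLE = {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL_PRINCIPAL}, "Action": "sts:AssumeRole"}]},
    "Policies": [{"PolicyName": "allow-access-to-cw-logs", "PolicyDocument": {
        "Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Action": list(CW_LOGS_ACTIONS), "Resource": "*"}]}}]}}
# Same role without logs:PutLogEvents: CloudTrail could create streams but never deliver events.
WEAK_ROLE = copy.deepcopy(GOOD_ROLE)
WEAK_ROLE["Properties"]["Policies"][0]["PolicyDocument"]["Statement"][0]["Action"] = ["logs:CreateLogStream"]


def _trail(**props):
    """Minimal AWS::CloudTrail::Trail resource (constructed sample)."""
    base = {"S3BucketName": {"Ref": "S3Bucket"}, "IsLogging": True}
    base.update(props)
    return {"Type": "AWS::CloudTrail::Trail", "Properties": base}


COMPLIANT_TEMPLATE = {"Resources": {
    "S3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "IamRoleForCwLogs": GOOD_ROLE,
    "myTrail": _trail(CloudWatchLogsLogGroupArn=LOG_GROUP_ARN,
                      CloudWatchLogsRoleArn={"Fn::GetAtt": ["IamRoleForCwLogs", "Arn"]})}}
NONCOMPLIANT_TEMPLATE = {"Resources": {
    "S3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "IamRoleForCwLogs": GOOD_ROLE, "WeakRole": WEAK_ROLE,
    "NoCwTrail": _trail(),
    "NoLogGroupTrail": _trail(CloudWatchLogsRoleArn={"Fn::GetAtt": ["IamRoleForCwLogs", "Arn"]}),
    "WeakRoleTrail": _trail(CloudWatchLogsLogGroupArn=LOG_GROUP_ARN,
                            CloudWatchLogsRoleArn={"Fn::GetAtt": ["WeakRole", "Arn"]})}}

if __name__ == "__main__":
    for name, tpl in (("compliant", COMPLIANT_TEMPLATE), ("non-compliant", NONCOMPLIANT_TEMPLATE)):
        for logical_id, reason in check_template_text(json.dumps(tpl)):
            print(f"{name}: {logical_id}: {reason}")
```

Run as a script it prints one line per finding for the non-compliant sample and nothing for the compliant one. The role check is deliberately conservative: a CloudWatchLogsRoleArn given as a literal ARN is accepted by the property check but cannot be verified from the template alone, which is exactly the case the rule description asks you to confirm on the IAM side.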
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```