---
title: CloudTrail logging disabled
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > CloudTrail logging disabled
---

# CloudTrail logging disabled

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `4bb76f17-3d63-4529-bdca-2b454529d774`

**Cloud Provider:** AWS

**Platform:** Terraform

**Severity:** Medium

**Category:** Observability

#### Learn More{% #learn-more %}

- [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#enable_logging)

### Description{% #description %}

This check ensures that logging is enabled for AWS CloudTrail by verifying that the `enable_logging` attribute of each `aws_cloudtrail` resource is not set to `false`. The attribute defaults to `true` in the AWS provider, so a trail that omits it is compliant; the check reports only an explicit `enable_logging = false`. A trail with logging disabled still exists, but it stops recording API activity in your AWS account, which hinders threat detection, audit investigations, and incident response. For security and compliance, CloudTrail logging should always be enabled, either by setting the attribute to `true` or by leaving it at its default, as shown below. Note that this rule evaluates the Terraform configuration only; a trail stopped afterwards through the `StopLogging` API is not visible to an IaC scan, so pair this check with runtime monitoring of trail status.

```terraform
resource "aws_cloudtrail" "example" {
  name           = "example"
  s3_bucket_name = "bucketlog"
  enable_logging = true
}
```
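The rule's logic, written out as a small Python scanner so it can be run against Terraform files offline. This is an added example, not the Datadog or KICS query itself: it uses a deliberately minimal matcher for flat `resource` blocks rather than a full HCL parser, and the `SAMPLE_TF` input is constructed here to mirror the compliant and non-compliant shapes this page describes (a trail that omits `enable_logging` is treated as compliant because the provider default is `true`).

```python
import re

# Constructed sample input (not taken from any real repository): two compliant
# trails, one non-compliant trail, and an unrelated resource that must be ignored.
SAMPLE_TF = """
resource "aws_cloudtrail" "explicit_on" {
  name           = "explicit_on"
  s3_bucket_name = "bucketlog"
  enable_logging = true
}

resource "aws_cloudtrail" "default_on" {
  name           = "default_on"
  s3_bucket_name = "bucketlog"
}

resource "aws_cloudtrail" "disabled" {
  name           = "disabled"
  s3_bucket_name = "bucketlog"
  enable_logging = false  # this is what the rule reports
}

resource "aws_s3_bucket" "unrelated" {
  bucket = "bucketlog"
}
"""

# Minimal matcher for a top-level resource block whose body has no nested blocks.
# This is enough for the attribute this rule checks; it is not a general HCL parser.
RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^}]*)\}',
    re.DOTALL,
)
# One `key = value` attribute per line; a trailing `# comment` is ignored.
ATTR_RE = re.compile(
    r'^\s*(?P<key>\w+)\s*=\s*(?P<value>[^\n#]+?)\s*(#.*)?$', re.MULTILINE
)


def parse_resources(hcl_text):
    """Return (type, name, {attribute: raw_value}) for every flat resource block."""
    resources = []
    for block in RESOURCE_RE.finditer(hcl_text):
        attrs = {
            a.group("key"): a.group("value").strip()
            for a in ATTR_RE.finditer(block.group("body"))
        }
        resources.append((block.group("type"), block.group("name"), attrs))
    return resources


def cloudtrail_logging_disabled(hcl_text):
    """Return the names of aws_cloudtrail resources that set enable_logging = false.

    A missing attribute is treated as compliant: the AWS provider defaults
    enable_logging to true, matching the compliant example on this page that
    omits it. Both the bare literal `false` and the quoted string "false"
    (which Terraform converts to a bool) are reported.
    """
    findings = []
    for rtype, name, attrs in parse_resources(hcl_text):
        if rtype != "aws_cloudtrail":
            continue
        value = attrs.get("enable_logging", "true").strip('"').lower()
        if value == "false":
            findings.append(name)
    return findings


if __name__ == "__main__":
    for trail in cloudtrail_logging_disabled(SAMPLE_TF):
        print(f'aws_cloudtrail.{trail}: enable_logging = false (logging disabled)')
```

Running the module prints one finding for `aws_cloudtrail.disabled` and nothing for the trail that relies on the provider default, which is the distinction the rule's compliant examples depend on.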

## Compliant Code Examples{% #compliant-code-examples %}

```terraform
resource "aws_cloudtrail" "negative1" {
  name                          = "negative_1"
  s3_bucket_name                = "bucketlog"
  enable_logging                = true
}

resource "aws_cloudtrail" "negative2" {
  name                          = "negative_2"
  s3_bucket_name                = "bucketlog"
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```terraform
# This is problematic code where the query should report one or more results
resource "aws_cloudtrail" "positive1" {
  name                          = "positive"
  s3_bucket_name                = "bucketlog"
  enable_logging                = false
}
```
