Profile Applicability: Level 1


AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command-line tools, and higher-level AWS services (such as CloudFormation).


The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally:

  • Ensuring that a multi-region trail exists ensures that Global Service Logging is enabled for the trail by default, so that events generated by AWS global services are recorded
  • For a multi-region trail, ensuring that management events are configured for all types of reads and writes ensures that management operations performed on all resources in the AWS account are recorded


AWS CloudTrail increases visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.

Default Value: 

By default, CloudTrail is not enabled.


  • A CloudTrail trail must exist


Test Plan: 

  1. Sign in to the AWS Management Console 

  2. Open the CloudTrail console at 

  3. Click on Trails in the left navigation pane

  4. Click on the trail you want to examine

  5. Ensure at least one trail has YES specified in the Multi-region trail column

Using AWS CLI:

aws cloudtrail describe-trails

If the output shows "IsMultiRegionTrail": true, the trail is enabled in all regions.
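The audit step above checks only the multi-region flag; the description also expects global service events and all management reads/writes to be captured. This added example (not part of the benchmark text) evaluates all three conditions offline against constructed JSON that mimics the output of `aws cloudtrail describe-trails` and `aws cloudtrail get-event-selectors --trail-name <name>`; the trail names and selector values are made up.

```python
"""Offline check of CloudTrail multi-region / management-event posture."""
import json

# Constructed sample: one single-region trail and one multi-region trail,
# shaped like the trailList returned by `aws cloudtrail describe-trails`.
DESCRIBE_TRAILS = json.loads("""{"trailList": [
  {"Name": "regional-trail", "HomeRegion": "us-east-1",
   "IsMultiRegionTrail": false, "IncludeGlobalServiceEvents": false},
  {"Name": "org-trail", "HomeRegion": "us-east-1",
   "IsMultiRegionTrail": true, "IncludeGlobalServiceEvents": true}
]}""")

# Constructed sample event selectors, keyed by trail name, shaped like
# `aws cloudtrail get-event-selectors --trail-name <name>` output.
EVENT_SELECTORS = {
    "regional-trail": {"EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
    "org-trail": {"EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True}]},
}


def multi_region_trails(describe_output):
    """Names of trails that are multi-region AND capture global service events."""
    return [t["Name"] for t in describe_output.get("trailList", [])
            if t.get("IsMultiRegionTrail") and t.get("IncludeGlobalServiceEvents")]


def logs_all_management_events(selectors_output):
    """True when classic event selectors record management events for reads and writes.

    Advanced event selectors cannot be reduced to a single ReadWriteType, so
    they return None to flag the trail for manual review.
    """
    if selectors_output.get("AdvancedEventSelectors"):
        return None
    return any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
               for s in selectors_output.get("EventSelectors", []))


def compliant(describe_output, selectors_by_trail):
    """Passes when at least one multi-region trail logs all management events."""
    return any(logs_all_management_events(selectors_by_trail.get(name, {})) is True
               for name in multi_region_trails(describe_output))


if __name__ == "__main__":
    print("multi-region trails:", multi_region_trails(DESCRIBE_TRAILS))
    print("compliant:", compliant(DESCRIBE_TRAILS, EVENT_SELECTORS))
```

A trail that returns None from the selector check has advanced event selectors and should be reviewed by hand rather than counted as compliant.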

Implementation Steps:

Note: There is no way to switch an existing trail to Multi-region (YES) from the console once the log group has already been created.

However, it can be modified using the AWS CLI.


If you already have a CloudTrail trail that is specific to a region and want to make it multi-region, follow the steps in the AWS CloudTrail documentation.


If you want to create a new trail to enable global (multi-region) CloudTrail logging, via the Management Console:

1. Sign in to the AWS Management Console and open the CloudTrail console at or search for cloudtrail in the search bar

2. Click on Trails on the left navigation pane 

3. Click Add new trail (by default the trail is set to Multi-region)

  1. Enter a trail name in the Trail name box
  2. Specify an S3 bucket; you can use an existing bucket or choose a new one.
  3. Enable SSE-KMS encryption to encrypt log files; you can use an existing CMK or create a new one.
  4. Additional settings. You have the option to enable ‘Log File Validation’, which lets you determine whether a log file was modified, deleted, or unchanged after AWS CloudTrail delivered it, and an ‘SNS topic’ to receive notifications.
  5. Configure CloudWatch Logs to monitor your trail logs and notify you when specific activity occurs. Give the log group name and attach an IAM role to it; you can create a new role or use an existing one.

Click ‘Next’

  6. Events: choose the type of events that you want to log.
  7. Management events: make sure both Read and Write activities are logged.

Click ‘Next’

  8. Review and click Create trail.

Using AWS CLI:

aws cloudtrail create-trail --name <value> --s3-bucket-name <value> --is-multi-region-trail


Note: Creating a trail via the CLI without any overriding options configures Management Events to All types of Read/Writes by default.

Backout plan:

  1. Sign in to the AWS Management Console and open the CloudTrail console at or search for cloudtrail in the search bar
  2. Click on Trails in the left navigation pane
  3. Select the trail you want to delete and click on Delete

Using AWS CLI:

  • Changes can be reverted only using the CLI, not the management console. Clearing the multi-region flag on the trail:

    aws cloudtrail update-trail --name <value> --no-is-multi-region-trail

CIS Controls:

6.2 Activate audit logging 

Ensure that local logging has been enabled on all systems and networking devices.