Profile Applicability: Level 1


AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command-line tools, and higher-level AWS services (such as CloudFormation).


The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally:

  • A multi-region trail ensures that unexpected activity in otherwise unused regions is detected, rather than going unrecorded because no trail was ever configured there
  • A multi-region trail has Global Service Event logging enabled by default, so events generated by AWS global services (for example IAM and STS) are recorded
  • Configuring a multi-region trail's management events for all Read/Write types ensures that management operations performed on all resources in the account are recorded


Audit:

Perform the following to determine if CloudTrail is enabled for all regions: Via the Management Console

1. Sign in to the AWS Management Console and open the CloudTrail console at    or search for CloudTrail in the search bar

2. Click on Trails in the left navigation pane

    You will be presented with a list of trails across all regions 

3. Ensure at least one Trail has YES specified in the Multi-region trail column

       Then check the following for that trail as well:

4. Click on a trail via the link in the Name column 

5. Ensure the trail status is Logging

6. Ensure Multi-region trail is set to YES

7. In the Management events section, ensure Read/Write events (API activity) is set to All
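The same three conditions (a multi-region trail exists, it is logging, and its management events cover all Read/Write activity) can be checked from the JSON that the CLI returns. The block below is an added example, not part of the original page or of any AWS tooling: it evaluates constructed sample responses shaped like the output of `aws cloudtrail describe-trails`, `aws cloudtrail get-trail-status --name <TrailARN>` and `aws cloudtrail get-event-selectors --trail-name <TrailARN>`. The account number, trail names and bucket name are fictitious, and the sample documents were written by hand rather than captured from a real account. It also handles the advanced event selector form, which the console writes for newer trails and which reports management events differently from the basic `EventSelectors` form.

```python
"""Offline check of the audit conditions above against CloudTrail API output.
Added example; inputs are constructed samples, not real account data."""
from typing import Dict, List, Optional

ACCOUNT = "111122223333"  # constructed, not a real account id
REGIONAL_ARN = f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/regional-only"
GLOBAL_ARN = f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/all-regions"

# Constructed describe-trails output: one region-scoped trail, one multi-region trail.
DESCRIBE_TRAILS = {"trailList": [
    {"Name": "regional-only", "S3BucketName": "example-logs", "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": False,
     "LogFileValidationEnabled": False, "TrailARN": REGIONAL_ARN},
    {"Name": "all-regions", "S3BucketName": "example-logs", "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
     "LogFileValidationEnabled": True, "TrailARN": GLOBAL_ARN},
]}
# Constructed get-trail-status output, keyed by trail ARN.
TRAIL_STATUS = {REGIONAL_ARN: {"IsLogging": True}, GLOBAL_ARN: {"IsLogging": True}}
# Constructed get-event-selectors output, keyed by trail ARN.
EVENT_SELECTORS = {
    # Basic selectors: this trail only records write (mutating) management calls.
    REGIONAL_ARN: {"TrailARN": REGIONAL_ARN, "EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True, "DataResources": []}]},
    # Advanced selectors: management events with no readOnly restriction, i.e. reads and writes.
    GLOBAL_ARN: {"TrailARN": GLOBAL_ARN, "AdvancedEventSelectors": [
        {"Name": "Management events", "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Management"]}]}]},
}


def management_read_write_type(selectors: dict) -> Optional[str]:
    """Return "All", "ReadOnly" or "WriteOnly" for management events, or None when
    the trail does not record management events. Handles both selector forms."""
    modes = set()
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents"):
            modes.add(sel.get("ReadWriteType", "All"))
    for sel in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if "Management" not in fields.get("eventCategory", {}).get("Equals", []):
            continue
        read_only = fields.get("readOnly", {}).get("Equals")
        if read_only is None:          # no readOnly filter means both reads and writes
            modes.add("All")
        else:
            modes.add("ReadOnly" if read_only == ["true"] else "WriteOnly")
    if "All" in modes or {"ReadOnly", "WriteOnly"} <= modes:
        return "All"
    return modes.pop() if modes else None


def audit_trail(trail: dict, status: dict, selectors: dict) -> List[str]:
    """Findings for one trail; an empty list means the trail satisfies the check."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("not a multi-region trail")
    # Multi-region trails include global service events by default, but the flag
    # can be switched off on an existing trail, so it is checked explicitly.
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events not included")
    if not status.get("IsLogging"):
        findings.append("trail is not logging")
    rw = management_read_write_type(selectors)
    if rw != "All":
        findings.append(f"management events Read/Write type is {rw or 'none'}, not All")
    return findings


def audit_account(describe: dict, statuses: Dict[str, dict],
                  selectors: Dict[str, dict]) -> Dict[str, object]:
    """The check passes when at least one trail has no findings."""
    per_trail = {t["Name"]: audit_trail(t, statuses[t["TrailARN"]], selectors[t["TrailARN"]])
                 for t in describe["trailList"]}
    return {"compliant": any(not f for f in per_trail.values()), "findings": per_trail}


if __name__ == "__main__":
    import json
    print(json.dumps(audit_account(DESCRIBE_TRAILS, TRAIL_STATUS, EVENT_SELECTORS), indent=2))
```

Run against a real account, the three constructed dictionaries would be replaced by the parsed output of the corresponding `aws cloudtrail` commands; note that `describe-trails` lists a multi-region trail from every region, so deduplicating on `TrailARN` is enough to avoid counting it more than once.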


Remediation:

If you already have a trail that is specific to a single region and want to make it multi-region, follow the steps for converting a single-region trail in the AWS CloudTrail documentation.

Otherwise, to create a new trail that enables global (multi-region) CloudTrail logging: Via the Management Console 

1. Sign in to the AWS Management Console and open the CloudTrail console at    or search for CloudTrail in the search bar

2. Click on Trails in the left navigation pane 

3. Click Add new trail (new trails are created as multi-region by default)


    1. Enter a trail name in the Trail name box 

    2. Specify an S3 bucket; you can use an existing bucket or create a new one. 

    3. Enable SSE-KMS encryption to encrypt log files; you can use an existing KMS key (CMK) or create a new one. 

    4. Additional settings. You have the option to enable Log file validation, which lets you determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, and to configure an SNS topic for delivery notifications.




5. Configure CloudWatch Logs to monitor your trail logs and notify you when specific activity occurs. Give the log group name and attach an IAM role; you can create a new role or use an existing one.


Click ‘Next’


  1. Events: choose the types of events that you want to log.
  2. Management events: ensure both Read and Write activity is selected for logging.



Click ‘Next’



  1. Review the settings and click Create trail.


You are done creating the new trail. 


Note: Creating a trail via the CLI without specifying any event selectors configures management events with a Read/Write type of All by default.
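For accounts audited by script rather than by hand, the remediation can be expressed as the exact `aws cloudtrail` commands that move a trail from its observed state to the required one. The block below is an added example, not from the page or from AWS; it never calls AWS, it only builds commands for an operator to review and run. The trail name, bucket name and region are hypothetical. `trail` is one entry from `describe-trails` (or None if no trail exists), `is_logging` comes from `get-trail-status`, and `read_write_type` is the management `ReadWriteType` reported by `get-event-selectors`. One caveat a practitioner hits in practice is baked in: `update-trail`, `start-logging` and `put-event-selectors` must be called in the trail's home region, so each command carries `--region`.

```python
"""Build the aws cloudtrail CLI commands that bring a trail to the multi-region,
logging, all-management-events state. Added example; does not call AWS."""
import shlex
from typing import List, Optional

# Selector equivalent to the console's "Read/Write events: All" setting, and the
# default the CLI applies when create-trail runs without event selectors.
ALL_MANAGEMENT_EVENTS = '[{"ReadWriteType":"All","IncludeManagementEvents":true}]'


def plan_remediation(trail: Optional[dict], is_logging: bool, read_write_type: Optional[str],
                     *, new_trail_name: str = "all-regions",
                     bucket: str = "example-cloudtrail-logs") -> List[str]:
    """Return the commands needed; an empty list means nothing to change.
    new_trail_name and bucket are hypothetical defaults used only when no trail exists."""
    cmds: List[str] = []
    if trail is None:
        # New trails are multi-region and record all management events by default;
        # the flags are spelled out anyway so the intent survives a default change.
        cmds.append(" ".join([
            "aws cloudtrail create-trail", "--name", new_trail_name,
            "--s3-bucket-name", bucket, "--is-multi-region-trail",
            "--include-global-service-events", "--enable-log-file-validation"]))
        cmds.append(f"aws cloudtrail start-logging --name {new_trail_name}")
        return cmds

    name = trail["Name"]
    # These three APIs reject calls made outside the trail's home region.
    region = f"--region {trail['HomeRegion']}"
    flags = []
    if not trail.get("IsMultiRegionTrail"):
        flags.append("--is-multi-region-trail")
    if not trail.get("IncludeGlobalServiceEvents"):
        flags.append("--include-global-service-events")
    if flags:
        cmds.append(f"aws cloudtrail update-trail {region} --name {name} " + " ".join(flags))
    if not is_logging:
        cmds.append(f"aws cloudtrail start-logging {region} --name {name}")
    if read_write_type != "All":
        cmds.append(f"aws cloudtrail put-event-selectors {region} --trail-name {name} "
                    f"--event-selectors {shlex.quote(ALL_MANAGEMENT_EVENTS)}")
    return cmds


if __name__ == "__main__":
    # Constructed state: a single-region trail that has stopped logging and only records writes.
    observed = {"Name": "regional-only", "HomeRegion": "eu-west-1",
                "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": False}
    for cmd in plan_remediation(observed, is_logging=False, read_write_type="WriteOnly"):
        print(cmd)
    for cmd in plan_remediation(None, is_logging=False, read_write_type=None):
        print(cmd)
```

The generated `put-event-selectors` call replaces the trail's existing selectors, so any data event selectors the trail already has must be merged into the JSON before running it rather than overwritten.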


Impact: S3 lifecycle features can be used to manage the accumulation of logs over time. See the following AWS resource for more information on these features: 



Default Value: Not Enabled





CIS Controls:

6.2 Activate audit logging 

Ensure that local logging has been enabled on all systems and networking devices.