Verify CloudTrail is logging management events across all AWS regions
Why this matters
CloudTrail is a foundational AWS service for auditing and forensic analysis. It records the API calls made in your account by users, roles and AWS services, including console actions, which are API calls under the hood. Without a trail configured to cover all regions, malicious or accidental actions in unused or forgotten regions leave no record and may go undetected.
Enabling a multi-region trail ensures:
Global service activity is captured
Management events like resource creation, updates, and deletions are logged
You meet audit and compliance requirements
Without this, a bad actor could perform actions in a region not monitored by CloudTrail.
What this check does
This check verifies that:
At least one multi-region CloudTrail trail is active
Management events are logged
Both read and write activities are captured
The check passes if all of the above conditions are true.
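The three conditions above, applied to the response shapes returned by the CloudTrail API calls DescribeTrails, GetTrailStatus and GetEventSelectors. This is an added example, not the check's own implementation; the trail, status and selector records it evaluates are constructed sample data. It also covers the case the list above leaves implicit: a trail that uses advanced event selectors logs both Read and Write management events only if its Management selector carries no readOnly restriction.

```python
# Added example (not the page's or any scanner's own code): evaluates the
# check's three conditions against the shapes returned by the CloudTrail API
# calls DescribeTrails, GetTrailStatus and GetEventSelectors. The records
# below are constructed sample data, not captured from a real account.


def logs_all_management_events(selectors):
    """True if a trail's event selectors capture management events of both
    Read and Write type. Classic selectors express this as
    IncludeManagementEvents=True with ReadWriteType="All"; advanced selectors
    as an eventCategory=Management selector with no readOnly field."""
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All":
            return True
    for sel in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if "Management" not in fields.get("eventCategory", {}).get("Equals", []):
            continue
        if "readOnly" in fields:  # restricted to reads only or writes only
            continue
        return True
    return False


def evaluate_trails(trails, status_by_name, selectors_by_name):
    """Apply the check. Returns (passed, reasons) where reasons maps each
    trail name to the list of unmet conditions (empty list = compliant).
    The check passes if at least one trail meets all three conditions."""
    reasons = {}
    for trail in trails:
        name = trail["Name"]
        missing = []
        if not trail.get("IsMultiRegionTrail"):
            missing.append("not multi-region")
        if not status_by_name.get(name, {}).get("IsLogging"):
            missing.append("logging is stopped")
        if not logs_all_management_events(selectors_by_name.get(name, {})):
            missing.append("does not log both Read and Write management events")
        reasons[name] = missing
    passed = any(not missing for missing in reasons.values())
    return passed, reasons


# Constructed sample responses: one trail per failure mode plus one compliant trail.
SAMPLE_TRAILS = [
    {"Name": "regional-only", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False},
    {"Name": "stopped-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True},
    {"Name": "writes-only", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": True},
    {"Name": "audit-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": True},
]
SAMPLE_STATUS = {
    "regional-only": {"IsLogging": True},
    "stopped-trail": {"IsLogging": False},
    "writes-only": {"IsLogging": True},
    "audit-trail": {"IsLogging": True},
}
SAMPLE_SELECTORS = {
    "regional-only": {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    "stopped-trail": {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    "writes-only": {"AdvancedEventSelectors": [{"Name": "Writes", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Management"]},
        {"Field": "readOnly", "Equals": ["false"]}]}]},
    "audit-trail": {"AdvancedEventSelectors": [{"Name": "All management", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Management"]}]}]},
}

if __name__ == "__main__":
    ok, why = evaluate_trails(SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_SELECTORS)
    print("PASS" if ok else "FAIL")
    for name, missing in why.items():
        print(f"  {name}: {'compliant' if not missing else '; '.join(missing)}")
```

To run this against a live account, feed it the output of describe-trails (which lists multi-region trails from any region, as shadow trails are included by default) and call get-trail-status and get-event-selectors with each trail's ARN rather than its name, so the calls succeed outside the trail's home region.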
How to fix it
From the AWS Console
Sign in to the AWS CloudTrail Console
Click Trails in the left-hand menu
Click Add new trail (or Get started now, if no trails exist)
Enter a name for the trail
Make sure multi-region is enabled (default when created via console)
Set an S3 bucket to store logs
(Optional) Specify a KMS key for encryption
Under Management Events:
Make sure it's enabled
Select both Read and Write API activity
Click Create Trail
Using AWS CLI
# Create a new multi-region trail
aws cloudtrail create-trail \
  --name <trail-name> \
  --s3-bucket-name <your-s3-bucket> \
  --is-multi-region-trail

# A newly created trail does not record events until logging is started
aws cloudtrail start-logging --name <trail-name>

# Update an existing trail to be multi-region (run from the trail's home region, or pass the trail ARN as --name)
aws cloudtrail update-trail \
  --name <trail-name> \
  --is-multi-region-trail

# Confirm the trail is logging and captures both Read and Write management events
aws cloudtrail get-trail-status --name <trail-name>
aws cloudtrail get-event-selectors --trail-name <trail-name>

When using the CLI, management events of both Read and Write type are enabled by default for a new trail unless you specify event selectors that say otherwise. Note that the trail's S3 bucket must already exist and carry a bucket policy that allows CloudTrail to write to it, or create-trail will fail.
Exceptions
In rare cases, you may restrict logging to specific regions for performance or cost concerns. If so, document the rationale clearly and ensure compensating controls are in place (e.g., restricted region usage, dedicated monitoring).
Further Resources
CloudTrail Concepts: Management Events