Help Center
Go back to application
Help Center
Go back to application
Platform Terms Glossary
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risksApplying controls to risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainings
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explained
Auto Checks Detailed Explanation
Enforce MFA on the AWS Root AccountVerify CloudTrail is logging management events across all AWS regionsEnsure no IAM AWS-managed policies grant full administrative accessConfirm that Amazon GuardDuty is enabled for threat detectionEnsure the root account does not have any active access keysConfirm IAM Access Analyzer is enabled to monitor access permissionsConfigure a log metric filter and alarm for unauthorized API callsConfigure a log metric filter and alarm for root account usageEnsure customer-managed IAM policies do not grant full administrative accessPrevent IAM identities from having inline policies with unrestricted accessMaintain accurate and up-to-date AWS account contact informationRegister a valid security contact in the AWS account settingsBlock IAM Inline Policies That Enable Privilege EscalationPrevent IAM Inline Policies from Granting Full CloudTrail AccessAvoid Full KMS Access in Inline IAM PoliciesPrevent Overly Permissive Role Assumption in Custom IAM PoliciesPrevent Privilege Escalation via Customer-Managed IAM PoliciesAvoid IAM Policies Granting Full CloudTrail AccessAvoid IAM Policies Granting Unrestricted KMS AccessPrevent IAM Roles from Assigning ReadOnlyAccess Permissions to External AWS AccountsProtect IAM Service Roles from Confused Deputy Attacks Using Proper Trust PoliciesAvoid Provisioning Access Keys During Initial IAM User Creation When Console Login is EnabledDetect IAM Users with Multiple Active Access Keys and Enforce Key Rotation

Verify CloudTrail is logging management events across all AWS regions

Framework Reference: A.8.15 (Logging) Integration: AWS – CloudTrail

Why this matters

CloudTrail is a foundational AWS service for auditing and forensic analysis. It records all API activity and user interactions with your AWS account. Without CloudTrail configured to cover all regions, malicious or accidental actions in unused or forgotten regions may go undetected.

Enabling a multi-region trail ensures:

Global service activity is captured

Management events like resource creation, updates, and deletions are logged

You meet audit and compliance requirements

Without this, a bad actor could perform actions in a region not monitored by CloudTrail.

What this check does

This check verifies that:

At least one multi-region CloudTrail trail is active

Management events are logged

Both read and write activities are captured

The check passes if all of the above conditions are true.

How to fix it

From the AWS Console

Sign in to the AWS CloudTrail Console

Click Trails in the left-hand menu

Click Add new trail (or Get started now, if no trails exist)

Enter a name for the trail

Make sure multi-region is enabled (default when created via console)

Set an S3 bucket to store logs

(Optional) Specify a KMS key for encryption

Under Management Events:

Make sure it's enabled

Select both Read and Write API activity

Click Create Trail

Using AWS CLI

# Create a new multi-region trail aws cloudtrail create-trail \  --name <trail-name> \  --bucket-name <your-s3-bucket> \  --is-multi-region-trail # Update an existing trail to be multi-region aws cloudtrail update-trail \  --name <trail-name> \  --is-multi-region-trail

When using CLI, read/write management events are enabled by default unless otherwise specified.

Exceptions

In rare cases, you may restrict logging to specific regions for performance or cost concerns. If so, document the rationale clearly and ensure compensating controls are in place (e.g., restricted region usage, dedicated monitoring).

Further Resources

CloudTrail Concepts – Management Events

Enable Logging of Management Events

Supported Services for Data Events

Was this article helpful?

Powered by Product Fruits