Ensure that CloudTrail trails are integrated with CloudWatch Logs

AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs in a specified S3 bucket for long-term analysis, real-time analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a single CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.

Risk Level: Low
Cloud Entity: CloudTrail
CloudGuard Rule ID: D9.AWS.LOG.03
Category: Management Tools


CloudTrail should have cloudWatchLogsRoleArn and status.latestCloudWatchLogsDeliveryTime after (-1, 'days')
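The rule logic above (a CloudWatch Logs role must be configured on the trail, and the most recent delivery to CloudWatch Logs must be less than one day old) expressed as an audit script. This is an added example and not CloudGuard's own implementation; the trail and status records are constructed inline in the shape boto3 returns for DescribeTrails and GetTrailStatus, and the optional live fetch assumes boto3 is installed and that credentials with cloudtrail:DescribeTrails and cloudtrail:GetTrailStatus are available.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample below evaluates deterministically.
FIXED_NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample data, shaped like boto3's DescribeTrails "trailList"
# entries and GetTrailStatus responses. Account id and ARNs are made up.
SAMPLE_TRAILS = [
    {
        "Name": "compliant-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/compliant-trail",
        "IsMultiRegionTrail": True,
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:cloudtrail:*",
        "CloudWatchLogsRoleArn": "arn:aws:iam::111111111111:role/cloudtrail-to-cwl",
    },
    {
        "Name": "stale-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/stale-trail",
        "IsMultiRegionTrail": False,
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:cloudtrail-old:*",
        "CloudWatchLogsRoleArn": "arn:aws:iam::111111111111:role/cloudtrail-to-cwl",
    },
    {
        # Integration never configured: no log group and no role on the trail.
        "Name": "no-cwl-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/no-cwl-trail",
        "IsMultiRegionTrail": False,
    },
]

SAMPLE_STATUS = {
    "arn:aws:cloudtrail:us-east-1:111111111111:trail/compliant-trail": {
        "IsLogging": True,
        "LatestCloudWatchLogsDeliveryTime": FIXED_NOW - timedelta(hours=2),
    },
    "arn:aws:cloudtrail:us-east-1:111111111111:trail/stale-trail": {
        "IsLogging": True,
        "LatestCloudWatchLogsDeliveryTime": FIXED_NOW - timedelta(days=3),
        "LatestCloudWatchLogsDeliveryError": "<constructed delivery error text>",
    },
    "arn:aws:cloudtrail:us-east-1:111111111111:trail/no-cwl-trail": {"IsLogging": True},
}


def evaluate_trail(trail, status, now=None, max_age=timedelta(days=1)):
    """Apply the D9.AWS.LOG.03 logic to one trail: a CloudWatch Logs role must be
    configured and the latest delivery to CloudWatch Logs must be within max_age.
    Returns (compliant, reason)."""
    now = now or datetime.now(timezone.utc)
    if not trail.get("CloudWatchLogsRoleArn"):
        return False, "CloudWatchLogsRoleArn is not set; trail is not integrated with CloudWatch Logs"
    last = status.get("LatestCloudWatchLogsDeliveryTime")
    if last is None:
        # Role present but CloudTrail has never delivered: usually a role trust
        # or permissions problem rather than a missing configuration.
        return False, "CloudWatchLogsRoleArn is set but no delivery to CloudWatch Logs has ever succeeded"
    if last.tzinfo is None:
        last = last.replace(tzinfo=timezone.utc)
    age = now - last
    if age > max_age:
        err = status.get("LatestCloudWatchLogsDeliveryError")
        detail = f"; last delivery error: {err}" if err else ""
        return False, f"last CloudWatch Logs delivery was {age} ago (limit {max_age}){detail}"
    return True, f"last CloudWatch Logs delivery was {age} ago"


def evaluate_account(trails, statuses, now=None):
    """Map each trail name to its (compliant, reason) verdict."""
    return {t["Name"]: evaluate_trail(t, statuses.get(t["TrailARN"], {}), now) for t in trails}


def fetch_live(region_name=None):
    """Pull real trails and their status with boto3 (assumed installed, with
    cloudtrail:DescribeTrails and cloudtrail:GetTrailStatus permissions)."""
    import boto3  # imported lazily so the offline sample runs without boto3
    ct = boto3.client("cloudtrail", region_name=region_name)
    trails = ct.describe_trails(includeShadowTrails=False)["trailList"]
    statuses = {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    return trails, statuses


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_live() for a real account.
    for name, (ok, why) in evaluate_account(SAMPLE_TRAILS, SAMPLE_STATUS, now=FIXED_NOW).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {why}")
```

The delivery-time check is what separates a trail that is merely configured from one that is actually shipping events: a role whose trust policy or permissions are wrong leaves LatestCloudWatchLogsDeliveryTime unset or stale, and GetTrailStatus exposes the last delivery error alongside it, which the script surfaces in the reason.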


From Portal

  1. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
  2. Choose the trail name. If you choose a trail that applies to all regions, you will be redirected to the region in which the trail was created.
    You can create a log group or choose an existing log group in the same region as the trail.
    Note: A trail that applies to all regions sends log files from all regions to the CloudWatch Logs log group that you specify.
  3. For CloudWatch Logs, choose Edit.
  4. For New or existing log group, type the log group name, and then choose Continue.
  5. For the IAM role, choose an existing role or create one. If you create an IAM role, type a role name.
  6. Choose Save changes.

From TF

resource "aws_cloudwatch_log_group" "example_log_group" {
  name = "example-cloudtrail-log-group"
}
resource "aws_cloudtrail" "example_cloudtrail" {
  name                       = "example-cloudtrail"
  s3_bucket_name             = aws_s3_bucket.example_bucket.id # bucket for log file storage, defined elsewhere
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.example_log_group.arn}:*" # CloudTrail requires the Log Stream wildcard
  cloud_watch_logs_role_arn  = aws_iam_role.example_cloudtrail_role.arn # role CloudTrail assumes to write to the log group, defined elsewhere
}

From Command Line
To update the CloudTrail to add CloudWatch logs, run:

aws cloudtrail update-trail --name TRAIL-NAME --cloud-watch-logs-log-group-arn LOG-GROUP-ARN --cloud-watch-logs-role-arn ROLE-ARN


  1. https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/update-trail.html
  2. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html#send-cloudtrail-events-to-cloudwatch-logs-console
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail


AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.

Compliance Frameworks

  • AWS CCPA Framework
  • AWS CIS Foundations v. 1.1.0
  • AWS CIS Foundations v. 1.2.0
  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CSA CCM v.3.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS GDPR Readiness
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0