Skip to content

Latest commit

 

History

History
45 lines (33 loc) · 1.11 KB

AWS063.md

File metadata and controls

45 lines (33 loc) · 1.11 KB

Pattern: Cloudtrail should be enabled in all regions regardless of where your AWS resources are generally homed

Issue: -

Description

When creating Cloudtrail in the AWS Management Console the trail is configured by default to be multi-region, this isn't the case with the Terraform resource. Cloudtrail should cover the full AWS account to ensure you can track changes in regions you are not actively operting in.

Resolution: Enable Cloudtrail in all regions.

Examples

Example of incorrect code:

resource "aws_cloudtrail" "bad_example" {
  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}

Example of correct code:

resource "aws_cloudtrail" "good_example" {
  is_multi_region_trail = true

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}