aws-cloudtrail-enable-all-regions.md

File metadata and controls

45 lines (33 loc) · 1.1 KB

Pattern: Missing use of multi-region AWS CloudTrail

Issue: -

Description

When you create a trail in the AWS Management Console it is configured as multi-region by default; the Terraform `aws_cloudtrail` resource does not do this. A trail should cover the full AWS account so that you can track changes in regions you are not actively operating in.

Resolution: Enable CloudTrail in all regions.

Examples

Example of incorrect code:

```hcl
resource "aws_cloudtrail" "bad_example" {
  # name and s3_bucket_name are required by the provider; the values are placeholders
  name           = "bad-example-trail"
  s3_bucket_name = "example-cloudtrail-logs"

  # is_multi_region_trail is not set, so it defaults to false:
  # only the region this trail is created in is covered
  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}
```

Example of correct code:

```hcl
resource "aws_cloudtrail" "good_example" {
  # name and s3_bucket_name are required by the provider; the values are placeholders
  name           = "good-example-trail"
  s3_bucket_name = "example-cloudtrail-logs"

  # record management and data events from every region in the account
  is_multi_region_trail = true

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}
```
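The following is an added illustration of the check this rule performs, not code from the rule's own implementation: a small Python scanner that walks `aws_cloudtrail` resource blocks in Terraform text and reports every trail that is not explicitly multi-region. It is a regex-and-brace-matching approximation of HCL, not a full parser, and the sample configuration it scans is constructed for the example.

```python
import re

# Constructed sample: three trails, only one of which is multi-region.
SAMPLE_HCL = """
resource "aws_cloudtrail" "bad_example" {
  name           = "bad"
  s3_bucket_name = "logs"
  event_selector {
    read_write_type = "All"
  }
}

resource "aws_cloudtrail" "good_example" {
  name                  = "good"
  s3_bucket_name        = "logs"
  is_multi_region_trail = true
}

resource "aws_cloudtrail" "explicit_false" {
  name                  = "single"
  s3_bucket_name        = "logs"
  is_multi_region_trail = false
}
"""

RESOURCE_RE = re.compile(r'resource\s+"aws_cloudtrail"\s+"([^"]+)"\s*\{')
# The attribute is only meaningful at the top level of the resource body.
FLAG_RE = re.compile(r'^\s*is_multi_region_trail\s*=\s*(true|false)\s*$', re.MULTILINE)


def _block_body(text, open_brace):
    """Return the text between the brace at `open_brace` and its matching close.
    Nested blocks such as event_selector are skipped by tracking depth;
    braces inside comments or strings are not handled (simplifying assumption)."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in aws_cloudtrail block")


def find_single_region_trails(hcl):
    """Return (resource_name, reason) for each trail that does not cover all regions.
    The provider default for is_multi_region_trail is false, so an absent attribute
    is reported just like an explicit false."""
    findings = []
    for match in RESOURCE_RE.finditer(hcl):
        body = _block_body(hcl, match.end() - 1)
        flag = FLAG_RE.search(body)
        if flag is None:
            findings.append((match.group(1), "is_multi_region_trail not set (defaults to false)"))
        elif flag.group(1) == "false":
            findings.append((match.group(1), "is_multi_region_trail explicitly set to false"))
    return findings
```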