
Ensure CloudTrail is enabled in all regions

  • Category: Controls
  • Medium
  • Applies to: AWS
  • Coverage: 1 query
  • Asset types: 1 covered

Overview

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).

Rationale

The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally:

  • ensuring that a multi-region trail or an organization trail exists means that unexpected activity occurring in otherwise unused regions is detected
  • ensuring that a multi-region trail or an organization trail exists means that Global Service Logging is enabled for the trail by default, so events generated by AWS global services are recorded
  • for a multi-region trail, configuring management events for all types of Read/Write operations ensures that management operations performed on all resources in an AWS account are recorded

Remediation guidance

NOTE: If you have a multi-region trail, make sure it is created in one of the selected regions. Otherwise, add the region that contains the trail.

Perform the following to enable global (multi-region) CloudTrail logging:

Via the Management Console

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail
  2. Click Trails in the left navigation pane
  3. Click Get Started Now, if presented
     • Click Add new trail
     • Enter a trail name in the Trail name box
     • Set the Apply trail to all regions option to Yes
     • Specify an S3 bucket name in the S3 bucket box
     • Click Create
  4. If 1 or more trails already exist, select the target trail to enable for global logging
  5. Click the edit icon (pencil) next to Apply trail to all regions, click Yes and click Save
  6. Click the edit icon (pencil) next to Management Events, click All for Read/Write Events and click Save

Via CLI

aws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail
aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail
    

Note: Creating a trail via the CLI without providing any overriding options configures Management Events with Read/Write set to All by default.
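An added example, not part of the original control text or the vendor's stored query: a Python check that applies this control's three conditions (multi-region, logging on, management events set to All) to JSON shaped like the output of `aws cloudtrail describe-trails`, `get-trail-status` and `get-event-selectors`. The trail names and sample values are constructed, and as an assumption of this example, trails that use advanced event selectors are flagged for manual review rather than parsed.

```python
import json

# Constructed sample input, shaped like the JSON printed by
# `aws cloudtrail describe-trails`, `get-trail-status` and `get-event-selectors`.
TRAILS = json.loads("""{"trailList": [
  {"Name": "org-audit",     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": true},
  {"Name": "legacy-single", "HomeRegion": "us-east-1", "IsMultiRegionTrail": false},
  {"Name": "paused",        "HomeRegion": "us-east-1", "IsMultiRegionTrail": true},
  {"Name": "write-only",    "HomeRegion": "us-east-1", "IsMultiRegionTrail": true}
]}""")
ALL_RW = {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]}
STATUS = {"org-audit": {"IsLogging": True}, "legacy-single": {"IsLogging": True},
          "paused": {"IsLogging": False}, "write-only": {"IsLogging": True}}
SELECTORS = {"org-audit": ALL_RW, "legacy-single": ALL_RW, "paused": ALL_RW,
             "write-only": {"EventSelectors": [
                 {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]}}


def trail_findings(trail, status, selectors):
    """Return the reasons a trail fails the control; an empty list means it passes."""
    reasons = []
    if not trail.get("IsMultiRegionTrail"):
        reasons.append("not multi-region")
    if not status.get("IsLogging"):
        reasons.append("logging stopped")
    if selectors.get("AdvancedEventSelectors"):
        # Assumption of this example: advanced selectors are not parsed here.
        reasons.append("advanced event selectors: review manually")
    elif not any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
                 for s in selectors.get("EventSelectors") or []):
        reasons.append("management events not set to All read/write")
    return reasons


def evaluate(trails, statuses, selectors):
    """Return (names of passing trails, per-trail findings) for one account."""
    report = {t["Name"]: trail_findings(t, statuses.get(t["Name"], {}),
                                        selectors.get(t["Name"], {}))
              for t in trails["trailList"]}
    return [name for name, reasons in report.items() if not reasons], report


if __name__ == "__main__":
    passing, report = evaluate(TRAILS, STATUS, SELECTORS)
    print("control passes" if passing else "control fails", passing)
    for name, reasons in report.items():
        print(f"  {name}: {', '.join(reasons) or 'ok'}")
```

The control is satisfied when at least one trail has no findings. The `IsLogging` condition matters after CLI remediation in particular, because a trail created with `aws cloudtrail create-trail` does not record events until `aws cloudtrail start-logging --name <trail_name>` is run.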

Impact

S3 lifecycle features can be used to manage the accumulation of logs over time. See the following AWS resource for more information on these features:

  1. http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html

Default Value

Not Enabled

References

  1. CCE-78913-1
  2. CIS CSC v6.0 #14.6
  3. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events
  4. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html?icmpid=docs_cloudtrail_console#logging-management-events
  5. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html#cloud-trail-supported-services-data-events

Multiple Remediation Paths

AWS

SERVICE-WIDE (RECOMMENDED when many resources are affected): Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.

aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml

ASSET-LEVEL: Apply the resource-specific remediation steps above to only the affected assets.

PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.

References for Service-Wide Patterns

  • AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
  • AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

  • AWS: deploy/adjust organization conformance packs and policy guardrails.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml

2. Remediate Existing Affected Assets

  • Execute the control-specific Console/CLI steps documented above for each flagged resource.
  • Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

  • Re-scan after each remediation batch.
  • Track exceptions with owner and expiry date.
  • Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

AWS Multi-region cloud trails with logging enabled

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

{
  AWSLogging1 {...AssetFragment}
}