Ensure logging for global services is enabled for AWS CloudTrail

MEDIUM

Description

Logging for global services is disabled for AWS CloudTrail. With this setting off, API activity from global (non-regional) services is not delivered to the trail, leaving gaps that make the audit process harder.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and go to the CloudTrail dashboard.
  2. In the left navigation panel, select Trails.
  3. Under the Name column, select the trail name that you need to examine.
  4. Under the Additional Configuration section, set 'Include global services status' to 'Yes'.

In Terraform -

  1. In the aws_cloudtrail resource, set the include_global_service_events field to true.
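The Terraform remediation worked through as an added example (not taken from the page or from any project): an aws_cloudtrail resource with include_global_service_events set to true, together with the S3 bucket and bucket policy a trail needs before it can deliver logs. The bucket name and trail name are constructed values.

```hcl
data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "trail" {
  bucket = "example-cloudtrail-logs" # constructed name; must be globally unique
}

# CloudTrail must be allowed to read the bucket ACL and write log objects.
data "aws_iam_policy_document" "trail" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.trail.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
  statement {
    sid       = "AWSCloudTrailWrite"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.trail.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "trail" {
  bucket = aws_s3_bucket.trail.id
  policy = data.aws_iam_policy_document.trail.json
}

# Non-compliant (flagged by AC_AWS_0037): include_global_service_events = false
# drops calls to global services such as IAM and STS from the trail.
# Compliant: global service events are delivered together with regional ones.
resource "aws_cloudtrail" "audit" {
  name                          = "audit-trail"
  s3_bucket_name                = aws_s3_bucket.trail.id
  include_global_service_events = true
  is_multi_region_trail         = true # one trail covering every region
  enable_log_file_validation    = true # digest files to detect tampered logs
  depends_on                    = [aws_s3_bucket_policy.trail]
}
```

The depends_on is needed because CloudTrail validates bucket permissions at creation time; without the policy in place first, the trail resource fails to create.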

References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#include_global_service_events

Policy Details

Rule Reference ID: AC_AWS_0037
CSP: AWS
Remediation Available: Yes
Resource: aws_cloudtrail
Resource Category: Logging and Monitoring
Resource Type: CloudTrail

Frameworks