AWS CloudTrail Is Not Enabled In All Regions

Checks to ensure that CloudTrail is enabled across all regions. AWS CloudTrail is a service that enables governance, compliance, operational & risk auditing of the AWS account. It is a compliance and security best practice to turn on CloudTrail across different regions to get a complete audit trail of activities across various services.

Policy Details

Policy Subtype
Run, Build
Template Type

Build Rules

AWS CloudTrail is not enabled in all regions.
JSON Query:
$.Resources.*[?(@.Type=='AWS::CloudTrail::Trail')].Properties.IsMultiRegionTrail any null or $.Resources.*[?(@.Type=='AWS::CloudTrail::Trail')].Properties.IsMultiRegionTrail anyFalse
Recommended solution for AWS CloudTrail is enabled in all regions.
It is recommended that CloudTrail logs are enabled in all regions. Please make sure your template has "IsMultiRegionTrail" set to True.
For example:

Run Rule Recommendation

  1. Login to AWS Console and navigate to the 'CloudTrail' service.
  2. If there are no CloudTrails in the account, create a new trail and select 'Yes' to 'Apply trail to all regions' setting.
  3. If the CloudTrail already exists for the account, make sure that under configuration > Trail Settings, 'Apply trail to all regions' is set to Yes.
Remediation CLI Command:
aws cloudtrail update-trail --name ${resourceName} --region ${region} --include-global-service-events --is-multi-region-trail
CLI Command Description:
This CLI command requires 'cloudtrail:UpdateTrail' permission. Successful execution will enable the CloudTrail in all regions.


There are 13 standards that are applicable to this policy:
  • HITRUST CSF v9.3
  • CIS v1.2.0 (AWS)
  • ISO 27001:2013
  • NIST 800-171 Rev1
  • GDPR
  • MITRE ATT&CK [Beta]
  • NIST 800-53 Rev4
  • SOC 2
  • PCI DSS v3.2
  • CCPA 2018

Recommended For You