CloudTrail trails should have CloudWatch log integration enabled


Configure every CloudTrail trail to deliver its log events to a CloudWatch Logs log group in addition to the S3 bucket. Once events are in CloudWatch Logs, metric filters can match specific activity (a particular IAM user, API call or resource) and CloudWatch alarms can fire when a filter's count crosses a threshold, which gives near-real-time alerting instead of after-the-fact searches through S3 objects. Setting a log group ARN on the trail is not enough on its own: CloudTrail also needs an IAM role it can assume to write to the group, and a trail whose most recent CloudWatch Logs delivery is more than a day old should be treated as failing this check even though the integration appears configured.

Console Remediation Steps

  • Navigate to CloudTrail.

  • Click View trails.

  • Edit each trail: under CloudWatch Logs choose Enabled, select or create a log group, select or create an IAM role that CloudTrail can assume to write to that group, then save the trail.

CLI Remediation Steps

  • Enable CloudWatch Logs integration for each trail. The log group must already exist, and the role must trust cloudtrail.amazonaws.com and allow logs:CreateLogStream and logs:PutLogEvents on that log group:

    • aws cloudtrail update-trail --name <trail_name> --cloudwatch-logs-log-group-arn <cloudtrail_log_group_arn> --cloudwatch-logs-role-arn <cloudtrail_cloudwatchLogs_role_arn>

  • Afterwards confirm delivery is actually working: the trail's status (aws cloudtrail get-trail-status) should show a recent LatestCloudWatchLogsDeliveryTime and no LatestCloudWatchLogsDeliveryError.
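The following is an added example, not code from this page or from any benchmark tooling: a Python audit that applies the check behind this recommendation to the output of describe-trails and get-trail-status, plus a helper that produces the trust and permissions policy documents the delivery role needs. The trail names, ARNs, timestamps and account ID 123456789012 in the sample data are constructed for illustration; the optional live path assumes boto3 and AWS credentials.

```python
"""Audit for "CloudTrail trails should have CloudWatch log integration enabled".

Added example, not from the original page. Checks the fields a CIS-style
audit inspects: the trail has a CloudWatch Logs log group and delivery role,
is logging, and has delivered to CloudWatch Logs within the last day.
"""
from datetime import datetime, timedelta, timezone
import json

MAX_DELIVERY_AGE = timedelta(days=1)  # audit rule: last delivery within one day


def _as_datetime(value):
    """get-trail-status gives ISO-8601 strings on the CLI and datetimes in boto3."""
    if value is None or isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_trail(trail, status, now=None):
    """Return a finding string for a non-compliant trail, or None if compliant.

    trail:  one element of the describe-trails 'trailList'
    status: the get-trail-status response for that trail
    """
    now = now or datetime.now(timezone.utc)
    if not trail.get("CloudWatchLogsLogGroupArn"):
        return "no CloudWatch Logs log group configured"
    if not trail.get("CloudWatchLogsRoleArn"):
        return "log group configured but no IAM role for CloudTrail to assume"
    if not status.get("IsLogging"):
        return "trail is not logging"
    last = _as_datetime(status.get("LatestCloudWatchLogsDeliveryTime"))
    if last is None:
        return "no delivery to CloudWatch Logs has succeeded yet"
    if now - last > MAX_DELIVERY_AGE:
        return f"last CloudWatch Logs delivery at {last.isoformat()} is older than one day"
    if status.get("LatestCloudWatchLogsDeliveryError"):
        return "delivery error: " + status["LatestCloudWatchLogsDeliveryError"]
    return None


def audit(trails, statuses, now=None):
    """Return [(trail_name, finding)] for every non-compliant trail."""
    findings = []
    for trail in trails:
        finding = evaluate_trail(trail, statuses.get(trail["Name"], {}), now)
        if finding:
            findings.append((trail["Name"], finding))
    return findings


def delivery_role_policies(log_group_arn):
    """Trust and permissions documents for the role passed as
    --cloudwatch-logs-role-arn: CloudTrail may assume it, and may only create
    streams and put events in the chosen log group (least privilege)."""
    base = log_group_arn[:-2] if log_group_arn.endswith(":*") else log_group_arn
    trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}
    permissions = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": [f"{base}:log-stream:*"]}]}
    return trust, permissions


# Constructed sample data (hypothetical account 123456789012, not real output).
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
LOG_GROUP = "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/logs:*"
ROLE = "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role"
SAMPLE_TRAILS = [
    {"Name": "org-trail", "CloudWatchLogsLogGroupArn": LOG_GROUP,
     "CloudWatchLogsRoleArn": ROLE},
    {"Name": "s3-only-trail"},                       # never integrated
    {"Name": "stale-trail", "CloudWatchLogsLogGroupArn": LOG_GROUP,
     "CloudWatchLogsRoleArn": ROLE},                  # integrated, but broken
]
SAMPLE_STATUS = {
    "org-trail": {"IsLogging": True,
                  "LatestCloudWatchLogsDeliveryTime": "2024-05-01T11:55:00Z"},
    "s3-only-trail": {"IsLogging": True},
    "stale-trail": {"IsLogging": True,
                    "LatestCloudWatchLogsDeliveryTime": "2024-04-20T09:00:00Z",
                    "LatestCloudWatchLogsDeliveryError": "AccessDenied"},
}


def audit_live_account():
    """Same check against a real account (assumes boto3 and credentials)."""
    import boto3  # only needed for the live path
    ct = boto3.client("cloudtrail")
    trails = ct.describe_trails(includeShadowTrails=False)["trailList"]
    statuses = {t["Name"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    return audit(trails, statuses)


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_NOW):
        print(f"{name}: {finding}")
    print(json.dumps(delivery_role_policies(LOG_GROUP)[1], indent=2))
```

Run as-is it reports the two sample trails that fail (one never integrated, one whose last delivery is stale and errored) and prints the permissions policy scoped to the sample log group; `audit_live_account()` runs the same evaluation against an account. The staleness check is what catches the common failure mode where the trail looks integrated in the console but the role has lost its permissions.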