🟠 CIS AWS 3.1 | Rule: AWS-LOG-001 | Severity: critical

Ensure CloudTrail is enabled in all regions

Description

AWS CloudTrail must be enabled in all regions to capture API activity.

⚠️ Risk Impact

Without CloudTrail, API calls (resource creation, deletion, permission changes) are not logged. Attack activity cannot be investigated.

🔍 How EchelonGraph Detects This

AWS-LOG-001 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as critical-severity findings with remediation guidance.

🖥️ Manual Verification

terminal
aws cloudtrail describe-trails --query 'trailList[*].{Name:Name,IsMultiRegion:IsMultiRegionTrail,Validation:LogFileValidationEnabled,KmsKey:KmsKeyId}'
aws cloudtrail get-trail-status --name main --query 'IsLogging'

The first command lists every trail with its multi-region, log file validation and KMS settings. Whether a trail is actually recording is not part of the describe-trails output; it comes from get-trail-status (IsLogging), so run it for each trail name returned by the first command.

🔧 Remediation

Create a multi-region trail: aws cloudtrail create-trail --name=main --is-multi-region-trail --s3-bucket-name=BUCKET

💀 Real-World Attack Scenario

An attacker compromised an IAM user in us-east-1 and immediately pivoted to eu-west-1 where no CloudTrail was configured. They created backdoor users, modified security groups, and exfiltrated data from RDS — all without any logging. The breach was discovered 6 months later during an unrelated audit.

💰 Cost of Non-Compliance

Multi-region CloudTrail gaps increase breach dwell time by 156%. Average cost: $6.2M vs $3.9M for organizations with complete logging. PCI DSS 10.1 requires logging of all system components — gaps result in immediate non-compliance.

📋 Audit Questions

  1. Is CloudTrail configured as a multi-region trail?
  2. Is CloudTrail actively logging (not paused)?
  3. Are CloudTrail logs encrypted with a CMK?
  4. Are CloudTrail logs validated for integrity?
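The manual verification commands above produce two JSON documents per account (describe-trails and one get-trail-status per trail). The following added example, which is not EchelonGraph's scanner code, turns the four audit questions into a check over those documents. The trail names, account id, bucket and key ARN in the sample payloads are constructed for illustration; only the field names (trailList, IsMultiRegionTrail, LogFileValidationEnabled, KmsKeyId, IsLogging) come from the CloudTrail API.

```python
"""Evaluate CloudTrail configuration against CIS AWS 3.1 (AWS-LOG-001).

Added example, not EchelonGraph's own scanner code. It consumes the JSON shapes
returned by `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status`;
the payloads below are constructed samples, not captured from a real account.
"""
import json

# Constructed sample: output of `aws cloudtrail describe-trails`.
DESCRIBE_TRAILS = json.loads("""
{
  "trailList": [
    {
      "Name": "main",
      "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main",
      "HomeRegion": "us-east-1",
      "S3BucketName": "example-trail-bucket",
      "IsMultiRegionTrail": true,
      "LogFileValidationEnabled": false,
      "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
    },
    {
      "Name": "eu-only",
      "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/eu-only",
      "HomeRegion": "eu-west-1",
      "S3BucketName": "example-trail-bucket",
      "IsMultiRegionTrail": false,
      "LogFileValidationEnabled": true
    }
  ]
}
""")

# Constructed sample: `aws cloudtrail get-trail-status --name <Name>`, keyed by trail name.
TRAIL_STATUS = {
    "main": {"IsLogging": False, "LatestDeliveryTime": 1700000000.0},
    "eu-only": {"IsLogging": True},
}


def audit_trails(describe_output, status_by_name):
    """Return a list of (trail_name, finding) tuples; an empty list means compliant.

    Checks mirror the four audit questions: multi-region coverage, actively
    logging, encrypted with a KMS CMK, and log file validation enabled.
    The account-level finding is emitted when no trail is both multi-region
    and logging, because only such a trail closes the regional blind spot.
    """
    findings = []
    trails = describe_output.get("trailList", [])
    if not trails:
        return [("<account>", "no CloudTrail trail exists in this account")]

    covers_all_regions = False
    for trail in trails:
        name = trail["Name"]
        status = status_by_name.get(name, {})
        multi = trail.get("IsMultiRegionTrail", False)
        logging = status.get("IsLogging", False)  # absent status is treated as not logging
        if multi and logging:
            covers_all_regions = True
        if not multi:
            findings.append((name, "single-region trail; other regions are not covered"))
        if not logging:
            findings.append((name, "trail exists but IsLogging is false (paused or never started)"))
        if not trail.get("KmsKeyId"):
            findings.append((name, "log files are not encrypted with a KMS CMK (SSE-S3 only)"))
        if not trail.get("LogFileValidationEnabled", False):
            findings.append((name, "log file validation disabled; no digest files for tamper detection"))
    if not covers_all_regions:
        findings.insert(0, ("<account>", "no multi-region trail is actively logging"))
    return findings


def is_compliant(describe_output, status_by_name):
    """True when audit_trails reports nothing."""
    return not audit_trails(describe_output, status_by_name)


if __name__ == "__main__":
    for name, finding in audit_trails(DESCRIBE_TRAILS, TRAIL_STATUS):
        print(f"[{name}] {finding}")
```

On the constructed sample the check reports that no multi-region trail is logging: "main" is multi-region but paused and lacks validation, while "eu-only" is logging but covers one region and uses no CMK. The paused-trail case is the one most often missed after a CLI remediation, because create-trail only creates the trail; recording starts when `aws cloudtrail start-logging --name main` is run, which is exactly what IsLogging reports.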

🎯 MITRE ATT&CK Mapping

  • T1562.008 — Disable Cloud Logs
  • T1070 — Indicator Removal

🏗️ Infrastructure as Code Fix

main.tf
# aws_s3_bucket.trail and aws_kms_key.trail are defined elsewhere in the
# configuration. The bucket needs a policy granting cloudtrail.amazonaws.com
# s3:PutObject (and s3:GetBucketAcl), and the key policy must let CloudTrail
# use the key; otherwise trail creation fails.
resource "aws_cloudtrail" "main" {
  name                       = "main-trail"
  s3_bucket_name             = aws_s3_bucket.trail.id
  is_multi_region_trail      = true   # covers every region, including ones enabled later
  enable_log_file_validation = true   # signed digest files allow tamper detection
  kms_key_id                 = aws_kms_key.trail.arn  # SSE-KMS with a customer managed key
}

⚡ Common Pitfalls

  • Creating a single-region trail and assuming it covers all regions
  • Not enabling log file validation (tampering with delivered log files cannot be detected)
  • CloudTrail being paused or deleted by cost-cutting automation

📈 Business Value

Multi-region CloudTrail is the foundation of AWS security. It enables incident investigation, compliance auditing, and threat detection. Without it, you're flying blind.

⏱️ Effort Estimate

Manual

1 hour to create and configure a multi-region trail

With EchelonGraph

EchelonGraph verifies CloudTrail configuration across all regions

🔗 Cross-Framework References

SOC2-CC7.2 | ISO27001-A.12.4.1 | PCI-10.1 | HIPAA-164.312(b)

Automate CIS AWS 3.1 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
