CloudTrail is not integrated with CloudWatch Affecting CloudTrail service in AWS
Severity Framework
Snyk CCSS
Rule category
Logging / Audit
Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
AWS-Well-Architected
CIS-AWS
CIS-Controls
HIPAA
NIST-800-53
PCI-DSS
SOC-2
- Snyk ID SNYK-CC-00003
- credit Snyk Research Team
Description
If a user configures CloudTrail to send log events to CloudWatch Logs, they can then create CloudWatch Logs metric filters to search for specific terms such as a user or resource, or create CloudWatch alarms to trigger based on thresholds or anomalous activity.
How to fix?
Configure the aws_cloudtrail cloud_watch_logs_group_arn or cloud_watch_logs_role_arn field.
Ensure that the aws_cloudtrail resource has a cloud_watch_logs_group_arn, and optionally, a cloud_watch_logs_role_arn if not using the default role ARN.
Example Configuration
resource "aws_cloudtrail" "example" {
cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.example.arn}:*"
# other required fields here
}