Class CcTrail

CloudKitect CloudTrail Component

Default Configuration

Removal Policy: Retain in Production

Default Alarms

None

Examples

Default Usage

new CcTrail(this, "LogicalId", {});
Copy

Custom Configuration

new CcTrail(this, "LogicalId", {
   bucket: CustomBucket
});
Copy

Compliance

It addresses the following compliance requirements

1. Logfile integrity validation

   • Risk Level: Medium
   • Compliance: CISAWSF, PCI, HIPAA, GDPR, APRA, MAS, NIST4
   • Well Architected Pillar: Security

2. Log all management events

   • Risk Level: Medium
   • Compliance: GDPR, APRA, MAS, NIST4
   • Well Architected Pillar: Security

3. Cloudtrail integrated with CloudWatch

   • Risk Level: Medium
   • Compliance: CISAWSF, PCI, GDPR, APRA, MAS, NIST4
   • Well Architected Pillar: Security

4. Insights must be enabled on management events

   • Risk Level: Medium
   • Compliance: NA
   • Well Architected Pillar: Operational Excellence

5. CloudTrail global services enabled

   • Risk Level: High
   • Compliance: PCI, GDPR, APRA, MAS, NIST4
   • Well Architected Pillar: Security

6. CloudTrail logs encrypted

   • Risk Level: Medium
   • Compliance: CISAWSF, PCI, GDPR, APRA, MAS, NIST4
   • Well Architected Pillar: Security

7. CloudTrail logs should be stored in S3 Bucket that meets regulatory requirements

   • Risk Level: Medium
   • Compliance: NIST4
   • Well Architected Pillar: Security

8. CloudTrail S3 Bucket Logging Enabled

   • Risk Level: High
   • Compliance: CISAWSF, PCI, GDPR, APRA, MAS, NIST4
   • Well Architected Pillar: Security

9. Publicly Accessible CloudTrail Buckets

   • Risk Level: Very High
   • Compliance: CISAWSF, PCI, GDPR, APRA, MAS, NIST4
   • Well Architected Pillar: Security

10. Object lock enabled on cloud trail buckets

    • Risk Level: Medium
    • Compliance: NA
    • Well Architected Pillar: Security

11. Trails are protected from accidental deletion in production

    • Risk Level: Medium
    • Compliance: NIST4
    • Well Architected Pillar: Operational Excellence