
Json Yaml Is Multi Region False

Description

Detects AWS::CloudTrail::Trail resources in CloudFormation templates (JSON or YAML) whose IsMultiRegionTrail property is set to false or is absent. A single-region trail records API activity only in the region where it was created, so calls made in every other region are not logged at all. An attacker who gains credentials can operate in a region the organization does not normally use and leave no CloudTrail record, and incident responders lose the ability to reconstruct what happened there.

Weakness:

400 - Traceability Loss - AWS

Category: Functionality Abuse

Detection Strategy

- Scan CloudFormation template files for AWS::CloudTrail::Trail resource definitions.
- Check whether the IsMultiRegionTrail property is explicitly set to false or is missing. A missing property is equivalent to false, because CloudFormation defaults IsMultiRegionTrail to false.
- Report a vulnerability for every trail that is not configured to log all regions.
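The three steps above, implemented as a small stand-alone checker. This is an added example written for this page, not the scanner's own code. It works on the parsed template dictionary, so it applies equally to JSON templates (loaded here with the standard library) and to YAML templates once they have been loaded with a loader that understands CloudFormation short-form tags such as !Ref. It goes one step beyond the text by also flagging trails whose IsMultiRegionTrail is set through an intrinsic function (a Ref to a parameter, an Fn::If, and so on), since the effective value cannot be known statically and should be reviewed by hand. The template, bucket name and parameter name are constructed for the example.

```python
"""Static check for single-region CloudTrail trails in CloudFormation templates."""
import json

TRAIL_TYPE = "AWS::CloudTrail::Trail"
PROPERTY = "IsMultiRegionTrail"


def _is_true(value):
    """CloudFormation accepts booleans and the strings "true"/"false" here."""
    if isinstance(value, bool):
        return value is True
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False  # anything else is not an affirmative true


def check_trails(template):
    """Return (logical_id, reason) for every trail that is not verifiably multi-region.

    `template` is the parsed CloudFormation document as a dict, so the same check
    serves JSON and YAML once the file has been loaded.
    """
    findings = []
    resources = template.get("Resources") or {}
    for logical_id, resource in resources.items():
        if not isinstance(resource, dict) or resource.get("Type") != TRAIL_TYPE:
            continue
        props = resource.get("Properties") or {}
        if PROPERTY not in props:
            # CloudFormation defaults IsMultiRegionTrail to false, so absence is a finding.
            findings.append((logical_id, f"{PROPERTY} missing; defaults to false"))
            continue
        value = props[PROPERTY]
        if isinstance(value, dict):
            # Intrinsic function such as {"Ref": "Param"} or {"Fn::If": [...]}: the
            # value is decided at deploy time, so flag it for manual review.
            fn = next(iter(value))
            findings.append((logical_id, f"{PROPERTY} set by intrinsic function {fn}; review manually"))
            continue
        if not _is_true(value):
            findings.append((logical_id, f"{PROPERTY} is {value!r}, not true"))
    return findings


def scan_json_template(text):
    """Parse a JSON CloudFormation template and run the trail check over it."""
    return check_trails(json.loads(text))


# Constructed sample template: one explicit false, one missing, one parameterised,
# one correct trail, plus an unrelated resource the check must ignore.
SAMPLE_TEMPLATE = """
{
  "Parameters": {"MultiRegion": {"Type": "String", "Default": "true"}},
  "Resources": {
    "SingleRegionTrail": {
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {"IsLogging": true, "S3BucketName": "example-trail-bucket",
                     "IsMultiRegionTrail": false}
    },
    "DefaultTrail": {
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {"IsLogging": true, "S3BucketName": "example-trail-bucket"}
    },
    "ParamTrail": {
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {"IsLogging": true, "S3BucketName": "example-trail-bucket",
                     "IsMultiRegionTrail": {"Ref": "MultiRegion"}}
    },
    "GoodTrail": {
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {"IsLogging": true, "S3BucketName": "example-trail-bucket",
                     "IsMultiRegionTrail": "true"}
    },
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}
"""

if __name__ == "__main__":
    for logical_id, reason in scan_json_template(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

Running the block reports SingleRegionTrail, DefaultTrail and ParamTrail and stays silent on GoodTrail and the bucket. Treating an intrinsic function as a finding is a deliberate choice: a trail whose region scope depends on a stack parameter is multi-region only if every deployment passes the right value, which a template scan cannot confirm.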

Vulnerable code example

Resources:
  myTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      S3BucketName: my-cloudtrail-logs-bucket  # Required property; assumes an existing bucket with a CloudTrail bucket policy
      EnableLogFileValidation: false  # Also weak (separate finding): without digest files, log tampering cannot be detected
      IsMultiRegionTrail: false      # Vulnerable: the trail logs only the region it is created in; omitting the property has the same effect

✅ Secure code example

Resources:
  myTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      S3BucketName: my-cloudtrail-logs-bucket  # Required property; assumes an existing bucket with a CloudTrail bucket policy
      EnableLogFileValidation: true    # Produce signed digest files so tampering with delivered logs can be detected
      IsMultiRegionTrail: true         # Log API activity from every region, including ones the account does not actively use