Compliance · High severity

AWS Security Hub · CloudTrail

CloudTrail.3: No CloudTrail trail is enabled at all

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub CloudTrail.3 check?

CloudTrail.3 fails when the account has no CloudTrail trail that is enabled and actively logging. A trail that has been created but never started, or that has been stopped, does not count.

Why does CloudTrail.3 matter?

With logging entirely off, there is no record of who did what — every other detective and compliance control is blind, and an incident becomes unauditable. This is one of the most fundamental gaps Security Hub can report; almost nothing else can be trusted until it is closed.

How do I fix CloudTrail.3?

  1. Create at least one trail (ideally multi-Region, see CloudTrail.1) and confirm it is logging.
  2. Send events to a dedicated, locked-down S3 bucket and optionally to CloudWatch Logs for alerting.
  3. Turn on log file validation so tampering is detectable.

Remediation script · bash

# Create one multi-Region trail. With log file validation and CloudWatch delivery it also
# covers CloudTrail.1, CloudTrail.4 and CloudTrail.5; CloudTrail.2 additionally needs --kms-key-id.
# The S3 bucket must already exist with a bucket policy that lets cloudtrail.amazonaws.com
# write to it, otherwise this call fails with InsufficientS3BucketPolicyException.
aws cloudtrail create-trail \
  --name org-audit-trail \
  --s3-bucket-name my-cloudtrail-logs-bucket \
  --is-multi-region-trail \
  --include-global-service-events \
  --enable-log-file-validation \
  --cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:111122223333:log-group:/aws/cloudtrail/org:* \
  --cloud-watch-logs-role-arn arn:aws:iam::111122223333:role/CloudTrail_CloudWatchLogs_Role

# Capture read AND write management events (not data events, which are billed per event).
aws cloudtrail put-event-selectors --trail-name org-audit-trail \
  --event-selectors ReadWriteType=All,IncludeManagementEvents=true

# Defining the trail does not record anything: start it, then verify it is logging (expect "True").
aws cloudtrail start-logging --name org-audit-trail
aws cloudtrail get-trail-status --name org-audit-trail --query IsLogging --output text

# For org-wide coverage, recreate with --is-organization-trail from the management
# or delegated-admin account so every member account inherits it automatically.

Full walkthrough (console steps, edge cases and verification) in the lesson Enable CloudTrail and API activity logging.
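To check the control's logic in a pipeline rather than by eye, the added example below (not part of this lesson or of Security Hub's own evaluator) applies the CloudTrail.3 rule to the JSON shapes returned by `describe-trails` and `get-trail-status`. The two payloads are constructed samples so it runs without credentials; with boto3 they would come from `client.describe_trails()["trailList"]` and `client.get_trail_status(Name=arn)` (the `Name` parameter accepts an ARN, which is what shadow trails from other Regions need). It also surfaces the two silent failure modes the script warns about: a trail that exists but was never started, and a trail that is logging but cannot deliver to S3.

```python
"""Offline evaluation of the Security Hub CloudTrail.3 rule on CLI/boto3-shaped data."""
from dataclasses import dataclass, field

# Constructed sample: one trail created but never started, one multi-Region
# trail that is logging but whose S3 delivery is failing (bucket policy issue).
SAMPLE_TRAILS = [
    {"Name": "legacy-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-trail",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
    {"Name": "org-audit-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-audit-trail",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
]
SAMPLE_STATUS = {  # constructed get-trail-status results, keyed by TrailARN
    "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-trail": {"IsLogging": False},
    "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-audit-trail":
        {"IsLogging": True, "LatestDeliveryError": "AccessDenied"},
}


@dataclass
class Finding:
    status: str                     # "PASSED" or "FAILED", as Security Hub reports it
    logging_trails: list = field(default_factory=list)
    stopped_trails: list = field(default_factory=list)   # defined but not recording
    delivery_errors: dict = field(default_factory=dict)  # logging, but nothing lands in S3


def evaluate_cloudtrail_3(trails, status_by_arn):
    """PASSED if at least one trail reports IsLogging=True; FAILED otherwise."""
    finding = Finding(status="FAILED")
    for trail in trails:
        status = status_by_arn.get(trail["TrailARN"], {})
        if status.get("IsLogging"):
            finding.logging_trails.append(trail["Name"])
            if status.get("LatestDeliveryError"):
                finding.delivery_errors[trail["Name"]] = status["LatestDeliveryError"]
        else:
            finding.stopped_trails.append(trail["Name"])
    if finding.logging_trails:
        finding.status = "PASSED"
    return finding


if __name__ == "__main__":
    result = evaluate_cloudtrail_3(SAMPLE_TRAILS, SAMPLE_STATUS)
    print(f"CloudTrail.3: {result.status}")
    for name in result.stopped_trails:
        print(f"  trail {name} exists but is not logging (run start-logging)")
    for name, err in result.delivery_errors.items():
        print(f"  trail {name} is logging but delivery fails: {err}")
```

A PASSED result with a non-empty `delivery_errors` still means no usable audit record, so treat that combination as a failure in your own alerting even though the control itself is satisfied.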

Part of the learning path: See what's happening
  • CloudTrail.1 No multi-Region trail captures read/write management events
  • CloudTrail.2 CloudTrail logs are not KMS-encrypted
  • CloudTrail.4 CloudTrail log file validation should be enabled
  • CloudTrail.5 CloudTrail is not wired to CloudWatch for alerting
  • CloudTrail.6 The CloudTrail log bucket is publicly accessible
  • CloudTrail.7 Enable access logging on the CloudTrail S3 bucket
  • CloudTrail.10 CloudTrail Lake stores should use customer-managed KMS