AWS Security Hub · CloudTrail
CloudTrail.5: CloudTrail is not wired to CloudWatch for alerting
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub CloudTrail.5 check?
CloudTrail.5 fails when a trail is not integrated with CloudWatch Logs. The control checks for a CloudWatch Logs log group configured as a delivery destination on the trail.
Why does CloudTrail.5 matter?
CloudTrail's default S3 delivery is great for retention but useless for real-time alerting — you can't put a metric filter or alarm on an S3 object. When Capital One was breached in 2019, CloudTrail logged every malicious call from minute one, but with nothing watching it took an external researcher's email four months later to surface the breach. Wiring the trail into CloudWatch Logs is what lets you alarm on events as they happen.
How do I fix CloudTrail.5?
- Create a CloudWatch Logs log group and the IAM role CloudTrail uses to write to it.
- Set the CloudWatch Logs log group ARN and role on the trail via update-trail.
- Add metric filters and alarms on high-signal events (root sign-in, IAM policy changes, security-group edits).
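The three fix steps above, plus a check for trails that would still fail the control described under "What does CloudTrail.5 check?", as one added bash example. This is not the page's remediation script and not AWS-supplied code. It assumes an existing trail named org-audit-trail, account 111122223333, region us-east-1 and the log-group and role names used on this page, plus an SNS topic named security-alerts that the page does not define; the filter patterns follow the CIS AWS Foundations Benchmark style and the third step is generalized to three alarms (root activity, IAM policy changes, security-group changes).

```shell
#!/usr/bin/env bash
# Added example: remediate CloudTrail.5 on an existing trail and add CloudWatch alarms.
# Assumptions (placeholders, override via environment): account 111122223333, us-east-1,
# trail org-audit-trail, log group /aws/cloudtrail/org, role CloudTrail_CloudWatchLogs_Role,
# and an SNS topic "security-alerts" that must already exist (the page defines none).
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"
REGION="${REGION:-us-east-1}"
TRAIL_NAME="${TRAIL_NAME:-org-audit-trail}"
LOG_GROUP="${LOG_GROUP:-/aws/cloudtrail/org}"
ROLE_NAME="${ROLE_NAME:-CloudTrail_CloudWatchLogs_Role}"
SNS_TOPIC_ARN="${SNS_TOPIC_ARN:-arn:aws:sns:${REGION}:${ACCOUNT_ID}:security-alerts}"
LOG_GROUP_ARN="arn:aws:logs:${REGION}:${ACCOUNT_ID}:log-group:${LOG_GROUP}:*"
ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}"

# Trust policy: only the CloudTrail service principal may assume the delivery role.
trust_policy() {
  printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Permissions policy: least privilege, only stream creation and event delivery,
# scoped to log streams inside this one log group.
delivery_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["logs:CreateLogStream","logs:PutLogEvents"],"Resource":"arn:aws:logs:%s:%s:log-group:%s:log-stream:*"}]}' \
    "$REGION" "$ACCOUNT_ID" "$LOG_GROUP"
}

# CloudWatch Logs filter patterns for the high-signal events (CIS Benchmark style).
filter_pattern() {
  case "$1" in
    root-activity)
      echo '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }' ;;
    iam-policy-change)
      echo '{ ($.eventName = PutRolePolicy) || ($.eventName = PutUserPolicy) || ($.eventName = PutGroupPolicy) || ($.eventName = DeleteRolePolicy) || ($.eventName = DeleteUserPolicy) || ($.eventName = DeleteGroupPolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = CreatePolicyVersion) || ($.eventName = DeletePolicyVersion) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || ($.eventName = AttachGroupPolicy) || ($.eventName = DetachGroupPolicy) }' ;;
    security-group-change)
      echo '{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }' ;;
    *) echo "unknown pattern: $1" >&2; return 1 ;;
  esac
}

# Step 1: log group (with a retention period; the default keeps logs forever) and delivery role.
# create-log-group and create-role fail if the resource already exists; delete or skip as needed.
create_destination() {
  aws logs create-log-group --log-group-name "$LOG_GROUP"
  aws logs put-retention-policy --log-group-name "$LOG_GROUP" --retention-in-days 365
  aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name CloudTrailToCloudWatchLogs \
    --policy-document "$(delivery_policy)"
}

# Step 2: point the existing trail at the log group; this is the setting CloudTrail.5 evaluates.
wire_trail() {
  aws cloudtrail update-trail --name "$TRAIL_NAME" \
    --cloud-watch-logs-log-group-arn "$LOG_GROUP_ARN" \
    --cloud-watch-logs-role-arn "$ROLE_ARN"
}

# Step 3: metric filter + alarm pair; Sum >= 1 in a 5-minute window notifies the SNS topic.
add_alarm() {
  aws logs put-metric-filter --log-group-name "$LOG_GROUP" --filter-name "$1" \
    --filter-pattern "$(filter_pattern "$1")" \
    --metric-transformations "metricName=$1,metricNamespace=CloudTrailMetrics,metricValue=1"
  aws cloudwatch put-metric-alarm --alarm-name "CloudTrail-$1" \
    --namespace CloudTrailMetrics --metric-name "$1" --statistic Sum --period 300 \
    --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 \
    --treat-missing-data notBreaching --alarm-actions "$SNS_TOPIC_ARN"
}

# Verification: any trail with an empty CloudWatchLogsLogGroupArn still fails CloudTrail.5,
# and a wired trail should show a recent LatestCloudWatchLogsDeliveryTime once it is logging.
trails_failing_cloudtrail5() {
  aws cloudtrail describe-trails --output text \
    --query 'trailList[?!CloudWatchLogsLogGroupArn].Name'
}
last_cloudwatch_delivery() {
  aws cloudtrail get-trail-status --name "$TRAIL_NAME" \
    --query LatestCloudWatchLogsDeliveryTime --output text
}

# Nothing below talks to AWS unless APPLY=1 is set, so the file can be sourced for its functions.
if [ "${APPLY:-0}" = "1" ]; then
  create_destination
  sleep 10   # IAM is eventually consistent; update-trail can reject a role created a moment ago
  wire_trail
  for f in root-activity iam-policy-change security-group-change; do add_alarm "$f"; done
  echo "Trails still failing CloudTrail.5: $(trails_failing_cloudtrail5)"
  echo "Last CloudWatch Logs delivery for $TRAIL_NAME: $(last_cloudwatch_delivery)"
fi
```

Run it as `APPLY=1 ./cloudtrail5.sh` with credentials for the account that owns the trail; a multi-Region trail delivers events from every Region into this single log group, so one set of filters covers the account. The delivery policy deliberately grants nothing beyond CreateLogStream and PutLogEvents on the one log group, which is all CloudTrail needs.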
Remediation script · bash
# Create one multi-Region trail that satisfies the whole CloudTrail family.
# Prerequisites: the log group and the CloudTrail_CloudWatchLogs_Role (trusted by
# cloudtrail.amazonaws.com, allowed logs:CreateLogStream and logs:PutLogEvents on that group) must already exist.
aws cloudtrail create-trail \
--name org-audit-trail \
--s3-bucket-name my-cloudtrail-logs-bucket \
--is-multi-region-trail \
--include-global-service-events \
--enable-log-file-validation \
--cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:111122223333:log-group:/aws/cloudtrail/org:* \
--cloud-watch-logs-role-arn arn:aws:iam::111122223333:role/CloudTrail_CloudWatchLogs_Role
# Capture read AND write management events (not data events, which are billed per event).
aws cloudtrail put-event-selectors --trail-name org-audit-trail \
--event-selectors ReadWriteType=All,IncludeManagementEvents=true
# Defining the trail does not record anything: start it, then verify it is logging.
aws cloudtrail start-logging --name org-audit-trail
aws cloudtrail get-trail-status --name org-audit-trail --query IsLogging --output text
# For org-wide coverage, recreate with --is-organization-trail from the management
# or delegated-admin account so every member account inherits it automatically.
Full walkthrough (console steps, edge cases and verification) in the lesson Enable CloudTrail and API activity logging.
More CloudTrail controls
- CloudTrail.1 No multi-Region trail captures read/write management events
- CloudTrail.2 CloudTrail logs are not KMS-encrypted
- CloudTrail.3 No CloudTrail trail is enabled at all
- CloudTrail.4 CloudTrail log file validation should be enabled
- CloudTrail.6 The CloudTrail log bucket is publicly accessible
- CloudTrail.7 Enable access logging on the CloudTrail S3 bucket
- CloudTrail.10 CloudTrail Lake stores should use customer-managed KMS