A collection of configuration templates for AWS CloudTrail as well as security controls for monitoring and protecting AWS CloudTrail configuration such as Config Rules, CloudWatch Alarms, EventBridge Rules, IAM policies, and more.
This CloudFormation template creates an S3 bucket and configures it with a CloudTrail trail to capture management events. It also sets up a bucket policy to allow CloudTrail to write logs to the bucket.
This CloudFormation template creates an S3 bucket and configures it with a CloudTrail organizations trail to capture management events across all accounts in the organization. It also sets up a bucket policy to allow CloudTrail to write logs to the bucket.
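The following is an added example, not one of this collection's templates: a Python function that emits the CloudFormation template (in its JSON form) for the single-account and organization trail cases described above. It shows the two parts of the bucket policy that CloudTrail needs (`s3:GetBucketAcl` on the bucket and `s3:PutObject` under `AWSLogs/<account-id>/`, plus `AWSLogs/<org-id>/` for an organization trail), scoped with `aws:SourceArn` so only this trail can write, and a `DependsOn` so the policy exists before CloudTrail validates the bucket. Trail name, logical IDs and the organization ID are assumptions.

```python
"""Generate a CloudFormation template for a CloudTrail trail plus its S3 bucket.

Added example for this page, not the project's template. Names (LogBucket,
LogBucketPolicy, Trail, security-trail) and the org ID are illustrative.
"""
import json

CLOUDTRAIL_PRINCIPAL = {"Service": "cloudtrail.amazonaws.com"}


def trail_arn_sub(trail_name):
    # The trail ARN does not exist until the stack creates it, so build it from
    # pseudo-parameters. Used in aws:SourceArn so that another account's trail
    # cannot be pointed at this bucket (confused-deputy protection).
    return {"Fn::Sub": f"arn:${{AWS::Partition}}:cloudtrail:${{AWS::Region}}"
                       f":${{AWS::AccountId}}:trail/{trail_name}"}


def bucket_policy(bucket_id, trail_name, org_id=None):
    src_arn = trail_arn_sub(trail_name)
    bucket_arn = {"Fn::GetAtt": [bucket_id, "Arn"]}
    write_resources = [{"Fn::Sub": f"${{{bucket_id}.Arn}}/AWSLogs/${{AWS::AccountId}}/*"}]
    if org_id:
        # Organization trail: member accounts' logs are written under the org ID.
        write_resources.append({"Fn::Sub": f"${{{bucket_id}.Arn}}/AWSLogs/{org_id}/*"})
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
             "Principal": CLOUDTRAIL_PRINCIPAL, "Action": "s3:GetBucketAcl",
             "Resource": bucket_arn,
             "Condition": {"StringEquals": {"aws:SourceArn": src_arn}}},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
             "Principal": CLOUDTRAIL_PRINCIPAL, "Action": "s3:PutObject",
             "Resource": write_resources,
             # bucket-owner-full-control keeps the objects under the bucket owner's control
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                            "aws:SourceArn": src_arn}}},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*",
             "Resource": [bucket_arn, {"Fn::Sub": f"${{{bucket_id}.Arn}}/*"}],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }


def cloudtrail_template(trail_name="security-trail", org_id=None, kms_key_arn=None):
    bucket_id = "LogBucket"
    trail = {
        "Type": "AWS::CloudTrail::Trail",
        "DependsOn": "LogBucketPolicy",  # CloudTrail checks the policy at create time
        "Properties": {
            "TrailName": trail_name,
            "S3BucketName": {"Ref": bucket_id},
            "IsLogging": True,
            "IsMultiRegionTrail": True,
            "IncludeGlobalServiceEvents": True,
            "EnableLogFileValidation": True,
            "IsOrganizationTrail": bool(org_id),
            "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
        },
    }
    if kms_key_arn:
        trail["Properties"]["KMSKeyId"] = kms_key_arn
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            bucket_id: {
                "Type": "AWS::S3::Bucket",
                "Properties": {
                    # Log bucket is never public; block all four public-access paths.
                    "PublicAccessBlockConfiguration": {
                        "BlockPublicAcls": True, "BlockPublicPolicy": True,
                        "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
                    "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
                    "VersioningConfiguration": {"Status": "Enabled"},
                },
            },
            "LogBucketPolicy": {
                "Type": "AWS::S3::BucketPolicy",
                "Properties": {"Bucket": {"Ref": bucket_id},
                               "PolicyDocument": bucket_policy(bucket_id, trail_name, org_id)},
            },
            "Trail": trail,
        },
        "Outputs": {"TrailArn": {"Value": {"Fn::GetAtt": ["Trail", "Arn"]}}},
    }


if __name__ == "__main__":
    # Organization-trail variant; the org ID below is a placeholder.
    print(json.dumps(cloudtrail_template(org_id="o-exampleorgid"), indent=2))
```

Pipe the output to a file and deploy it with `aws cloudformation deploy --template-file`; for the organization variant the stack must be created in the management account (or a delegated administrator) with trusted access for CloudTrail enabled.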
Creates a CloudTrail trail to log Lambda data events for all functions and store the logs in the specified S3 bucket.
Creates a CloudTrail trail to log DynamoDB data events for all tables and store the logs in the specified S3 bucket.
Creates a CloudTrail trail to log global S3 data events and store the logs in the specified S3 bucket.
This template creates a CloudTrail event data store that logs events in all regions. It enables multi-region support, ingestion of events, and sets a retention period of 30 days. It also supports organization-wide event logging if the AWS partition is not 'aws-cn'. The event data store is not protected from termination and uses a specified KMS key for encryption. It includes tags for identification and advanced event selectors to filter events based on event category.
This template creates a CloudTrail channel for a CloudTrail Lake integration with an event source outside of AWS. The channel is created with the specified name, source, destinations, and tags. The channel ARN is outputted.
This template creates a resource policy that allows a specific AWS account to call `PutAuditEvents` on a CloudTrail channel. The resource policy is attached to the CloudTrail channel specified by the resource ARN. The policy is defined using a JSON object.
This SCP prevents users or roles in any affected account from disabling CloudTrail logging, whether through the API/CLI or through the console (the console calls the same APIs, so the SCP covers both paths).
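As an added example (not the collection's own SCP), the policy below denies the CloudTrail calls that stop, delete or narrow a trail, with a break-glass exception keyed on `aws:PrincipalArn`, and a small evaluator that applies the Deny side of SCP semantics so the effect can be checked offline. It assumes the default `FullAWSAccess` policy is still attached (so only Deny statements matter), only implements `ArnLike`/`ArnNotLike` conditions, and uses an illustrative role name; remember that SCPs never apply to the management account.

```python
"""CloudTrail-protecting SCP with a deny-wins evaluator.

Added example for this page, not the project's SCP. The break-glass role name
and the sample principal ARNs are illustrative.
"""
import fnmatch

PROTECT_CLOUDTRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCloudTrailTampering",
            "Effect": "Deny",
            # StopLogging/DeleteTrail switch a trail off; UpdateTrail and
            # PutEventSelectors can quietly shrink what it records.
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                       "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
            "Resource": "*",
            # Exception for a dedicated break-glass role (assumed name).
            "Condition": {"ArnNotLike": {
                "aws:PrincipalArn": ["arn:aws:iam::*:role/SecurityBreakGlass"]}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(condition, principal_arn):
    """Evaluate only the ArnLike/ArnNotLike operators on aws:PrincipalArn;
    other operators are not modelled and are treated as not matching."""
    for operator, key_values in condition.items():
        patterns = _as_list(key_values.get("aws:PrincipalArn", []))
        hit = any(fnmatch.fnmatchcase(principal_arn, p) for p in patterns)
        if operator == "ArnNotLike" and hit:
            return False
        if operator == "ArnLike" and not hit:
            return False
        if operator not in ("ArnLike", "ArnNotLike"):
            return False
    return True


def scp_denies(scp, action, principal_arn):
    """True if any Deny statement matches the action (case-insensitive, with
    IAM-style * and ? wildcards) and its condition holds for the principal."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(stmt["Action"])):
            continue
        if _condition_met(stmt.get("Condition", {}), principal_arn):
            return True
    return False


def blocked_actions(scp, principal_arn, actions):
    """Which of the given actions this principal loses under the SCP."""
    return [a for a in actions if scp_denies(scp, a, principal_arn)]


if __name__ == "__main__":
    probe = ["cloudtrail:DescribeTrails", "cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]
    for arn in ("arn:aws:iam::111122223333:role/Developer",
                "arn:aws:iam::111122223333:role/SecurityBreakGlass"):
        print(arn, "->", blocked_actions(PROTECT_CLOUDTRAIL_SCP, arn, probe))
```

The evaluator is deliberately narrow: it answers "does this SCP deny the call for this principal", which is the only question the SCP itself decides. Whether the principal's own IAM policy allows the call is a separate evaluation.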
A CloudWatch Alarm that triggers when changes are made to the CloudTrail configuration.
Detects changes to the CloudTrail configuration and publishes change events to an SNS topic for notification.
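Added example for the two detection controls above (not the collection's own alarm or rule): the EventBridge event pattern that catches CloudTrail configuration changes, a matcher implementing the subset of EventBridge pattern semantics the rule relies on, and constructed sample events in the envelope EventBridge delivers for CloudTrail API calls. The same `eventName` list is what the CloudWatch Logs metric filter behind the alarm would test, so the constant is included for reference. The sample ARNs and trail name are made up.

```python
"""EventBridge pattern for CloudTrail configuration changes and a matcher.

Added example for this page; not the project's rule. Sample events below are
constructed, with placeholder account and trail names.
"""

CLOUDTRAIL_CHANGE_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["CreateTrail", "UpdateTrail", "DeleteTrail",
                      "StartLogging", "StopLogging", "PutEventSelectors"],
    },
}

# Equivalent CloudWatch Logs metric filter pattern (for the alarm-based control).
METRIC_FILTER_PATTERN = (
    "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || "
    "($.eventName = DeleteTrail) || ($.eventName = StartLogging) || "
    "($.eventName = StopLogging) || ($.eventName = PutEventSelectors) }"
)


def matches(pattern, event):
    """Subset of EventBridge matching: every key in the pattern must exist in
    the event; a list of values matches when the event's value is one of them;
    nested dicts are matched recursively; keys absent from the pattern are
    ignored. Content filters such as {"anything-but": ...} are not modelled."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def make_event(event_name, user_arn="arn:aws:iam::111122223333:user/alice"):
    # Constructed event shaped like the "AWS API Call via CloudTrail" envelope.
    return {
        "source": "aws.cloudtrail",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "cloudtrail.amazonaws.com",
            "eventName": event_name,
            "userIdentity": {"arn": user_arn},
            "requestParameters": {"name": "security-trail"},
        },
    }


SAMPLE_EVENTS = [make_event(n) for n in
                 ("DescribeTrails", "StopLogging", "LookupEvents", "DeleteTrail", "UpdateTrail")]
SAMPLE_EVENTS.append({  # same envelope, different service: must not match
    "source": "aws.s3",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket"},
})


def detect(events, pattern=CLOUDTRAIL_CHANGE_PATTERN):
    """Return the eventName of every event the rule would forward to SNS."""
    return [e["detail"]["eventName"] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Read-only calls such as `DescribeTrails` and `LookupEvents` fall through, which keeps the SNS topic quiet during normal auditing; if you also want to see who made a change, the `userIdentity.arn` field is already in the event for the notification template.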
Checks whether AWS CloudTrail is enabled in your AWS account. Optionally, you can specify which S3 bucket, SNS topic, and Amazon CloudWatch Logs ARN to use.
Evaluates whether access logging is enabled on the CloudTrail S3 bucket and the S3 bucket is not publicly accessible.
A config rule that checks that there is at least one multi-region AWS CloudTrail trail. The rule is NON_COMPLIANT if the trails do not match the input parameters.
A config rule that checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch Logs. The trail is NON_COMPLIANT if the CloudWatchLogsLogGroupArn property of the trail is empty.
A config rule that checks whether AWS CloudTrail is configured to use server-side encryption (SSE) with an AWS Key Management Service (AWS KMS) key (formerly called a customer master key, CMK). The rule is COMPLIANT if the KmsKeyId is defined.
A config rule that checks whether AWS CloudTrail creates a signed digest file with logs. AWS recommends that log file validation be enabled on all trails. The rule is NON_COMPLIANT if validation is not enabled.
A config rule that checks that there is at least one AWS CloudTrail trail defined with security best practices. This rule is COMPLIANT if there is at least one trail that meets all of the following: records global service events, is a multi-region trail, has log file validation enabled, is encrypted with a KMS key, records events for reads and writes, records management events, and does not exclude any management events.
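To make the criteria behind the rules above concrete, here is an added example (not one of the collection's rules) that evaluates trail descriptions against them offline: the multi-region, CloudWatch Logs, KMS and log-file-validation checks individually, and the combined security-trail check with the rule's "at least one trail passes everything" semantics. The input dicts follow the shape of `describe_trails` and `get_event_selectors` responses; the sample trails are constructed, and the code assumes basic event selectors (advanced event selectors are not evaluated).

```python
"""Offline evaluation of CloudTrail trails against the Config rule criteria.

Added example for this page, not the project's rule. Input shapes mirror the
describe_trails / get_event_selectors API responses; sample data is constructed.
"""


def is_multi_region(trail):
    return trail.get("IsMultiRegionTrail") is True


def sends_to_cloudwatch_logs(trail):
    # cloud-trail-cloud-watch-logs-enabled: NON_COMPLIANT when the ARN is empty.
    return bool(trail.get("CloudWatchLogsLogGroupArn"))


def is_kms_encrypted(trail):
    return bool(trail.get("KmsKeyId"))


def has_log_file_validation(trail):
    return trail.get("LogFileValidationEnabled") is True


def records_all_management_events(selectors):
    """Reads and writes, management events on, nothing excluded (basic selectors)."""
    return any(
        s.get("IncludeManagementEvents") is True
        and s.get("ReadWriteType") == "All"
        and not s.get("ExcludeManagementEventSources")
        for s in selectors
    )


def security_trail_check(trail, selectors):
    """Return (compliant, failed_check_names) for one trail."""
    checks = {
        "global_service_events": trail.get("IncludeGlobalServiceEvents") is True,
        "multi_region": is_multi_region(trail),
        "log_file_validation": has_log_file_validation(trail),
        "kms_encrypted": is_kms_encrypted(trail),
        "management_read_write": records_all_management_events(selectors),
    }
    failed = [name for name, ok in checks.items() if not ok]
    return (not failed, failed)


def account_has_security_trail(trails):
    """Rule semantics: COMPLIANT if at least one trail passes every check."""
    return any(security_trail_check(t["trail"], t["selectors"])[0] for t in trails)


# Constructed sample data; ARNs and names are placeholders.
GOOD_TRAIL = {
    "Name": "security-trail",
    "IsMultiRegionTrail": True,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail:*",
}
GOOD_SELECTORS = [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                   "DataResources": [], "ExcludeManagementEventSources": []}]

WEAK_TRAIL = {
    "Name": "legacy-trail",
    "IsMultiRegionTrail": False,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": False,
}
WEAK_SELECTORS = [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
                   "ExcludeManagementEventSources": ["kms.amazonaws.com"]}]

ACCOUNT = [{"trail": GOOD_TRAIL, "selectors": GOOD_SELECTORS},
           {"trail": WEAK_TRAIL, "selectors": WEAK_SELECTORS}]


if __name__ == "__main__":
    for entry in ACCOUNT:
        print(entry["trail"]["Name"], security_trail_check(entry["trail"], entry["selectors"]))
    print("account compliant:", account_has_security_trail(ACCOUNT))
```

Note the asymmetry: the account is COMPLIANT on the combined rule because `security-trail` passes, even though `legacy-trail` fails four checks. The per-trail rules (multi-region, CloudWatch Logs, KMS, validation) are what surface the weaker trail, so keep both kinds enabled.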