
Fix: CloudTrail Not Multi-Region or Missing Log File Validation

2026-06-24 2 min read

CloudTrail is your forensic record — and two findings around it are exactly what a CPS 234 auditor probes: it's not configured as a multi-region trail (CIS 3.1, Security Hub [CloudTrail.1]) and log file validation is off (CIS 3.2, [CloudTrail.4]). The first is a blind spot; the second means you can't prove your logs weren't altered.

Practitioner guidance, not legal or audit advice.

Create one multi-region, validated trail

You want a single organization-level trail covering every region, with validation and encryption on:

aws cloudtrail create-trail \
  --name org-trail \
  --s3-bucket-name <central-logging-bucket> \
  --is-multi-region-trail \
  --is-organization-trail \
  --enable-log-file-validation \
  --kms-key-id <kms-key-arn>

aws cloudtrail start-logging --name org-trail

The flags that close the findings:

  • --is-multi-region-trail — captures activity in every region, including the ones you forgot you had. ([CloudTrail.1])
  • --enable-log-file-validation — produces signed digest files so you can prove logs weren't tampered with. ([CloudTrail.4])
  • --kms-key-id — encrypts the logs at rest. ([CloudTrail.2])

Do it once, at the org level

Create the trail in your management/log-archive account as an organization trail so every member account is covered automatically and member accounts can't disable it. Account-by-account trails are how gaps creep in.

Protect the log bucket

The logging bucket itself must not be public ([CloudTrail.6]) and should have Object Lock / versioning so logs are immutable — that immutability is part of what proves tamper-resistance to an auditor.

Keep it fixed

Config rules multi-region-cloud-trail-enabled, cloud-trail-log-file-validation-enabled, and cloud-trail-encryption-enabled flag any regression.
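To see how the three flags above map onto the findings, and to catch the regressions the Config rules watch for, here is an added example (not from the original post or from AWS) that evaluates trails against CloudTrail.1, CloudTrail.2 and CloudTrail.4. It works on the shapes returned by `aws cloudtrail describe-trails`, `get-trail-status` and `get-event-selectors`; the sample trails, ARNs and KMS key below are constructed, and the `evaluate_trails` function and its inputs are hypothetical names.

```python
# Evaluate CloudTrail configuration against CIS 3.1/3.2 (Security Hub
# CloudTrail.1, .2, .4). Inputs mirror describe-trails, get-trail-status and
# get-event-selectors output; in practice you would feed in boto3/CLI results.

def evaluate_trails(trails, status_by_arn, selectors_by_arn):
    """Return {control_id: [failure messages]}; an empty list means pass."""
    findings = {"CloudTrail.1": [], "CloudTrail.2": [], "CloudTrail.4": []}
    compliant_multi_region = False
    for t in trails:
        arn = t["TrailARN"]
        # CloudTrail.4 / CIS 3.2: every trail must have log file validation on
        if not t.get("LogFileValidationEnabled", False):
            findings["CloudTrail.4"].append(f"{t['Name']}: log file validation disabled")
        # CloudTrail.2: every trail must be encrypted with a KMS key
        if not t.get("KmsKeyId"):
            findings["CloudTrail.2"].append(f"{t['Name']}: no KMS key")
        # CloudTrail.1 / CIS 3.1: at least one multi-region trail that is
        # actively logging management events for both reads and writes
        if not t.get("IsMultiRegionTrail", False):
            continue
        if not status_by_arn.get(arn, {}).get("IsLogging", False):
            continue
        selectors = selectors_by_arn.get(arn, {}).get("EventSelectors", [])
        if any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
               for s in selectors):
            compliant_multi_region = True
    if not compliant_multi_region:
        findings["CloudTrail.1"].append("no multi-region trail logging all management events")
    return findings


# Constructed sample: one legacy single-region trail, one org-wide trail.
LEGACY_ARN = "arn:aws:cloudtrail:ap-southeast-2:111111111111:trail/legacy-trail"
ORG_ARN = "arn:aws:cloudtrail:ap-southeast-2:111111111111:trail/org-trail"
SAMPLE_TRAILS = [
    {"Name": "legacy-trail", "TrailARN": LEGACY_ARN, "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False, "KmsKeyId": None},
    {"Name": "org-trail", "TrailARN": ORG_ARN, "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:ap-southeast-2:111111111111:key/EXAMPLE-KEY-ID"},
]
SAMPLE_STATUS = {LEGACY_ARN: {"IsLogging": True}, ORG_ARN: {"IsLogging": True}}
SAMPLE_SELECTORS = {ORG_ARN: {"EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True}]}}

if __name__ == "__main__":
    for control, failures in evaluate_trails(SAMPLE_TRAILS, SAMPLE_STATUS,
                                             SAMPLE_SELECTORS).items():
        print(control, "PASS" if not failures else failures)
```

Note that CloudTrail.1 passes as soon as one trail qualifies, while CloudTrail.2 and CloudTrail.4 report every non-compliant trail, so a forgotten legacy trail still shows up.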

Why it matters for CPS 234

This is Forensic Readiness — CPS 234 Para 25–26 (logging to support detection and response). The specific evidence an auditor asks for is the log file validation digest plus the bucket's Object Lock config — covered in the evidence post. You need this before an incident; you can't investigate with logs you didn't keep or can't trust.


Primary sources: Security Hub CloudTrail controls · CIS in Security Hub
