HomeGuidesChangelog
Guides

CloudTrail

Suggest Edits

AWS CloudTrail

Overview

AWS CloudTrail integration - regscale aws sync_cloudtrail - assesses audit and accountability controls (AU-2, AU-3, AU-6, AU-9, AU-11, AU-12, SI-4).

Command Syntax

regscale aws sync_cloudtrail [OPTIONS]

Basic Usage

# Sync all CloudTrail trails with evidence
regscale aws sync_cloudtrail --regscale-id 123 --create-evidence

# Filter by trail name
regscale aws sync_cloudtrail \
  --regscale-id 123 \
  --trail-name-filter org-trail \
  --create-evidence \
  --evidence-control-ids AU-2,AU-3,AU-9

# Filter by tags
regscale aws sync_cloudtrail \
  --regscale-id 123 \
  --tags Compliance=Required \
  --create-evidence

Evidence Collection Options

OptionDescriptionDefault
--create-evidenceEnable evidence collectionFalse
--create-ssp-attachmentCreate evidence as SSP attachment (default: True)
--evidence-control-idsComma-separated list of control IDs (e.g., 'AU-2,AU-3,AU-6,AU-9,AU-11,AU-12,SI-4')All controls
--evidence-frequencyEvidence update frequency in days30

Collect Evidence for Specific Controls

regscale aws sync_cloudtrail --regscale-id 123 \
    --create-evidence \
    --evidence-control-ids AU-2,AU-3,AU-6,AU-9

Filter by Trail Name

Filter CloudTrail trails by name prefix:

regscale aws sync_cloudtrail --regscale-id 123 \
    --trail-name-filter org-trail \
    --create-evidence

NIST 800-53 Controls Assessed

  • AU-2: Audit Events
  • AU-3: Content of Audit Records
  • AU-6: Audit Record Review, Analysis, and Reporting
  • AU-9: Protection of Audit Information
  • AU-11: Audit Record Retention
  • AU-12: Audit Record Generation
  • SI-4: System Monitoring

What Gets Created in RegScale

  • Control Assessments: AU family controls
  • Evidence: Trail configs, multi-region status, log validation, CloudWatch integration
  • Issues: No log validation, not multi-region, no CloudWatch Logs

Common Use Cases

# FedRAMP audit logging assessment
regscale aws sync_cloudtrail \
  --regscale-id 123 \
  --create-evidence \
  --evidence-control-ids AU-2,AU-3,AU-6,AU-9,AU-11,AU-12 \
  --tags ATO=FedRAMP \
  --create-issues \
  --create-poams

Updated 3 days ago