What this looks like in the scanner
[Critical] prod-audit-trail: CloudTrail trail has stopped logging - LatestDeliveryError indicates S3 bucket access denied
[High] default-trail: CloudTrail is not configured as multi-region - API activity in us-west-2 and eu-west-1 is not recorded
[Medium] org-management-trail: CloudTrail log file integrity validation is disabled - log tampering cannot be detected
What does AWS CloudTrail public exposure mean?
CloudTrail is your audit trail for AWS API activity. Missing or misconfigured trails mean you can't detect when resources are made public, when unauthorized access occurs, or when security configurations change.
Why it matters
Without comprehensive CloudTrail logging, public exposures go undetected. You can't investigate incidents, demonstrate compliance, or detect configuration drift that introduces new exposures.
How to check manually
1. Verify CloudTrail is enabled in all regions
2. Check that management events and data events are being recorded
3. Verify CloudTrail logs are stored in an encrypted, access-controlled S3 bucket
4. Confirm log file validation is enabled to detect tampering
Quick check with AWS CLI
List all CloudTrail trails and their status
aws cloudtrail describe-trails --query "trailList[].{Name:Name,S3Bucket:S3BucketName,IsMultiRegion:IsMultiRegionTrail,LogValidation:LogFileValidationEnabled}"

Check if a trail is logging and recording events
aws cloudtrail get-trail-status --name YOUR_TRAIL_NAME --query "{IsLogging:IsLogging,LatestDeliveryTime:LatestDeliveryTime,LatestDeliveryError:LatestDeliveryError}"

Check event selectors for data event coverage
aws cloudtrail get-event-selectors --trail-name YOUR_TRAIL_NAME --query "EventSelectors[].{ReadWriteType:ReadWriteType,DataResources:DataResources}"

Common misconfigurations
- CloudTrail not enabled in all regions
- Data events not recorded for S3 and Lambda
- Trail log bucket with public access
- Log file integrity validation disabled
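The manual steps and the misconfiguration list above can be turned into a repeatable check. The following is an added example, not code from this page or from the scanner it describes: it evaluates the JSON that the three CLI commands above return (`describe-trails`, `get-trail-status`, `get-event-selectors`) and emits findings ranked Critical / High / Medium in the same way the scanner output at the top of the page does. The three sample responses are constructed here so the script runs offline; in practice you would feed it the real command output. It only understands the classic `EventSelectors` shape shown in the CLI command; trails configured with advanced event selectors report their data-event coverage under `AdvancedEventSelectors`, which this example does not parse. The bucket's own access controls (step 3) are not visible from the CloudTrail API and need a separate `s3api` check.

```python
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, trail name, message)

# Data event types the page calls out as commonly missing.
DATA_EVENT_TYPES = {"AWS::S3::Object", "AWS::Lambda::Function"}

# Constructed sample responses shaped like the output of the three CLI
# commands above. Trail names mirror the scanner mock-up; account id, key id
# and bucket names are placeholders, not real resources.
SAMPLE_TRAILS = {
    "trailList": [
        {"Name": "prod-audit-trail", "S3BucketName": "prod-audit-logs",
         "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"Name": "default-trail", "S3BucketName": "default-trail-logs",
         "IsMultiRegionTrail": False, "LogFileValidationEnabled": True},
        {"Name": "org-management-trail", "S3BucketName": "org-logs",
         "IsMultiRegionTrail": True, "LogFileValidationEnabled": False},
    ]
}
SAMPLE_STATUS = {
    "prod-audit-trail": {"IsLogging": True, "LatestDeliveryError": "AccessDenied",
                         "LatestDeliveryTime": "2024-01-01T00:00:00Z"},
    "default-trail": {"IsLogging": True, "LatestDeliveryError": ""},
    "org-management-trail": {"IsLogging": False},
}
SAMPLE_SELECTORS = {
    "prod-audit-trail": {"EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True,
         "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]},
    "default-trail": {"EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True, "DataResources": []}]},
    "org-management-trail": {"EventSelectors": []},
}


def audit_trail(trail: dict, status: dict, selectors: dict) -> List[Finding]:
    """Apply the page's four manual checks to one trail and return its findings."""
    name = trail["Name"]
    findings: List[Finding] = []

    # A trail that is stopped, or that cannot deliver to its bucket, records
    # nothing. LatestDeliveryError is only present when the last delivery failed.
    if not status.get("IsLogging", False):
        findings.append(("Critical", name, "trail is not logging"))
    if status.get("LatestDeliveryError"):
        findings.append(("Critical", name,
                         f"log delivery failing: {status['LatestDeliveryError']}"))

    # Step 1: a single-region trail misses API activity in every other region.
    if not trail.get("IsMultiRegionTrail", False):
        findings.append(("High", name, "trail is not multi-region"))

    # Step 4: without digest files, tampering with delivered logs goes undetected.
    if not trail.get("LogFileValidationEnabled", False):
        findings.append(("Medium", name, "log file integrity validation is disabled"))

    # Step 3 (partial): KmsKeyId is set when log files are encrypted with SSE-KMS.
    if not trail.get("KmsKeyId"):
        findings.append(("Medium", name, "log files are not encrypted with a KMS key"))

    # Step 2: management events must cover reads and writes, and data events
    # for S3 objects and Lambda functions must be selected.
    event_selectors = selectors.get("EventSelectors", [])
    mgmt_ok = any(s.get("IncludeManagementEvents", True) and s.get("ReadWriteType") == "All"
                  for s in event_selectors)
    if not mgmt_ok:
        findings.append(("High", name, "management events are not fully recorded (read and write)"))
    covered = {r["Type"] for s in event_selectors for r in s.get("DataResources", [])}
    missing = sorted(DATA_EVENT_TYPES - covered)
    if missing:
        findings.append(("Medium", name, "data events not recorded for " + ", ".join(missing)))
    return findings


def audit_account(trails: dict, statuses: Dict[str, dict],
                  selectors: Dict[str, dict]) -> List[Finding]:
    """Audit every trail in a describe-trails response; most severe first."""
    order = {"Critical": 0, "High": 1, "Medium": 2}
    trail_list = trails.get("trailList", [])
    if not trail_list:
        return [("Critical", "-", "no CloudTrail trail exists in this account")]
    findings: List[Finding] = []
    for trail in trail_list:
        name = trail["Name"]
        findings += audit_trail(trail, statuses.get(name, {}), selectors.get(name, {}))
    # Account level: at least one multi-region trail must exist somewhere.
    if not any(t.get("IsMultiRegionTrail") for t in trail_list):
        findings.append(("High", "-", "no multi-region trail covers the account"))
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, trail, message in audit_account(SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_SELECTORS):
        print(f"[{severity}] {trail}: {message}")
```

Run against the constructed samples, the script reproduces the three scanner findings shown at the top of the page (delivery failure on prod-audit-trail, single-region default-trail, validation disabled on org-management-trail) plus the event-selector gaps that the `get-event-selectors` command reveals. To use it on a real account, save each command's output with `--output json` and load the three documents with `json.load` in place of the samples.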
Check all 22 resource types at once
Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.