
Automatically re-enable AWS CloudTrail by using a custom remediation rule in AWS Config

Project Overview

Project Detail

Visibility over activity in your Amazon Web Services (AWS) account is an important security and operational best practice. AWS CloudTrail helps you with the governance, compliance, and operational and risk auditing of your account.

To ensure that CloudTrail remains enabled in your account, AWS Config provides the cloudtrail-enabled managed rule. If CloudTrail is turned off, the cloudtrail-enabled rule automatically re-enables it by using automatic remediation.

However, you must make sure that you follow security best practices for CloudTrail if you use automatic remediation. These best practices include enabling CloudTrail in all AWS Regions, logging read and write workloads, enabling insights, and encrypting log files with server-side encryption using AWS Key Management Service (AWS KMS) managed keys (SSE-KMS).

This pattern helps you follow these security best practices by providing a custom remediation action to automatically re-enable CloudTrail in your account.

Important: We recommend using service control policies (SCPs) to prevent any tampering with CloudTrail. For more information about this, see the Prevent tampering with AWS CloudTrail section of How to use AWS Organizations to simplify security at enormous scale on the AWS Security Blog.
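As an added example (not the pattern's own code), the following Python sketches the custom remediation action such a rule would invoke: it checks the trail against each practice listed above and issues only the CloudTrail calls needed to restore it. The trail name and KMS key ARN are assumptions, and the boto3 CloudTrail client is passed in so the planning logic can be exercised without AWS access.

```python
"""Custom remediation for the cloudtrail-enabled rule: bring a trail back in line
with the practices above (all Regions, read and write events, Insights, SSE-KMS)
and start logging again. Added example; the CloudTrail client is injected."""

TRAIL_NAME = "org-trail"  # assumption: the trail the Config rule watches
# assumption: KMS key ARN for SSE-KMS; describe_trails reports the ARN, so compare ARNs
KMS_KEY_ID = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

def plan_remediation(trail, is_logging, event_selectors, insight_selectors, kms_key_id):
    """Return the CloudTrail calls (api_name, kwargs) needed to restore the trail.
    Each check maps to one best practice; a compliant, logging trail yields []."""
    name = trail["Name"]
    actions, update = [], {}
    if not trail.get("IsMultiRegionTrail"):
        update["IsMultiRegionTrail"] = True  # capture every Region
    if trail.get("KmsKeyId") != kms_key_id:
        update["KmsKeyId"] = kms_key_id  # SSE-KMS on the log files
    if update:
        actions.append(("update_trail", {"Name": name, **update}))
    # Management events must be logged for both reads and writes (basic selectors assumed)
    reads_and_writes = any(s.get("ReadWriteType") == "All" and s.get("IncludeManagementEvents", True)
                           for s in event_selectors)
    if not reads_and_writes:
        actions.append(("put_event_selectors", {"TrailName": name, "EventSelectors": [
            {"ReadWriteType": "All", "IncludeManagementEvents": True}]}))
    # Insights: API call rate anomalies (assumed as the insight type to enable)
    if not any(s.get("InsightType") == "ApiCallRateInsight" for s in insight_selectors):
        actions.append(("put_insight_selectors", {"TrailName": name, "InsightSelectors": [
            {"InsightType": "ApiCallRateInsight"}]}))
    if not is_logging:
        actions.append(("start_logging", {"Name": name}))  # the re-enable itself
    return actions

def remediate(client, trail_name=TRAIL_NAME, kms_key_id=KMS_KEY_ID):
    """Read the trail's current state, then apply the planned calls in order.
    `client` is a boto3 CloudTrail client or any object with the same methods."""
    trails = client.describe_trails(trailNameList=[trail_name])["trailList"]
    if not trails:
        raise LookupError(f"trail {trail_name!r} not found")  # creating one is out of scope
    trail = trails[0]
    is_logging = client.get_trail_status(Name=trail_name)["IsLogging"]
    selectors = client.get_event_selectors(TrailName=trail_name).get("EventSelectors", [])
    try:
        insights = client.get_insight_selectors(TrailName=trail_name).get("InsightSelectors", [])
    except client.exceptions.InsightNotEnabledException:  # raised when Insights is off
        insights = []
    actions = plan_remediation(trail, is_logging, selectors, insights, kms_key_id)
    for api, params in actions:
        getattr(client, api)(**params)
    return actions
```

In the pattern's setup, the Lambda function behind the remediation action would call `remediate(boto3.client("cloudtrail"))`; a trail that is already compliant and logging produces an empty action list, which is what the rule's later evaluations should see.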

https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-re-enable-aws-cloudtrail-by-using-a-custom-remediation-rule-in-aws-config.html?did=pg_card&trk=pg_card
