AWS Cloudtrail - Storage Audit Logs Showing as Non-Compliant

This guide explains how to resolve the issue where the “Storage audit logs enabled” monitor appears as non-compliant even though audit logging is enabled in AWS CloudTrail.

📌 Note: If you have only one trail in AWS CloudTrail, make sure it is not the default trail managed by AWS. We cannot collect any data from that trail because it is managed by AWS rather than by you.


🔍 Why This Happens

This monitor checks two specific configurations within your CloudTrail setup:

  1. Data events must be enabled

  2. The Data event type must be set to S3

Even when CloudTrail itself is active, the monitor shows as non-compliant if either of these settings is missing or misconfigured.

What You Need to Do

Follow these steps to check and correct your CloudTrail configuration:

  1. Open AWS CloudTrail
    Log into your AWS Console and navigate to the CloudTrail section.

  2. Select Your Trail
    Find and open the trail you are currently using for audit logging.

  3. Edit Data Events

    • Scroll to the “Data events” section.

    • Click “Edit” to update the configuration.

  4. Enable Data Events

    • Make sure the checkbox 'Data events' is selected.

  5. Set Event Type to S3

    • Under “Data event type”, confirm that it is set to S3.

    • If it's set to another service (e.g., Lambda), adjust it accordingly.

  6. Save Changes

    • Select 'Save Changes' to apply the updated settings.


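To verify the same two settings outside the console, the event selectors of a trail can be checked against the monitor's logic. The following script is an added example, not part of this guide or of the monitor itself: it takes the response of `aws cloudtrail get-event-selectors --trail-name <trail>` (classic or advanced selector form) and reports which of the two checks fails. The three sample responses are constructed for illustration.

```python
"""Check a CloudTrail trail for the two settings the monitor looks at:
data events enabled, and the data event type set to S3. Input is the
response of `aws cloudtrail get-event-selectors --trail-name <trail>`,
in either the classic EventSelectors or the AdvancedEventSelectors form.
The three sample responses below are constructed for this example."""

S3_OBJECT = "AWS::S3::Object"  # resource type CloudTrail uses for S3 data events


def data_event_types(response: dict) -> set:
    """Collect every data-event resource type the trail's selectors log."""
    types = set()
    for sel in response.get("EventSelectors", []):          # classic form
        for res in sel.get("DataResources", []):
            types.add(res.get("Type"))
    for sel in response.get("AdvancedEventSelectors", []):  # advanced form
        fields = {f["Field"]: set(f.get("Equals", []))
                  for f in sel.get("FieldSelectors", [])}
        if "Data" in fields.get("eventCategory", set()):
            types.update(fields.get("resources.type", set()))
    return types


def diagnose(response: dict) -> str:
    """Map the trail's selectors onto the monitor's two checks."""
    types = data_event_types(response)
    if not types:
        return "non-compliant: data events are not enabled"
    if S3_OBJECT in types:
        return "compliant"
    return "non-compliant: data event type is not S3 (" + ", ".join(sorted(types)) + ")"


# Constructed sample responses (not captured from a real account).
MANAGEMENT_ONLY = {"EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]}
CLASSIC_S3 = {"EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True,
     "DataResources": [{"Type": S3_OBJECT, "Values": ["arn:aws:s3"]}]}]}
ADVANCED_LAMBDA = {"AdvancedEventSelectors": [
    {"Name": "Lambda data events", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::Lambda::Function"]}]}]}

if __name__ == "__main__":
    for name, resp in [("management-only", MANAGEMENT_ONLY),
                       ("classic-s3", CLASSIC_S3), ("advanced-lambda", ADVANCED_LAMBDA)]:
        print(f"{name}: {diagnose(resp)}")
```

A trail that logs only management events fails the first check, and one whose data events are set to Lambda fails the second, which matches the two causes the guide lists.
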
📌 Note: After updating the trail, the monitor may take a few minutes to reflect the new status. If it still shows as non-compliant after a while, double-check for typos or misassigned event types.