No CloudTrail Trail Defined
cloudtrail-logging-disabled
What this rule checks
Flags stacks that define no CloudTrail Trail. CloudTrail is usually configured once at the account or organization level โ suppress this rule if account-level logging is already in place.
How to fix it
- 1Add an account- or organization-level CloudTrail Trail
- 2Enable multi-region trails and log file validation
- 3If account-level CloudTrail already exists, suppress this rule
import { aws_s3 as s3 } from 'aws-cdk-lib';
// No CloudTrail trail anywhere in the stack: API activity goes unrecorded.
new s3.Bucket(this, 'DataBucket', { enforceSSL: true });import { aws_cloudtrail as cloudtrail } from 'aws-cdk-lib';
new cloudtrail.Trail(this, 'Trail', {
isMultiRegionTrail: true,
enableFileValidation: true,
});CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.
Affected resource types
AWS::CloudTrail::TrailIntentional? Suppress this finding
Sometimes a flag is deliberate โ a genuinely public endpoint, say. You can dismiss cloudtrail-logging-disabled and the reason is kept in the report, not silently hidden.
In .cdk-insights.json:
{
"ignoreRules": [
{ "id": "cloudtrail-logging-disabled", "reason": "Why this is intentional" }
]
}Or inline in your CDK code:
Validations.of(scope).acknowledge({
id: 'cdk-insights::cloudtrail-logging-disabled',
reason: 'Why this is intentional',
});Use the rule ID cloudtrail-logging-disabled shown above โ not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. Suppression docs โ
Catch this in your stack
$ npx cdk-insights scanCDK Insights runs this and 118+ other rules locally against your synthesised CDK app โ free, no account, your code never leaves your machine.