Terraform Guardrails - Aws Cloudtrail Multi Region

Aws Cloudtrail Multi Region

terraform.aws-cloudtrail-multi-region

Requires a multi-region CloudTrail trail that delivers events to CloudWatch Logs, so API activity is captured across every region and available for monitoring and alerting.
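As an added illustration (not code from the guardrail or from the Lunar project), the Terraform below contrasts a trail that would fail this check with one that satisfies it; the bucket and log-group names are placeholders, and the IAM role is the one CloudTrail assumes to write into CloudWatch Logs:

```hcl
# Fails the check: single-region trail with no CloudWatch Logs delivery.
resource "aws_cloudtrail" "weak" {
  name           = "weak-trail"
  s3_bucket_name = "example-cloudtrail-bucket" # placeholder
  # is_multi_region_trail defaults to false, so API activity in every
  # other region is never recorded by this trail.
}

# Passes the check: multi-region trail that also streams to CloudWatch Logs.
resource "aws_cloudwatch_log_group" "trail" {
  name              = "/aws/cloudtrail/org-trail" # placeholder
  retention_in_days = 365
}

# Role that CloudTrail assumes to write log streams into the group above.
resource "aws_iam_role" "trail_to_cwl" {
  name = "cloudtrail-to-cloudwatch-logs"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "cloudtrail.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy" "trail_to_cwl" {
  role = aws_iam_role.trail_to_cwl.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["logs:CreateLogStream", "logs:PutLogEvents"]
      Resource = "${aws_cloudwatch_log_group.trail.arn}:*"
    }]
  })
}

resource "aws_cloudtrail" "hardened" {
  name                          = "org-trail"
  s3_bucket_name                = "example-cloudtrail-bucket" # placeholder
  is_multi_region_trail         = true # captures all regions
  include_global_service_events = true # IAM, STS and other global APIs
  enable_log_file_validation    = true # tamper-evident digest files
  # The provider expects the log group ARN to end with ":*".
  cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.trail.arn}:*"
  cloud_watch_logs_role_arn     = aws_iam_role.trail_to_cwl.arn
}
```

With require_cloudtrail_cloudwatch left at its default of true, only the second trail satisfies both conditions the guardrail describes.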

cloudtrail multi-region cloudwatch audit log aws api soc2

Compatible Integrations

This guardrail works with the following integrations. Click to see how to use Aws Cloudtrail Multi Region with each collector.

Enable This Guardrail

Add the parent policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml
policies:
  - uses: github://earthly/lunar-lib/policies/terraform@v1.0.5
    include: [aws-cloudtrail-multi-region]
    # with: ...

How This Guardrail Works

This guardrail is part of the Terraform Guardrails policy. It evaluates data collected by integrations and produces a pass/fail check with actionable feedback.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement of your engineering standards.

Learn How Lunar Works
1. Integrations Gather Data: collectors extract metadata from code, CI pipelines, tool outputs, and scans
2. Centralized as JSON: all data is merged into each component's unified metadata document
3. This Guardrail Checks: Aws Cloudtrail Multi Region runs and provides pass/fail feedback

Configuration Options

These inputs can be configured in your lunar-config.yml to customize how the parent policy (and this guardrail) behaves.

Input | Required | Default | Description
required_backend_types | Required | (none) | Comma-separated list of approved backend types (empty = any remote backend)
min_provider_versions | Optional | {} | JSON object mapping provider names to minimum versions (e.g., {"aws": "5.0", "random": "3.0"})
ssh_port | Optional | 22 | TCP port treated as SSH for the public-ingress check
postgres_port | Optional | 5432 | TCP port treated as PostgreSQL for the public-ingress check
eks_required_log_types | Optional | api,audit,authenticator,controllerManager,scheduler | Comma-separated EKS control-plane log types that must be enabled
require_cloudtrail_cloudwatch | Optional | true | Whether CloudTrail must also deliver logs to CloudWatch Logs (true/false)
extra_admin_ports | Required | (none) | Additional comma-separated TCP ports to treat as sensitive for the public admin-ports check
min_password_length | Optional | 14 | Minimum IAM account password length required by aws-iam-password-min-length

Terraform Guardrails

This guardrail is part of the Terraform Guardrails policy, which includes 33 guardrails for deployment and infrastructure.

Ready to Automate Your Standards?

See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 200+ built-in guardrails.

Works with any process:
- AI agent rules & prompt files
- Post-mortem action items
- Security & compliance policies
- Testing & quality requirements