CloudTrail Rules
These rules catch redundant CloudTrail trail configurations that generate duplicate event charges without adding audit coverage.
| Rule ID | Scan Type | Name |
|---|---|---|
| CLDBRN-AWS-CLOUDTRAIL-1 | Discovery | CloudTrail Redundant Global Trails |
| CLDBRN-AWS-CLOUDTRAIL-2 | Discovery | CloudTrail Redundant Regional Trails |
CLDBRN-AWS-CLOUDTRAIL-1
CloudTrail Redundant Global Trails
Scan type: Discovery
What it checks
Flags multi-region CloudTrail trails when an account has more than one trail configured to cover all regions. A single multi-region trail is sufficient for account-wide audit coverage; additional multi-region trails record the same events and incur duplicate charges.
Why it matters
CloudTrail delivers the first copy of management events for free and charges $2 per 100,000 management events for each additional copy. Each additional multi-region trail processes the full event volume across every region, so one redundant trail can easily double your CloudTrail spend.
What triggers a finding
The account has more than one multi-region trail enabled. CloudBurn keeps the trail with the lowest ARN (alphabetically first) and flags all others.
How to remediate
Delete all but one multi-region trail per account. Verify the trail you keep has delivery to an S3 bucket configured correctly before deleting the others.
CLDBRN-AWS-CLOUDTRAIL-2
CloudTrail Redundant Regional Trails
Scan type: Discovery
What it checks
Flags single-region CloudTrail trails when more than one trail covers the same region in the same account. A single trail per region captures all regional events; additional trails produce identical records at additional cost.
Why it matters
Per-trail event charges apply regardless of whether another trail already covers the same region. Multiple regional trails for the same region multiply costs with no audit benefit.
What triggers a finding
The account has more than one single-region trail enabled for the same region. CloudBurn flags duplicates beyond the first trail per region.
How to remediate
Delete all but one single-region trail per region. If you need both multi-region and regional coverage, use the multi-region trail and remove the redundant regional one.
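The grouping behind both rules, together with the pre-deletion check from the remediation steps, sketched as an added example (not CloudBurn's own code). It assumes each record merges CloudTrail `DescribeTrails` fields with `GetTrailStatus` fields for an enabled trail, and that "first trail per region" uses the same lowest-ARN ordering as the global rule; the account ID and trail names are constructed.

```python
from collections import defaultdict

# Constructed sample: DescribeTrails fields (TrailARN, IsMultiRegionTrail,
# HomeRegion) merged with GetTrailStatus fields (IsLogging, LatestDeliveryError).
ARN = "arn:aws:cloudtrail:{}:111122223333:trail/{}"
TRAILS = [
    {"TrailARN": ARN.format("us-east-1", "org-audit"), "IsMultiRegionTrail": True,
     "HomeRegion": "us-east-1", "IsLogging": True, "LatestDeliveryError": "AccessDenied"},
    {"TrailARN": ARN.format("us-west-2", "legacy-all"), "IsMultiRegionTrail": True,
     "HomeRegion": "us-west-2", "IsLogging": True, "LatestDeliveryError": None},
    {"TrailARN": ARN.format("eu-west-1", "eu-a"), "IsMultiRegionTrail": False,
     "HomeRegion": "eu-west-1", "IsLogging": True, "LatestDeliveryError": None},
    {"TrailARN": ARN.format("eu-west-1", "eu-b"), "IsMultiRegionTrail": False,
     "HomeRegion": "eu-west-1", "IsLogging": True, "LatestDeliveryError": None},
    {"TrailARN": ARN.format("ap-south-1", "apac"), "IsMultiRegionTrail": False,
     "HomeRegion": "ap-south-1", "IsLogging": True, "LatestDeliveryError": None},
]


def find_redundant(trails):
    """Return one finding per redundant trail, sorted by flagged ARN."""
    groups = defaultdict(list)
    for trail in trails:
        # Multi-region trails compete with each other; regional trails
        # compete only with other regional trails in the same region.
        key = "global" if trail["IsMultiRegionTrail"] else trail["HomeRegion"]
        groups[key].append(trail)

    findings = []
    for key, members in groups.items():
        members = sorted(members, key=lambda t: t["TrailARN"])
        keeper, extras = members[0], members[1:]
        # Deleting the extras is only safe if the kept trail is logging and
        # its last S3 delivery did not fail; otherwise audit coverage is lost.
        keeper_ok = keeper["IsLogging"] and not keeper["LatestDeliveryError"]
        rule = "CLDBRN-AWS-CLOUDTRAIL-" + ("1" if key == "global" else "2")
        for extra in extras:
            findings.append({"rule": rule, "flagged": extra["TrailARN"],
                             "keep": keeper["TrailARN"],
                             "safe_to_delete": keeper_ok})
    return sorted(findings, key=lambda f: f["flagged"])


if __name__ == "__main__":
    for finding in find_redundant(TRAILS):
        print(finding)
```

In the sample, the multi-region trail that would be kept has a failing S3 delivery, so the finding against the other multi-region trail is marked unsafe to act on until delivery is fixed.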
See Also
- CLI discover command — scan live CloudTrail resources
- SDK Reference — run discovery programmatically