nccgroup / ScoutSuite

Multi-Cloud Security Auditing Tool
GNU General Public License v2.0

AWS: "Management Events Logging Disabled" misses the mark #1668

Open rdegraaf-ncc3 opened 2 months ago

rdegraaf-ncc3 commented 2 months ago

Describe the bug

The finding "Management Events Logging Disabled" flags any CloudTrail Trails that do not have management event logging enabled. That's not a very useful thing to check: it's perfectly valid to have multiple Trails in a region and there's no need to log management events in more than one of them. A better thing to check would be for regions that don't have at least one Trail that logs management events.

Note that management events can be split into read and write; we need to make sure that both are covered. There are also settings to exclude "KMS events" and "RDS Data API events"; we also need to make sure that at least one Trail has those disabled. So the check can't be as simple as "ensure that at least one Trail has management event logging enabled"; we need to make sure that at least one Trail in the region has each of the following:
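One way to express the per-region check described above, as an added example that is neither ScoutSuite's code nor the commenter's: it treats a region as covered only when the union of its logging trails' basic event selectors logs read and write management events with neither KMS nor RDS Data API events excluded. The input mirrors the basic (non-advanced) event selector shape returned by CloudTrail's GetEventSelectors API, the sample data is constructed, and it is assumed the caller has already grouped trails per region (placing multi-region trails in every region).

```python
from itertools import product

DIRECTIONS = ("read", "write")
# Management-event classes a region must have logged by at least one trail:
# general events plus the two sources that a selector can explicitly exclude.
SOURCES = ("general", "kms", "rdsdata")
EXCLUDABLE = {"kms": "kms.amazonaws.com", "rdsdata": "rdsdata.amazonaws.com"}
ALL_CLASSES = frozenset(product(DIRECTIONS, SOURCES))


def selector_classes(selector):
    """Event classes (direction, source) that one basic event selector logs."""
    if not selector.get("IncludeManagementEvents", False):
        return frozenset()
    rw = selector.get("ReadWriteType", "All")
    dirs = {"ReadOnly": ("read",), "WriteOnly": ("write",)}.get(rw, DIRECTIONS)
    excluded = set(selector.get("ExcludeManagementEventSources", []))
    sources = [s for s in SOURCES
               if s not in EXCLUDABLE or EXCLUDABLE[s] not in excluded]
    return frozenset(product(dirs, sources))


def region_gaps(trails):
    """Classes no logging trail in the region covers; an empty set means compliant."""
    covered = set()
    for trail in trails:
        if not trail.get("IsLogging", False):
            continue  # a trail that exists but is stopped logs nothing
        for selector in trail.get("EventSelectors", []):
            covered |= selector_classes(selector)
    return ALL_CLASSES - covered


def audit(regions):
    """Map each region name to a sorted list of its uncovered event classes."""
    return {name: sorted(region_gaps(trails)) for name, trails in regions.items()}


# Constructed sample: two trails splitting read/write (one excluding KMS reads),
# one trail covering everything, and one trail that is not logging at all.
SAMPLE_REGIONS = {
    "us-east-1": [
        {"Name": "writes", "IsLogging": True, "EventSelectors": [
            {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
        {"Name": "reads-no-kms", "IsLogging": True, "EventSelectors": [
            {"ReadWriteType": "ReadOnly", "IncludeManagementEvents": True,
             "ExcludeManagementEventSources": ["kms.amazonaws.com"]}]}],
    "eu-west-1": [
        {"Name": "all", "IsLogging": True, "EventSelectors": [
            {"ReadWriteType": "All", "IncludeManagementEvents": True}]}],
    "ap-south-1": [
        {"Name": "stopped", "IsLogging": False, "EventSelectors": [
            {"ReadWriteType": "All", "IncludeManagementEvents": True}]}],
}
```

Running `audit(SAMPLE_REGIONS)` reports only the missing KMS read coverage for us-east-1, nothing for eu-west-1, and all six classes for ap-south-1; advanced event selectors would need a separate mapping.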