This rule monitors for modifications to AWS CloudTrails.
Low / High
CloudTrail is the AWS auditing service, and modifications may mean loss of sensitive audit data. AWS CloudTrails should be modified very rarely, and modifications closely monitored and approved.
If this CloudTrail change was not planned, review the CloudTrail event history to see what changes were made and by who. Revert inappropriate changes, and revoke access as necessary. Remember that disabling/modifying CloudTrail can prevent future audit logs from being generated, investigate your AWS environment for other changes if logging was temporarily disabled.
CIS AWS Benchmark 3.5: "Ensure a log metric filter and alarm exist for CloudTrail configuration changes"