diff --git a/README.md b/README.md
index c489f21..908dd6e 100644
--- a/README.md
+++ b/README.md
@@ -27,7 +27,10 @@ The following AWS Config Rules are supported:
 |------|-------------|:----:|:-----:|:-----:|
 | acm\_days\_to\_expiration | Specify the number of days before the rule flags the ACM Certificate as noncompliant. | string | `"14"` | no |
 | aggregate\_organization | Aggregate compliance data by organization | string | `"false"` | no |
+| check\_cloud\_trail\_encryption | Enable cloud-trail-encryption-enabled rule | string | `"false"` | no |
+| check\_cloud\_trail\_log\_file\_validation | Enable cloud-trail-log-file-validation-enabled rule | string | `"false"` | no |
 | check\_guard\_duty | Enable guardduty-enabled-centralized rule | string | `"false"` | no |
+| check\_multi\_region\_cloud\_trail | Enable multi-region-cloud-trail-enabled rule | string | `"false"` | no |
 | check\_rds\_public\_access | Enable rds-instance-public-access-check rule | string | `"false"` | no |
 | config\_aggregator\_name | The name of the aggregator. | string | `"organization"` | no |
 | config\_delivery\_frequency | The frequency with which AWS Config delivers configuration snapshots. | string | `"Six_Hours"` | no |
diff --git a/config-rules.tf b/config-rules.tf
index 8f122dc..4f49003 100644
--- a/config-rules.tf
+++ b/config-rules.tf
@@ -60,6 +60,60 @@ resource "aws_config_config_rule" "cloudtrail-enabled" {
 ]
 }
 
+resource "aws_config_config_rule" "multi-region-cloud-trail-enabled" {
+ count = "${var.check_multi_region_cloud_trail ? 1 : 0}"
+ name = "multi-region-cloud-trail-enabled"
+ description = "Checks that there is at least one multi-region AWS CloudTrail. The rule is NON_COMPLIANT if the trails do not match inputs parameters."
+
+ source {
+ owner = "AWS"
+ source_identifier = "MULTI_REGION_CLOUD_TRAIL_ENABLED"
+ }
+
+ maximum_execution_frequency = "${var.config_max_execution_frequency}"
+
+ depends_on = [
+ "aws_config_configuration_recorder.main",
+ "aws_config_delivery_channel.main",
+ ]
+}
+
+resource "aws_config_config_rule" "cloud-trail-encryption-enabled" {
+ count = "${var.check_cloud_trail_encryption ? 1 : 0}"
+ name = "cloud-trail-encryption-enabled"
+ description = "Checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The rule is COMPLIANT if the KmsKeyId is defined."
+
+ source {
+ owner = "AWS"
+ source_identifier = "CLOUD_TRAIL_ENCRYPTION_ENABLED"
+ }
+
+ maximum_execution_frequency = "${var.config_max_execution_frequency}"
+
+ depends_on = [
+ "aws_config_configuration_recorder.main",
+ "aws_config_delivery_channel.main",
+ ]
+}
+
+resource "aws_config_config_rule" "cloud-trail-log-file-validation-enabled" {
+ count = "${var.check_cloud_trail_log_file_validation ? 1 : 0}"
+ name = "cloud-trail-log-file-validation-enabled"
+ description = "Checks whether AWS CloudTrail creates a signed digest file with logs. AWS recommends that the file validation must be enabled on all trails. The rule is NON_COMPLIANT if the validation is not enabled."
+
+ source {
+ owner = "AWS"
+ source_identifier = "CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED"
+ }
+
+ maximum_execution_frequency = "${var.config_max_execution_frequency}"
+
+ depends_on = [
+ "aws_config_configuration_recorder.main",
+ "aws_config_delivery_channel.main",
+ ]
+}
+
 resource "aws_config_config_rule" "instances-in-vpc" {
 name = "instances-in-vpc"
 description = "Ensure all EC2 instances run in a VPC"
@@ -131,6 +185,18 @@ resource "aws_config_config_rule" "iam-user-no-policies-check" {
 depends_on = ["aws_config_configuration_recorder.main"]
 }
 
+resource "aws_config_config_rule" "iam-group-has-users-check" {
+ name = "iam-group-has-users-check"
+ description = "Checks whether IAM groups have at least one IAM user."
+
+ source {
+ owner = "AWS"
+ source_identifier = "IAM_GROUP_HAS_USERS_CHECK"
+ }
+
+ depends_on = ["aws_config_configuration_recorder.main"]
+}
+
 resource "aws_config_config_rule" "rds-storage-encrypted" {
 name = "rds-storage-encrypted"
 description = "Checks whether storage encryption is enabled for your RDS DB instances."
diff --git a/variables.tf b/variables.tf
index d533087..44c8c31 100644
--- a/variables.tf
+++ b/variables.tf
@@ -82,3 +82,18 @@ variable "check_rds_public_access" {
 description = "Enable rds-instance-public-access-check rule"
 default = false
 }
+
+variable "check_multi_region_cloud_trail" {
+ description = "Enable multi-region-cloud-trail-enabled rule"
+ default = false
+}
+
+variable "check_cloud_trail_encryption" {
+ description = "Enable cloud-trail-encryption-enabled rule"
+ default = false
+}
+
+variable "check_cloud_trail_log_file_validation" {
+ description = "Enable cloud-trail-log-file-validation-enabled rule"
+ default = false
+}
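Review bot: The description on `multi-region-cloud-trail-enabled` promises NON_COMPLIANT "if the trails do not match inputs parameters", but the resource never sets `input_parameters`, so the module constrains nothing about which bucket, log group or event selectors the trail must use and a reader will look for a knob that does not exist. Either trim the description to what is actually evaluated, `description = "Checks that there is at least one multi-region AWS CloudTrail."`, or expose the managed rule's optional parameters (for example `s3BucketName`) through a variable and pass them as `input_parameters`. The three CloudTrail rules in this hunk are the module's only trail tamper-evidence and encryption checks and all default off (`count` driven by `check_*` variables that default to `false` in the variables.tf hunk); a one-line comment above the first of them, `# Opt-in: created only when the matching check_* variable is true`, would make that visible to anyone auditing the module. This hunk spans two physical lines and its context before the first added resource shows only the closing `]` and `}` of the preceding `cloudtrail-enabled` resource, so I could not confirm that its `depends_on` list matches the one used here.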
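Review bot: `iam-group-has-users-check` is the one rule this commit adds without a `check_*` toggle: the three CloudTrail rules in the earlier hunk are gated by `count`, while this resource is always created, and neither the README table nor the variables.tf hunk in this commit mentions it, so it will be provisioned in every account that applies the module. If always-on is intended, say so in a comment (`# Always enabled: not gated by a check_* variable`) and add the rule to the README's supported-rules list; otherwise add a variable following the existing pattern and gate it with `count = "${var.check_iam_group_has_users ? 1 : 0}"` (variable name constructed to match the `check_*` convention, not taken from the page). It depends only on the recorder, like the neighbouring `iam-user-no-policies-check` shown in context, rather than on both the recorder and the delivery channel as the CloudTrail rules do; that looks deliberate but is worth confirming.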