lacework-global-75

3.2 Enable CloudTrail log file validation (Automated)

Profile Applicability

• Level 2

Description

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. Use these digest files to determine changed, deleted or unchanged log files after CloudTrail delivered the log. Best practices recommend enabling file validation on all CloudTrails.

Rationale

Enabling log file validation will provide additional integrity checking of CloudTrail logs.

Audit

Perform the following on each trail to determine if log file validation is enabled:

From Console

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail
2. Click on Trails on the left navigation pane
3. For Every Trail:
   • Click on a trail via the link in the Name column.
   • Under the S3 section, ensure Enable log file validation is set to Yes.

From Command Line

aws cloudtrail describe-trails

Ensure LogFileValidationEnabled is set to true for each trail

Remediation

Perform the following to enable log file validation on a given trail:

From Console

1. Sign in to the AWS Management Console and open the Identity and Access Management (IAM) console at https://console.aws.amazon.com/cloudtrail.
2. Click Trails on the left navigation pane.
3. Click target trail.
4. Within the S3 section click the edit icon (pencil).
5. Click Advanced.
6. Click the Yes radio button in section Enable log file validation.
7. Click Save.

From Command Line

aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation

Run the following command to perform periodic validation of logs using these digests:

aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>

References

CCE-78914-9
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html