lacework-global-75
3.2 Enable CloudTrail log file validation (Automated)
Profile Applicability
• Level 2
Description
CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. Use these digest files to determine changed, deleted or unchanged log files after CloudTrail delivered the log. Best practices recommend enabling file validation on all CloudTrails.
Rationale
Enabling log file validation will provide additional integrity checking of CloudTrail logs.
Audit
Perform the following on each trail to determine if log file validation is enabled:
From Console
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail
- Click on
Trails
on the left navigation pane - For Every Trail:
- Click on a trail via the link in the Name column.
- Under the
S3
section, ensureEnable log file validation
is set toYes
.
From Command Line
aws cloudtrail describe-trails
Ensure LogFileValidationEnabled
is set to true
for each trail
Remediation
Perform the following to enable log file validation on a given trail:
From Console
- Sign in to the AWS Management Console and open the Identity and Access Management (IAM) console at https://console.aws.amazon.com/cloudtrail.
- Click
Trails
on the left navigation pane. - Click target trail.
- Within the
S3
section click the edit icon (pencil). - Click
Advanced
. - Click the
Yes
radio button in sectionEnable log file validation
. - Click
Save
.
From Command Line
aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation
Run the following command to perform periodic validation of logs using these digests:
aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>
References
CCE-78914-9
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html