
AWS CloudTrail log validation is not enabled in all regions

Description

CloudTrail log file validation creates a digitally signed digest file containing a SHA-256 hash of each log file that CloudTrail writes to S3. Digest files are delivered hourly, and each one references the previous digest by hash and signature, so the digests can be used to determine whether a log file was changed, deleted, or left untouched after CloudTrail delivered it. It is recommended that log file validation be enabled on every trail.

We recommend enabling log file validation because it gives CloudTrail logs an integrity check that is independent of the S3 bucket holding them. Validation detects tampering after the fact rather than preventing it, and it only covers log files delivered after it was enabled, so it should be paired with tight access controls on the log bucket rather than replace them.
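The following script illustrates the check that the digest files make possible. It is an added example, not code from this page, from Checkov or from AWS: it performs the same hash comparisons that `aws cloudtrail validate-logs` does, using only the Python standard library, and reports each covered object as unchanged, modified, or missing. The bucket name, object keys, log records and the digest itself are constructed for the example; the RSA signature check over the digest (which needs the trail's public key from `aws cloudtrail list-public-keys`) is deliberately left out.

```python
"""Check CloudTrail log objects against a digest file (hash checks only).

Added illustration, not code from this page, from Checkov or from AWS.
All sample data below is constructed; the digest signature is not verified.
"""
import gzip
import hashlib
import json
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_object(records: list) -> bytes:
    """Gzipped JSON, i.e. the bytes CloudTrail writes to S3 for one log file."""
    return gzip.compress(json.dumps({"Records": records}).encode())


# --- constructed sample data (assumed bucket name, account id and keys) ------
BUCKET = "example-trail-bucket"
ACCOUNT = "111122223333"
LOG_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/01/01/"
DIGEST_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2024/01/01/"
LOG_A = LOG_PREFIX + f"{ACCOUNT}_CloudTrail_us-east-1_20240101T0000Z_aaaa.json.gz"
LOG_B = LOG_PREFIX + f"{ACCOUNT}_CloudTrail_us-east-1_20240101T0005Z_bbbb.json.gz"
PREV_DIGEST_KEY = DIGEST_PREFIX + f"{ACCOUNT}_CloudTrail-Digest_us-east-1_trail_us-east-1_20240101T0000Z.json.gz"

OBJECTS: Dict[str, bytes] = {
    LOG_A: make_log_object([{"eventName": "ConsoleLogin", "eventTime": "2024-01-01T00:00:10Z"}]),
    LOG_B: make_log_object([{"eventName": "StopLogging", "eventTime": "2024-01-01T00:05:42Z"}]),
}
PREVIOUS_DIGEST = gzip.compress(b'{"logFiles": []}')  # stand-in for the prior digest object

# A digest shaped like the ones CloudTrail delivers for these two objects
# (signature and timestamp fields omitted).
DIGEST = {
    "awsAccountId": ACCOUNT,
    "digestS3Bucket": BUCKET,
    "previousDigestS3Bucket": BUCKET,
    "previousDigestS3Object": PREV_DIGEST_KEY,
    "previousDigestHashAlgorithm": "SHA-256",
    "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST),
    "logFiles": [
        {"s3Bucket": BUCKET, "s3Object": key, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(data)}
        for key, data in OBJECTS.items()
    ],
}


def verify_digest(digest: dict, objects: Dict[str, bytes],
                  previous_digest: Optional[bytes]) -> Dict[str, str]:
    """Return {object key: 'valid' | 'modified' | 'missing'} for every object the digest covers.

    `objects` maps S3 keys to the bytes currently stored; a key absent from it
    means the object is gone from the bucket. The previous digest is checked
    as well, because each digest links to its predecessor by hash: deleting an
    older digest breaks the chain and shows up as 'missing'.
    """
    def status(data: Optional[bytes], expected_hash: str, algorithm: str) -> str:
        if algorithm != "SHA-256":
            raise ValueError(f"unsupported hash algorithm {algorithm!r}")
        if data is None:
            return "missing"
        return "valid" if sha256_hex(data) == expected_hash else "modified"

    results: Dict[str, str] = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        results[key] = status(objects.get(key), entry["hashValue"], entry["hashAlgorithm"])

    if digest.get("previousDigestHashValue"):  # null for the first digest of a trail
        results[digest["previousDigestS3Object"]] = status(
            previous_digest, digest["previousDigestHashValue"], digest["previousDigestHashAlgorithm"])
    return results


if __name__ == "__main__":
    print(verify_digest(DIGEST, OBJECTS, PREVIOUS_DIGEST))
    # Simulate an intruder who rewrote one log file and deleted the other.
    print(verify_digest(DIGEST, {LOG_B: make_log_object([])}, PREVIOUS_DIGEST))
```

Run against a real bucket, the same function would be fed the decompressed digest JSON and the raw (still gzipped) log objects fetched from S3, since CloudTrail hashes the object bytes as stored.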

Fix - Runtime

AWS Console

To enable log file validation on a given trail, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the CloudTrail console.
  3. On the left navigation pane, click Trails.
  4. Select the target trail.
  5. Navigate to the S3 section, click the edit icon (pencil).
  6. Click Advanced.
  7. In the Enable log file validation section, select Yes.
  8. Click Save.

CLI Command

To enable log file validation on an existing trail, run update-trail in the trail's home region (for a multi-region trail, the region in which it was created):

aws cloudtrail update-trail \
  --name <trail_name> \
  --enable-log-file-validation

To validate the log files and digest files delivered in a given time window, use the following command. It fetches the digest files for that window, verifies their signatures with the trail's public key, and compares the hash of every log file against the digest; --start-time is required (UTC, for example 2024-01-01T00:00:00Z), --end-time defaults to the current time, and --verbose lists every file checked. Only files delivered after validation was enabled can be checked.

aws cloudtrail validate-logs \
  --trail-arn <trail_arn> \
  --start-time <start_time> \
  --end-time <end_time>
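The check this policy describes, applied across every region, as an added example that is not code from this page, from Checkov or from AWS. `evaluate_trails` works on the trail objects that describe-trails returns (Name, TrailARN, HomeRegion, IsMultiRegionTrail, LogFileValidationEnabled) and emits the update-trail command above for each failing trail; the sample response is constructed. `scan_account` is a live wrapper that needs boto3 and credentials and is not exercised here.

```python
"""Find trails whose log file validation is disabled, across all regions.

Added example, not code from this page, from Checkov or from AWS.
The account id and describe-trails response below are constructed.
"""
from typing import Dict, Iterable, List

ACCOUNT = "111122223333"  # assumed account id

# Constructed describe-trails output for two regions. The multi-region trail
# appears in eu-west-1 as a shadow trail (HomeRegion differs from the region
# queried); the regional trail in eu-west-1 has validation turned off.
SAMPLE_TRAILS: Dict[str, List[dict]] = {
    "us-east-1": [
        {"Name": "org-trail",
         "TrailARN": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/org-trail",
         "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
         "LogFileValidationEnabled": True},
    ],
    "eu-west-1": [
        {"Name": "org-trail",
         "TrailARN": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/org-trail",
         "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
         "LogFileValidationEnabled": True},
        {"Name": "eu-local",
         "TrailARN": f"arn:aws:cloudtrail:eu-west-1:{ACCOUNT}:trail/eu-local",
         "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
         "LogFileValidationEnabled": False},
    ],
}


def evaluate_trails(trails_by_region: Dict[str, List[dict]]) -> List[dict]:
    """Return one finding per trail whose LogFileValidationEnabled is not true.

    Shadow copies are skipped so a multi-region trail is judged once, in its
    home region, which is also the only region where update-trail can change it.
    A missing LogFileValidationEnabled field is treated as disabled.
    """
    findings = []
    for region, trails in trails_by_region.items():
        for trail in trails:
            if trail.get("HomeRegion", region) != region:
                continue  # shadow trail; evaluated in its home region
            if trail.get("LogFileValidationEnabled") is not True:
                findings.append({"region": region, "name": trail["Name"], "arn": trail["TrailARN"]})
    return findings


def remediation_commands(findings: List[dict]) -> List[str]:
    """The CLI fix from this page, one command per finding, targeted at the home region."""
    return [
        f"aws cloudtrail update-trail --region {f['region']} --name {f['arn']} --enable-log-file-validation"
        for f in findings
    ]


def scan_account(regions: Iterable[str] = ()) -> Dict[str, List[dict]]:
    """Live collection: describe-trails in each region (boto3 is imported only here)."""
    import boto3  # needed only for a live scan

    session = boto3.session.Session()
    region_list = list(regions) or session.get_available_regions("cloudtrail")
    return {
        r: session.client("cloudtrail", region_name=r).describe_trails()["trailList"]
        for r in region_list
    }


if __name__ == "__main__":
    for cmd in remediation_commands(evaluate_trails(SAMPLE_TRAILS)):
        print(cmd)
```

For a live run, replace `SAMPLE_TRAILS` with `scan_account()`; describe-trails includes shadow trails by default, which is why the home-region filter matters.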

Fix - Buildtime

Terraform

  • Resource: aws_cloudtrail
  • Argument: enable_log_file_validation - (Optional) Specifies whether log file integrity validation is enabled. Defaults to false.
resource "aws_cloudtrail" "trail_1" {
  ...
  name                          = "terraform.env-trail-01"
+ enable_log_file_validation    = true
}

CloudFormation

  • Resource: AWS::CloudTrail::Trail
  • Argument: Properties.EnableLogFileValidation
Resources: 
   myTrail: 
      Type: AWS::CloudTrail::Trail
      Properties: 
        ...
+       EnableLogFileValidation: True