Ensure CloudTrail log file validation is enabled

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.

Risk Level: Low
Cloud Entity: CloudTrail
CloudGuard Rule ID: D9.AWS.LOG.02
Covered by Spectral: Yes
Category: Management Tools

GSL LOGIC

CloudTrail should have logFileValidationEnabled=true

REMEDIATION

From Portal
Perform the following to enable log file validation on a given trail: Via the management Console

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail
  2. On the CloudTrail service home page, the Trails page, or the Trails section of the Dashboard page, choose Create trail.
  3. On the Create Trail page, for Trail name, type a name for your trail.
  4. For Storage location, choose Create new S3 bucket to create a bucket. When you create a bucket, CloudTrail creates and applies the required bucket policies.
  5. In Additional settings, click on the yes radio button in section 'Enable log file validation'.
  6. Click Save

From TF

resource "aws_cloudtrail" "negative1" {
	name                          = "negative1"
	s3_bucket_name                = "bucketlog1"
	+ enable_log_file_validation    = true
}

From Command Line
aws cloudtrail update-trail --name TRAIL-NAME --enable-log-file-validation

References

  1. https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
  2. https://docs.amazonaws.cn/en_us/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail
  4. https://docs.amazonaws.cn/en_us/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html

CloudTrail

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CIS Foundations v. 1.0.0
  • AWS CIS Foundations v. 1.1.0
  • AWS CIS Foundations v. 1.2.0
  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CIS Foundations v. 2.0.0
  • AWS CSA CCM v.3.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS GDPR Readiness
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset