Ensure CloudTrail log file validation is enabled

To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection Enabling this feature will validate log files and detect whether these were modified or deleted after CloudTrail agent delivered them.

Risk Level: High
Cloud Entity: CloudTrail
CloudGuard Rule ID: D9.CFT.LOG.08
Covered by Spectral: Yes
Category: Management Tools

GSL LOGIC

AWS_CloudTrail_Trail should have EnableLogFileValidation=true

REMEDIATION

From CFT
Set AWS::CloudTrail::Trail::EnableLogFileValidation to true.
See below example;

Resources:
CloudTrail:
Type: 'AWS::CloudTrail::Trail'
Properties:
...

EnableLogFileValidation: true

...

References

  1. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
  2. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-enablelogfilevalidation

CloudTrail

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.

Compliance Frameworks

  • AWS CloudFormation ruleset