Ensure CloudTrail log file validation is enabled

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.

Risk Level: Low
Cloud Entity: CloudTrail
CloudGuard Rule ID: D9.TF.AWS.LOG.02
Covered by Spectral: No
Category: Management Tools


aws_cloudtrail should have enable_log_file_validation=true


  1. Run aws cloudtrail describe-trails 2. Ensure LogFileValidationEnabled is set to true for each trail


AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.

Compliance Frameworks

  • Terraform AWS CIS Foundations