Ensure that your trails have the log file integrity validation feature enabled so that you can check the log files and detect whether they were modified or deleted after CloudTrail delivered them to the S3 bucket.
Enabling this feature allows you to validate the integrity of your CloudTrail log files and determine whether the files were changed after delivery to the specified S3 bucket; the expectation is that the log files remain unchanged. Log file integrity validation uses industry-standard algorithms, SHA-256 for hashing and RSA with SHA-256 for digital signing, which makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. Note: this guide also explains how to validate your CloudTrail log files, as an integrity validation task for your security audit and compliance process, using the AWS CLI (see the Remediation / Resolution section, step 2).
To determine whether your trails have the log file validation feature enabled, perform the following:
Step 1: enable log file integrity validation. To turn on this feature for your trails, perform the following:
Step 2: validate your CloudTrail log files with the AWS CLI (validation via the CloudTrail console is not currently available). To run the integrity validation process, perform the following:
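The AWS CLI does the work in step 2 for you (`aws cloudtrail validate-logs --trail-arn <trail-arn> --start-time <time>` reports every log file in the window as valid, modified or missing, and `aws cloudtrail update-trail --name <trail> --enable-log-file-validation` is the CLI form of step 1). To show what that validation actually checks, here is an added example, not from the original guide or from AWS: an offline model of the digest-file checks, using the field names CloudTrail writes into its hourly digest files (documented in the AWS CloudTrail User Guide) but entirely constructed data, so it runs without an AWS account. The bucket name, object keys and the `aa…` previous signature are placeholders; the RSA signature verification against the key from `aws cloudtrail list-public-keys` is described but not performed, only the string it signs is reconstructed.

```python
"""Offline model of CloudTrail digest-file validation (added example, constructed data)."""
import gzip
import hashlib
import json
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, the hash algorithm CloudTrail records for each log file."""
    return hashlib.sha256(data).hexdigest()


def make_log_object(records: list) -> bytes:
    """Gzipped CloudTrail-style log object (constructed sample, not real AWS output)."""
    body = json.dumps({"Records": records}, separators=(",", ":")).encode()
    return gzip.compress(body, mtime=0)  # fixed mtime keeps the bytes deterministic


def make_digest(bucket: str, key: str, log_objects: Dict[str, bytes],
                end_time: str, previous: Optional[dict] = None) -> bytes:
    """Digest document using CloudTrail's field names; all values are constructed."""
    digest = {
        "digestEndTime": end_time,
        "digestS3Bucket": bucket,
        "digestS3Object": key,
        "digestSignatureAlgorithm": "SHA256withRSA",
        "logFiles": [
            {"s3Bucket": bucket, "s3Object": k, "hashValue": sha256_hex(v),
             "hashAlgorithm": "SHA-256"}
            for k, v in sorted(log_objects.items())
        ],
        "previousDigestS3Bucket": previous["bucket"] if previous else None,
        "previousDigestS3Object": previous["key"] if previous else None,
        "previousDigestHashValue": sha256_hex(previous["bytes"]) if previous else None,
        "previousDigestHashAlgorithm": "SHA-256" if previous else None,
        "previousDigestSignature": previous["signature"] if previous else None,
    }
    return json.dumps(digest, separators=(",", ":")).encode()


def verify_digest(digest_bytes: bytes, fetched: Dict[str, bytes],
                  previous_digest_bytes: Optional[bytes] = None) -> dict:
    """Compare each listed log file with the bytes actually fetched from S3, and
    check the hash chain back to the previous digest. Mirrors the valid /
    modified / missing verdicts that `aws cloudtrail validate-logs` prints."""
    digest = json.loads(digest_bytes)
    statuses = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if key not in fetched:
            statuses[key] = "missing"      # deleted after delivery
        elif sha256_hex(fetched[key]) == entry["hashValue"]:
            statuses[key] = "valid"
        else:
            statuses[key] = "modified"     # content differs from what was hashed
    chain = "no previous digest"
    if digest["previousDigestS3Object"]:
        if previous_digest_bytes is None:
            chain = "previous digest missing"
        elif sha256_hex(previous_digest_bytes) == digest["previousDigestHashValue"]:
            chain = "valid"
        else:
            chain = "chain broken"         # an earlier digest was altered or replaced
    return {"log_files": statuses, "chain": chain}


def signing_string(digest_bytes: bytes) -> str:
    """The newline-joined string CloudTrail signs with RSA-SHA256: digest end time,
    digest S3 path, hex SHA-256 of the digest file, previous digest's hex signature.
    The signature is stored in the digest object's x-amz-meta-signature metadata;
    verifying it with the public key from `aws cloudtrail list-public-keys` is the
    step this model omits."""
    d = json.loads(digest_bytes)
    return "\n".join([d["digestEndTime"],
                      f"{d['digestS3Bucket']}/{d['digestS3Object']}",
                      sha256_hex(digest_bytes),
                      d["previousDigestSignature"] or ""])


def demo() -> dict:
    """Run the checks over intact, tampered and chain-broken constructed data."""
    bucket = "example-cloudtrail-bucket"  # placeholder
    logs = {
        "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/a.json.gz":
            make_log_object([{"eventName": "ConsoleLogin"}]),
        "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/b.json.gz":
            make_log_object([{"eventName": "DeleteTrail"}]),
    }
    prev = make_digest(bucket, "digest-prev.json.gz", {}, "2024-01-01T00:00:00Z")
    cur = make_digest(bucket, "digest-cur.json.gz", logs, "2024-01-01T01:00:00Z",
                      previous={"bucket": bucket, "key": "digest-prev.json.gz",
                                "bytes": prev, "signature": "aa" * 16})
    a_key, b_key = sorted(logs)
    tampered = dict(logs)
    tampered[a_key] = make_log_object([])  # event scrubbed from one object
    del tampered[b_key]                    # other object deleted from the bucket
    return {"intact": verify_digest(cur, logs, prev),
            "altered": verify_digest(cur, tampered, prev),
            "broken_chain": verify_digest(cur, logs, prev + b"x")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain check is why validation must start from an unmodified digest: each digest carries the hash and signature of the previous one, so replacing a log file requires rewriting every later digest, and the RSA signature over `signing_string` makes that impossible without AWS's private key.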