Ensure that your trails have the log file integrity validation feature enabled so that you can check the log files and detect whether they were modified or deleted after CloudTrail delivered them to the S3 bucket.
This rule can help you with the following compliance standards:
- The Center for Internet Security (CIS) AWS Foundations Benchmark
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Enabling this feature allows you to validate the integrity of your CloudTrail log files and determine whether the files were changed after delivery to the specified S3 bucket; the expectation is that the log files remain unchanged. Log file integrity validation uses industry-standard algorithms, SHA-256 for hashing and SHA-256 with RSA for digital signing, which makes it impossible to change the files without detection.
Note: this guide also explains how to validate your CloudTrail log files, as an integrity validation task for your security audit and compliance process, using the AWS CLI (see the Remediation / Resolution section, step 2).
Audit
To determine whether your trails have the log file validation feature enabled, perform the following:
Remediation / Resolution
Step 1: enable log file integrity validation. To turn this feature on for your trails, perform the following:
Step 2: validate your CloudTrail log files with the AWS CLI (validation via the CloudTrail console is not currently available in AWS). For the integrity validation process, perform the following:
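To make clear what the CLI validation step actually checks, the following added example (not part of this page or of AWS's tooling) re-implements the hash and chain checks of `validate-logs` over a constructed digest file: each covered log file's SHA-256 is compared with the recorded `hashValue`, the `previousDigestHashValue` link to the preceding digest is verified, and the string that CloudTrail signs for the digest is rebuilt. Field names follow the documented CloudTrail digest file structure; the S3 keys, account id, log contents and the placeholder signature are constructed, and verifying the RSA/SHA-256 signature with a key from `list-public-keys` is left to the caller.

```python
import hashlib
import json

# Constructed sample (not real AWS data): two log files and the previous digest.
LOGS = {
    "AWSLogs/111122223333/CloudTrail/us-east-1/a.json.gz": b'{"Records":[{"eventName":"StopLogging"}]}',
    "AWSLogs/111122223333/CloudTrail/us-east-1/b.json.gz": b'{"Records":[{"eventName":"DeleteTrail"}]}',
}
PREVIOUS_DIGEST = b'{"digestEndTime":"2024-01-01T00:00:00Z","logFiles":[]}'


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_digest() -> bytes:
    """Digest shaped like CloudTrail's, covering LOGS and chained to PREVIOUS_DIGEST."""
    digest = {
        "digestEndTime": "2024-01-01T01:00:00Z",
        "digestS3Bucket": "example-trail-bucket",
        "digestS3Object": "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/d.json.gz",
        "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST),
        "previousDigestSignature": "ab" * 8,  # placeholder hex, not a real signature
        "logFiles": [{"s3Object": k, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(v)}
                     for k, v in LOGS.items()],
    }
    return json.dumps(digest).encode()


def signing_string(digest_bytes: bytes) -> str:
    """Data CloudTrail signs per digest: end time, digest S3 path, hex SHA-256 of
    the digest content and the previous digest's signature, newline-joined."""
    d = json.loads(digest_bytes)
    return "\n".join([d["digestEndTime"], d["digestS3Bucket"] + "/" + d["digestS3Object"],
                      sha256_hex(digest_bytes), d["previousDigestSignature"]])


def validate_digest(digest_bytes: bytes, log_files: dict, previous_digest: bytes) -> list:
    """Return failed checks; an empty list means every covered log file is present
    and unmodified and the digest chain is intact."""
    d = json.loads(digest_bytes)
    problems = []
    for entry in d["logFiles"]:
        key, content = entry["s3Object"], log_files.get(entry["s3Object"])
        if content is None:
            problems.append(f"{key}: missing (deleted after delivery?)")
        elif sha256_hex(content) != entry["hashValue"]:
            problems.append(f"{key}: SHA-256 mismatch (modified after delivery?)")
    # Each digest stores its predecessor's hash, so removing or altering one digest breaks the chain.
    if sha256_hex(previous_digest) != d["previousDigestHashValue"]:
        problems.append("previousDigestHashValue does not match previous digest")
    return problems
```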
References
- AWS Documentation
- AWS CloudTrail FAQs
- CloudTrail Concepts
- Validating CloudTrail Log File Integrity
- Enabling Log File Integrity Validation for CloudTrail
- Validating CloudTrail Log File Integrity with the AWS CLI
- Creating and Updating Your Trail
- Creating and Updating a Trail with the AWS CLI
- AWS Command Line Interface (CLI) Documentation
- describe-trails
- update-trail
- validate-logs
Rule: CloudTrail Log File Integrity Validation
Risk level: Medium