Logo of Trend Micro

CloudTrail Log File Integrity Validation

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: CT-007

Ensure that your trails have file integrity validation feature enabled in order to check the log files and detect whether these were modified or deleted after CloudTrail agent delivered them to the S3 bucket.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Enabling this feature will allow you to validate the integrity of your CloudTrail log files and determine if the files were changed once delivered to the specified S3 bucket - the expectation is that the log files should remain unchanged. The log file integrity validation use industry standard algorithms such as SHA-256 for hashing and SHA-256 RSA for digital signing which makes impossible to change files without detection.

Note: this guide will also explain how to validate your CloudTrail log files as integrity validation task for your security audit and compliance process by using AWS CLI (see Remediation / Resolution section, step 2).

Audit

To determine if your trails have log file validation feature enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to examine.

05 Under S3 section, check for Enable log file validation status:

Enable log file validation status

If the feature status is set to No, the selected trail does not have log file integrity validation enabled.

Using AWS CLI

01Run describe-trails command (OSX/Linux/UNIX) to list all trails available in the selected AWS region: 

aws cloudtrail describe-trails

02The command output should expose each CloudTrail trail configuration details. If LogFileValidationEnabled config parameter value is set to false, the selected trail does not have validation support enabled for its log file(s): 

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyGlobalTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:
                         123456789012:trail/MyGlobalTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": false,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

Remediation / Resolution

Step 1: enable log file integrity validation. To turn on this feature for your trails, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to update.

05 Click the pencil icon: next to S3 section to edit the trail bucket configuration.

06 Under S3 bucket* click Advanced and search for the Enable log file validation configuration status.

07 Select Yes to enable log file validation:

Select Yes to enable log file validation

2then click Save:

Click Save

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list all CloudTrail trails available in the selected AWS region and their configuration details (name, ARN, log validation status, etc): 

aws cloudtrail describe-trails

02 The command output should return the current configuration details for the selected trail. If the log file validation feature is disabled, the IncludeGlobalServiceEvents parameter value is set to false: 

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyGlobalTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:
                         123456789012:trail/MyGlobalTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": false,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

03 Run update-trail command (OSX/Linux/UNIX) using the selected trail name to update the trail configuration and enable log file integrity validation: 

aws cloudtrail update-trail
	--name MyGlobalTrail
	--enable-log-file-validation

04 The command output should return the new configuration details for the selected trail. The log file validation feature should be enabled as the IncludeGlobalServiceEvents parameter value is set to true: 

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyGlobalTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:
                         123456789012:trail/MyGlobalTrail",
            "LogFileValidationEnabled": true,
            "IsMultiRegionTrail": false,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

Step 2: validate your CloudTrail log files with AWS CLI (validation via CloudTrail console is not currently available in AWS). For integrity validation process, perform the following:

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list all trails available in the selected AWS region and their configuration details (name, ARN, bucket name, etc):

aws cloudtrail describe-trails

02 The command output should return the ARN (Amazon Resource Name) for each trail available in the selected region: 

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyGlobalTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:
                         123456789012:trail/MyGlobalTrail",
            "LogFileValidationEnabled": true,
            "IsMultiRegionTrail": false,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

03 Run validate-logs command (OSX/Linux/UNIX) using the selected trail ARN and a time frame for the log files delivery to validate and detect any changes made for the selected trail log:

aws cloudtrail validate-logs
	--trail-arn arn:aws:cloudtrail:us-east-1:123456789012:trail/MyGlobalTrail
	--start-time 2016-04-13T00:00:00Z
	--end-time 2016-04-13T12:00:00Z

04 AWS CLI allows you to detect any modification or deletion of CloudTrail log files and/or any modification or deletion of CloudTrail digest files. The command output should return the log files integrity status after validation:
If the files were not modified or deleted, the output should like this:

Validating log files for trail
arn:aws:cloudtrail:us-east-1:123456789012:trail/MyGlobalTrail
between 2016-04-13T00:00:00Z and 2016-04-13T12:00:00Z

Results requested for 2016-04-13T00:00:00Z to 2016-04-13T12:00:00Z
Results found for 2016-04-13T05:55:11Z to 2016-04-13T07:55:11Z:

2/2 digest files valid
4/4 log files valid

If one or more files were modified, the output should like this:

Log file s3://cloudtrail-global-logging/AWSLogs/123456789012/CloudTrail/us-east-1/2016/04/13/123456789012_CloudTrail_us-east-1_20160413T0850Z_aIGwDi2kQ8Ssp7Ro.json.gz INVALID: hash value doesn't match

Results requested for 2016-04-13T00:00:00Z to 2016-04-13T12:00:00Z
Results found for 2016-04-13T05:55:11Z to 2016-04-13T07:55:11Z:

2/2 digest files valid
3/4 log files valid, 1/4 log files INVALID

If one or more files were deleted, the output should like this:

Log file s3://cloudtrail-global-logging/AWSLogs/123456789012/CloudTrail/us-east-1/2016/04/13/123456789012_CloudTrail_us-east-1_20160413T0840Z_s7jdXNMjkqzARcKI.json.gz INVALID: not found

Results requested for 2016-04-13T00:00:00Z to 2016-04-13T12:00:00Z
Results found for 2016-04-13T06:50:11Z to 2016-04-13T08:50:11Z:

2/2 digest files valid
3/4 log files valid, 1/4 log files INVALID

References

Publication date Apr 13, 2016

Related CloudTrail rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

CloudTrail Log File Integrity Validation

Risk level: Medium