CloudTrail log file validation should be enabled

Description

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. Use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. You should enable file validation on all CloudTrails.

Rationale

Enabling log file validation will provide additional integrity checking of CloudTrail logs.

Remediation

Perform the following to enable log file validation on a given trail.

From the console

  1. Open the IAM console.

  2. Click Trails in the left navigation pane.

  3. Select the target trail.

  4. In the General details section, click Edit.

  5. In the Advanced settings section:

    • Check the enable box under Log file validation.
    • Click Save to save your changes.

From the command line

  1. Update target trail with the following command:

    aws cloudtrail update-trail --name <trail_name> \
    --enable-log-file-validation
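Two checks that follow from the description above, as an added example that is not part of this page or of the AWS tooling: finding trails whose describe-trails output lacks LogFileValidationEnabled, and recomputing the SHA-256 hashes listed in a digest file's logFiles array against the stored (gzip-compressed) log objects. The trail names, bucket keys and digest contents are constructed samples; the digest's own RSA signature is assumed to be verified separately and is not checked here.

```python
import gzip
import hashlib
import json

# Constructed sample: the shape of `aws cloudtrail describe-trails` output (trimmed).
SAMPLE_DESCRIBE_TRAILS = {"trailList": [
    {"Name": "management-events", "HomeRegion": "us-east-1", "LogFileValidationEnabled": True},
    {"Name": "legacy-trail", "HomeRegion": "us-west-2", "LogFileValidationEnabled": False},
]}

def trails_without_validation(describe_trails_response):
    """Names of trails that fail this rule: validation off, or the field absent."""
    return [t["Name"] for t in describe_trails_response.get("trailList", [])
            if not t.get("LogFileValidationEnabled", False)]

# Constructed sample S3 contents: CloudTrail stores each log file gzip-compressed,
# and the digest's hashValue is the SHA-256 of those stored (compressed) bytes.
INTACT_LOG = gzip.compress(json.dumps({"Records": [{"eventName": "ConsoleLogin"}]}).encode(), mtime=0)
TAMPERED_LOG = gzip.compress(json.dumps({"Records": []}).encode(), mtime=0)  # record removed
SAMPLE_BUCKET = {"AWSLogs/1/CloudTrail/a.json.gz": INTACT_LOG,
                 "AWSLogs/1/CloudTrail/b.json.gz": TAMPERED_LOG}

def _entry(key, data):
    return {"s3Bucket": "example-trail-bucket", "s3Object": key,
            "hashValue": hashlib.sha256(data).hexdigest(), "hashAlgorithm": "SHA-256"}

# Constructed digest: only the logFiles array of a real digest file is modelled here;
# the digest's own signature (digestSignatureAlgorithm SHA256withRSA) is not checked.
SAMPLE_DIGEST = {"awsAccountId": "111111111111", "logFiles": [
    _entry("AWSLogs/1/CloudTrail/a.json.gz", INTACT_LOG),
    _entry("AWSLogs/1/CloudTrail/b.json.gz", INTACT_LOG),  # digest written before tampering
    _entry("AWSLogs/1/CloudTrail/c.json.gz", INTACT_LOG),  # object later deleted
]}

def verify_digest_log_hashes(digest, fetch_object):
    """Recompute the hash of every log file a digest lists.
    fetch_object(bucket, key) returns the stored bytes, or None if the object is gone.
    Returns {s3Object: "ok" | "modified" | "missing"}."""
    results = {}
    for entry in digest["logFiles"]:
        if entry.get("hashAlgorithm") != "SHA-256":
            raise ValueError(f"unexpected hash algorithm: {entry.get('hashAlgorithm')}")
        data = fetch_object(entry["s3Bucket"], entry["s3Object"])
        if data is None:
            results[entry["s3Object"]] = "missing"
        elif hashlib.sha256(data).hexdigest() == entry["hashValue"]:
            results[entry["s3Object"]] = "ok"
        else:
            results[entry["s3Object"]] = "modified"
    return results

if __name__ == "__main__":
    print(trails_without_validation(SAMPLE_DESCRIBE_TRAILS))
    print(verify_digest_log_hashes(SAMPLE_DIGEST, lambda bucket, key: SAMPLE_BUCKET.get(key)))
```

Against real data, fetch_object would read from S3 and the digest would first be checked against its signature; the hash comparison alone distinguishes an intact, a modified and a deleted log file.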
    

Default value

Not Enabled

References

  1. http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html