CloudTrail log file validation should be enabled


Description

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. Use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. You should enable file validation on all CloudTrails.
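
The hash comparison that a digest file enables, as an added illustration that is not part of this page or of AWS's own tooling (`aws cloudtrail validate-logs` performs the complete check, including the digest's RSA signature, which this snippet leaves out). The bucket keys and log bytes are constructed, and only the `logFiles` portion of the digest format is modelled.

```python
import hashlib
import hmac
import json

# Constructed sample: the bytes of three log objects exactly as CloudTrail
# delivered them to S3 (real objects are gzipped JSON; the hash covers the
# stored bytes, so plain strings are enough to illustrate the check).
DELIVERED = {
    "example-bucket/CloudTrail/a.json.gz": b"original log A",
    "example-bucket/CloudTrail/b.json.gz": b"original log B",
    "example-bucket/CloudTrail/c.json.gz": b"original log C",
}

def make_digest(objects):
    """Record the logFiles section of a digest at delivery time. A real digest
    also carries account id, time window, previous-digest link and signature data."""
    log_files = []
    for key, data in objects.items():
        bucket, obj = key.split("/", 1)
        log_files.append({"s3Bucket": bucket, "s3Object": obj,
                          "hashAlgorithm": "SHA-256",
                          "hashValue": hashlib.sha256(data).hexdigest()})
    return json.dumps({"logFiles": log_files})

def verify_log_files(digest_json, current_objects):
    """Re-hash what is in the bucket now; classify each listed log as
    unchanged, changed or deleted relative to the digest."""
    status = {}
    for entry in json.loads(digest_json)["logFiles"]:
        key = f'{entry["s3Bucket"]}/{entry["s3Object"]}'
        if entry["hashAlgorithm"] != "SHA-256":
            raise ValueError(f"unsupported hash algorithm for {key}")
        data = current_objects.get(key)
        if data is None:
            status[key] = "deleted"
        elif hmac.compare_digest(hashlib.sha256(data).hexdigest(), entry["hashValue"]):
            status[key] = "unchanged"
        else:
            status[key] = "changed"
    return status

def check_sample():
    """Simulate tampering after delivery: b.json.gz rewritten, c.json.gz removed."""
    digest = make_digest(DELIVERED)
    now = dict(DELIVERED)
    now["example-bucket/CloudTrail/b.json.gz"] = b"edited log B"
    del now["example-bucket/CloudTrail/c.json.gz"]
    return verify_log_files(digest, now)
```

Calling `check_sample()` returns `unchanged`, `changed` and `deleted` for the three keys respectively; without the digest recorded at delivery time there is nothing to compare the bucket contents against.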

Rationale

Enabling log file validation will provide additional integrity checking of CloudTrail logs.

Remediation

Perform the following to enable log file validation on a given trail.

From the console

  1. Open the IAM console.

  2. Click Trails in the left navigation pane.

  3. Select the target trail.

  4. In the General details section, click Edit.

  5. In the Advanced settings section:

    • Check the enable box under Log file validation.
    • Click Save to save your changes.

From the command line

  1. Update the target trail with the following command:

    aws cloudtrail update-trail --name <trail_name> \
    --enable-log-file-validation

Default value

Not Enabled
