For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-cloudtrail-log-file-validation-disabled.md.
CloudTrail log file validation must be enabled so that tampering with, or unauthorized modification of, delivered log files can be detected, and so that forensic investigations and compliance audits can rely on the logs. The EnableLogFileValidation property on AWS::CloudTrail::Trail resources must be defined and set to true. Resources that omit EnableLogFileValidation, or that set it to false, are flagged as a security risk. With validation enabled, CloudTrail writes digest files alongside the log files; those digests are what allow the integrity of the log files stored in the S3 bucket to be verified after delivery.
Compliant Code Examples

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  S3Bucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties: {}
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AWSCloudTrailAclCheck"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}
          - Sid: "AWSCloudTrailWrite"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint:
            Ref: OperatorEmail
          Protocol: email
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - Ref: "Topic"
      PolicyDocument:
        Version: "2008-10-17"
        Statement:
          - Sid: "AWSCloudTrailSNSPolicy"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Resource: "*"
            Action: "SNS:Publish"
  myTrail:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      EnableLogFileValidation: true
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: true
      IsMultiRegionTrail: true
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "OperatorEmail": {
      "Type": "String",
      "Description": "Email address to notify when new logs are published."
    }
  },
  "Resources": {
    "BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": { "Ref": "S3Bucket" },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailAclCheck",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Action": "s3:GetBucketAcl",
              "Resource": { "Fn::Sub": "arn:aws:s3:::${S3Bucket}" }
            },
            {
              "Sid": "AWSCloudTrailWrite",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Action": "s3:PutObject",
              "Resource": { "Fn::Sub": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*" },
              "Condition": {
                "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
              }
            }
          ]
        }
      }
    },
    "Topic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          { "Endpoint": { "Ref": "OperatorEmail" }, "Protocol": "email" }
        ]
      }
    },
    "TopicPolicy": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "Topics": [ { "Ref": "Topic" } ],
        "PolicyDocument": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailSNSPolicy",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Resource": "*",
              "Action": "SNS:Publish"
            }
          ]
        }
      }
    },
    "myTrail": {
      "DependsOn": [ "BucketPolicy", "TopicPolicy" ],
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "IsLogging": true,
        "IsMultiRegionTrail": true,
        "EnableLogFileValidation": true,
        "S3BucketName": { "Ref": "S3Bucket" },
        "SnsTopicName": { "Fn::GetAtt": [ "Topic", "TopicName" ] }
      }
    },
    "S3Bucket": {
      "DeletionPolicy": "Retain",
      "Type": "AWS::S3::Bucket",
      "Properties": {}
    }
  }
}
```
Non-Compliant Code Examples
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  S3Bucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties: {}
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AWSCloudTrailAclCheck"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}
          - Sid: "AWSCloudTrailWrite"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint:
            Ref: OperatorEmail
          Protocol: email
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - Ref: "Topic"
      PolicyDocument:
        Version: "2008-10-17"
        Statement:
          - Sid: "AWSCloudTrailSNSPolicy"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Resource: "*"
            Action: "SNS:Publish"
  # Non-compliant: EnableLogFileValidation is omitted entirely
  myTrail:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: true
      IsMultiRegionTrail: true
  # Non-compliant: EnableLogFileValidation is explicitly disabled
  myTrail2:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      EnableLogFileValidation: false
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: true
      IsMultiRegionTrail: true
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "OperatorEmail": {
      "Description": "Email address to notify when new logs are published.",
      "Type": "String"
    }
  },
  "Resources": {
    "S3Bucket": {
      "DeletionPolicy": "Retain",
      "Type": "AWS::S3::Bucket",
      "Properties": {}
    },
    "BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": { "Ref": "S3Bucket" },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailAclCheck",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Action": "s3:GetBucketAcl",
              "Resource": { "Fn::Sub": "arn:aws:s3:::${S3Bucket}" }
            },
            {
              "Sid": "AWSCloudTrailWrite",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Action": "s3:PutObject",
              "Resource": { "Fn::Sub": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*" },
              "Condition": {
                "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
              }
            }
          ]
        }
      }
    },
    "Topic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          { "Endpoint": { "Ref": "OperatorEmail" }, "Protocol": "email" }
        ]
      }
    },
    "TopicPolicy": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "Topics": [ { "Ref": "Topic" } ],
        "PolicyDocument": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailSNSPolicy",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Resource": "*",
              "Action": "SNS:Publish"
            }
          ]
        }
      }
    },
    "myTrail": {
      "DependsOn": [ "BucketPolicy", "TopicPolicy" ],
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "IsMultiRegionTrail": true,
        "S3BucketName": { "Ref": "S3Bucket" },
        "SnsTopicName": { "Fn::GetAtt": [ "Topic", "TopicName" ] },
        "IsLogging": true
      }
    },
    "myTrail2": {
      "DependsOn": [ "BucketPolicy", "TopicPolicy" ],
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "EnableLogFileValidation": false,
        "S3BucketName": { "Ref": "S3Bucket" },
        "SnsTopicName": { "Fn::GetAtt": [ "Topic", "TopicName" ] },
        "IsLogging": true,
        "IsMultiRegionTrail": true
      }
    }
  }
}
```
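The following is an added example of how the rule above can be implemented as a standalone static check; it is not Datadog's own rule code. It walks a parsed CloudFormation template, looks only at AWS::CloudTrail::Trail resources, and reports three distinct findings: the property is missing, the property is literally false, or the property is an intrinsic function (for example a Ref to a parameter) whose value cannot be decided from the template alone. The two templates embedded at the bottom are constructed for this example and trimmed to the resources the rule inspects; they are given in JSON so the example needs only the Python standard library (the YAML form on this page is equivalent, and CloudFormation also accepts the strings "true"/"false" for Boolean properties, which the check normalises).

```python
"""Static check for the rule above: every AWS::CloudTrail::Trail must set
EnableLogFileValidation to true. Example checker, not Datadog's code."""
import json

TRAIL_TYPE = "AWS::CloudTrail::Trail"
PROPERTY = "EnableLogFileValidation"


def _as_bool(value):
    """Normalise a CloudFormation Boolean property.

    CloudFormation accepts true/false or the strings "true"/"false".
    Anything else (e.g. {"Ref": ...} or {"Fn::If": ...}) is an intrinsic
    function that cannot be resolved statically, so None is returned.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    return None


def find_violations(template):
    """Return [(logical_id, reason), ...] for every trail failing the rule.

    Resources of other types are ignored. Dict iteration order follows the
    template, so findings come back in declaration order.
    """
    violations = []
    for logical_id, resource in template.get("Resources", {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != TRAIL_TYPE:
            continue
        props = resource.get("Properties") or {}
        if PROPERTY not in props:
            violations.append((logical_id, f"{PROPERTY} is not defined"))
            continue
        enabled = _as_bool(props[PROPERTY])
        if enabled is None:
            violations.append(
                (logical_id, f"{PROPERTY} is not a literal boolean and cannot be verified statically")
            )
        elif not enabled:
            violations.append((logical_id, f"{PROPERTY} is set to false"))
    return violations


# Constructed sample templates (not from the page): only the resources the
# rule inspects are kept; bucket-policy and SNS plumbing is omitted.
COMPLIANT = json.loads("""{
  "Resources": {
    "S3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "myTrail": {
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "EnableLogFileValidation": true,
        "S3BucketName": {"Ref": "S3Bucket"},
        "IsLogging": true,
        "IsMultiRegionTrail": true
      }
    }
  }
}""")

NON_COMPLIANT = json.loads("""{
  "Parameters": {"ValidationFlag": {"Type": "String", "Default": "false"}},
  "Resources": {
    "S3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "myTrail": {
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {"S3BucketName": {"Ref": "S3Bucket"}, "IsLogging": true}
    },
    "myTrail2": {
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {"EnableLogFileValidation": false, "S3BucketName": {"Ref": "S3Bucket"}}
    },
    "myTrail3": {
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {"EnableLogFileValidation": {"Ref": "ValidationFlag"}, "S3BucketName": {"Ref": "S3Bucket"}}
    }
  }
}""")

if __name__ == "__main__":
    for name, template in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        for logical_id, reason in find_violations(template):
            print(f"[{name}] {logical_id}: {reason}")
```

The third finding (a Ref or other intrinsic as the property value) is deliberately reported rather than silently accepted: a parameter that defaults to "false" would pass a naive "property is present" check while still deploying a trail without digests. The check only covers what the template declares; whether already delivered log files are intact is a separate question, answered at runtime with the AWS CLI's `aws cloudtrail validate-logs` command against the trail's digest files.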
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```