---
title: CloudTrail log file validation disabled
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > CloudTrail log file validation disabled
---

# CloudTrail log file validation disabled

## Metadata{% #metadata %}

**Id:** `terraform-aws-cloudtrail-log-file-validation-disabled`

**Provider:** AWS

**Platform:** Terraform

**Severity:** Low

**Category:** Observability

#### Learn More{% #learn-more %}

- [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#enable_log_file_validation)

### Description{% #description %}

CloudTrail log file validation should be enabled by setting the `enable_log_file_validation` attribute to `true` in the `aws_cloudtrail` resource. With validation on, CloudTrail computes and stores a hash for every log file it delivers, so any tampering with or unauthorized modification of a log file can be detected afterwards. If log file validation is not enabled, malicious actors could alter or delete logs without detection, undermining the integrity of the audit trail and hampering forensic investigations. Note that omitting the attribute is equivalent to disabling validation, so it must be set explicitly.

```terraform
resource "aws_cloudtrail" "example" {
  name                       = "example"
  s3_bucket_name             = "bucketlog"
  enable_log_file_validation = true
}
```

## Compliant Code Examples{% #compliant-code-examples %}

```terraform
resource "aws_cloudtrail" "negative1" {
  name                          = "negative1"
  s3_bucket_name                = "bucketlog1"
  enable_log_file_validation    = true
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```terraform
resource "aws_cloudtrail" "positive1" {
  name                          = "positive1"
  s3_bucket_name                = "bucketlog1"
}

resource "aws_cloudtrail" "positive2" {
  name                          = "positive2"
  s3_bucket_name                = "bucketlog2"
  enable_log_file_validation    = false
}
```
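As an added example (not Datadog's own rule implementation), the following Python checker applies this rule's logic to a Terraform file: every `aws_cloudtrail` resource whose `enable_log_file_validation` is missing or not literally `true` is reported. It assumes flat resource bodies like the ones on this page (no nested blocks) and uses the compliant and non-compliant snippets above as constructed sample input.

```python
"""Flag aws_cloudtrail resources without enable_log_file_validation = true."""
import re
from typing import List

# Matches a top-level resource block. Assumption: bodies contain no nested
# blocks, which holds for the examples on this page.
_RESOURCE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^{}]*)\}',
    re.DOTALL,
)
# Captures the attribute's value token (e.g. true / false / a variable ref).
_ATTR = re.compile(
    r"^\s*enable_log_file_validation\s*=\s*(?P<value>\S+)", re.MULTILINE
)

# Constructed sample: the page's compliant + non-compliant resources plus an
# unrelated resource that must be ignored.
SAMPLE_HCL = '''
resource "aws_cloudtrail" "negative1" {
  name                          = "negative1"
  s3_bucket_name                = "bucketlog1"
  enable_log_file_validation    = true
}

resource "aws_cloudtrail" "positive1" {
  name                          = "positive1"
  s3_bucket_name                = "bucketlog1"
}

resource "aws_cloudtrail" "positive2" {
  name                          = "positive2"
  s3_bucket_name                = "bucketlog2"
  enable_log_file_validation    = false
}

resource "aws_s3_bucket" "logs" {
  bucket = "bucketlog1"
}
'''


def find_violations(hcl: str) -> List[str]:
    """Return addresses (type.name) of aws_cloudtrail resources that fail."""
    violations = []
    for m in _RESOURCE.finditer(hcl):
        if m.group("type") != "aws_cloudtrail":
            continue  # rule only applies to CloudTrail trails
        attr = _ATTR.search(m.group("body"))
        value = attr.group("value") if attr else None
        if value != "true":  # missing attribute (provider default) or false
            violations.append(f'{m.group("type")}.{m.group("name")}')
    return violations
```

Running `find_violations(SAMPLE_HCL)` reports `positive1` and `positive2` and leaves `negative1` alone; a value that is a variable reference rather than a literal `true` is also reported, which is the conservative choice for a static check.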
