CloudTrail log file validation should be enabled

Description

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log file that CloudTrail writes to S3. Use these digest files to determine whether a log file was changed, deleted, or left unchanged after CloudTrail delivered it. You should enable log file validation on all trails.

Rationale

Enabling log file validation provides additional integrity checking of CloudTrail logs, so that modification or deletion of a delivered log file can be detected.

Remediation

Perform the following to enable log file validation on a given trail.

From the console

  1. Open the IAM console.

  2. Click Trails in the left navigation pane.

  3. Select the target trail.

  4. In the General details section, click Edit.

  5. In the Advanced settings section:

    • Check the enable box under Log file validation.
    • Click Save to save your changes.

From the command line

  1. Update target trail with the following command:

    aws cloudtrail update-trail --name <trail_name> \
    --enable-log-file-validation

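The console and command-line steps above fix one trail at a time. As an added example (not part of the benchmark text), the following Python audits the output of `aws cloudtrail describe-trails` (or boto3 `describe_trails()`) for trails whose `LogFileValidationEnabled` flag is not true and renders the `update-trail` command from the Remediation section for each one. The sample response, trail names, bucket names and account id are constructed for illustration; the response field names follow the real `describe-trails` output.

```python
"""Audit trails for log file validation and build the remediation commands.

Added example, not part of the benchmark text. The response shape follows
`aws cloudtrail describe-trails`; the trail names, bucket names and account
id below are constructed for illustration.
"""
import shlex

# Constructed sample: what describe-trails returns for an account with one
# compliant trail, one explicitly non-compliant trail, and one trail whose
# response omits the flag entirely.
SAMPLE_DESCRIBE_TRAILS = {
    "trailList": [
        {
            "Name": "org-audit-trail",
            "S3BucketName": "example-cloudtrail-logs",
            "IsMultiRegionTrail": True,
            "LogFileValidationEnabled": True,
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-audit-trail",
        },
        {
            "Name": "legacy-trail",
            "S3BucketName": "example-legacy-logs",
            "IsMultiRegionTrail": False,
            "LogFileValidationEnabled": False,
            "TrailARN": "arn:aws:cloudtrail:us-west-2:111111111111:trail/legacy-trail",
        },
        {
            # No LogFileValidationEnabled key at all: the audit treats it as disabled.
            "Name": "no-flag-trail",
            "S3BucketName": "example-other-logs",
            "TrailARN": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/no-flag-trail",
        },
    ]
}


def trails_without_validation(describe_trails_response):
    """Return the ARNs of trails whose LogFileValidationEnabled is not true.

    A missing key is treated as not enabled so the audit fails closed.
    The ARN is returned rather than the Name because update-trail accepts
    either, and the ARN is unambiguous for a trail homed in another region.
    """
    return [
        trail["TrailARN"]
        for trail in describe_trails_response.get("trailList", [])
        if trail.get("LogFileValidationEnabled") is not True
    ]


def remediation_command(trail_arn):
    """Build the update-trail command from the Remediation section for one trail."""
    return ["aws", "cloudtrail", "update-trail",
            "--name", trail_arn, "--enable-log-file-validation"]


def remediation_script(describe_trails_response):
    """Render one shell-quoted update-trail line per non-compliant trail."""
    return "\n".join(
        shlex.join(remediation_command(arn))
        for arn in trails_without_validation(describe_trails_response)
    )


if __name__ == "__main__":
    # Offline run against the constructed sample.
    print(remediation_script(SAMPLE_DESCRIBE_TRAILS))
    # Live run (assumes boto3 and AWS credentials; describe_trails is read-only):
    #   import boto3
    #   print(remediation_script(boto3.client("cloudtrail").describe_trails()))
```

Two caveats when using this against a real account: `describe-trails` run in one region also lists multi-region trails homed elsewhere, and those must be updated by ARN rather than by name; and digest files are produced only for log files delivered after validation is enabled, so earlier files cannot be verified retroactively. Once the flag is set, the delivered digests can be checked with `aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <timestamp>`.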
Default value

Not Enabled

References

  1. http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html