Set up the cloudtrail integration.
CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. Use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. You should enable file validation on all CloudTrails.
Enabling log file validation will provide additional integrity checking of CloudTrail logs.
See the CIS AWS Foundations Benchmark controls docs for console remediation steps.
6 Maintenance, Monitoring, and Analysis of Audit Logs