Profile Applicability: Level 2

Description: 

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log file that CloudTrail writes to S3. Digest files are delivered to the same bucket as the logs, and each one also carries the signature of the previous digest, so the digests form a chain. These digest files can be used to determine whether a log file was modified, deleted, or left unchanged after CloudTrail delivered it. It is recommended that log file validation be enabled on all trails.


Rationale: 

Log file validation is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. Note that validation detects tampering after the fact; it does not prevent it, so it should be combined with restrictive bucket policies on the log bucket.


Impact:

Enabling log file validation provides additional integrity checking of CloudTrail logs. Validated log files are invaluable in security and forensic investigations, because an investigator can prove that the logs being examined are the ones CloudTrail delivered.


Default Value: 

When a trail is created in the AWS Management Console, log file validation is enabled by default. When a trail is created with the AWS CLI or API, it is disabled unless explicitly requested (for example with --enable-log-file-validation), so trails created by scripts or infrastructure-as-code tooling should be checked.


Audit:

  1. Sign in to the AWS Management Console

  2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail

  3. Click on Trails in the left navigation pane

  4. Click on the trail you want to examine

  5. In the General details section, check whether Log file validation shows Enabled or Disabled

Repeat for every trail, including trails whose home region is not the one currently selected. If log file validation is disabled on any trail, follow the Implementation steps.


Remediation:

Pre-Requisite:  

  1. Sign in as an administrator or as an IAM principal with the cloudtrail:UpdateTrail permission

  2. The trail must already deliver logs to an S3 bucket; digest files are written to the same bucket

Implementation steps:

  1. Sign in to the AWS Management Console

  2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail

  3. Click on Trails in the left navigation pane

  4. Click on the trail you want to modify and select Edit

  5. Under Additional settings at the bottom of the page, check the Log file validation checkbox

  6. Click on Save changes

 

AWS CLI Method:

aws cloudtrail update-trail --name your-trail-name --enable-log-file-validation

The update-trail command must be run in the trail's home region (pass --region if your default region differs); CloudTrail rejects the call from any other region with InvalidHomeRegionException. The --name parameter accepts either the trail name or the trail ARN.
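The following script covers both the Audit and the Remediation steps above from the command line. It is an added example, not part of the benchmark text: it lists every trail visible from the current region (shadow trails included), reports those whose LogFileValidationEnabled flag is not true, prints the update-trail command for each one with the correct home region, and verifies a trail's digest chain with validate-logs once digests have been delivered. It assumes AWS CLI v2 and credentials permitted to call DescribeTrails, UpdateTrail and ValidateLogs; the sample trail ARNs and the function names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the benchmark text): audit trails for log file
# validation, emit remediation commands, and validate a digest chain.
# Assumes AWS CLI v2 and credentials with cloudtrail:DescribeTrails,
# cloudtrail:UpdateTrail and cloudtrail:ValidateLogs.

# Read "TrailARN<TAB>HomeRegion<TAB>LogFileValidationEnabled" lines on stdin
# (the --output text form of the describe-trails query in audit_trails) and
# print "TrailARN<TAB>HomeRegion" for every trail whose flag is not True.
# A missing flag is treated as non-compliant, which errs on the safe side.
find_unvalidated_trails() {
    while IFS="$(printf '\t')" read -r arn region enabled; do
        case "$enabled" in
            [Tt]rue) ;;
            *) printf '%s\t%s\n' "$arn" "$region" ;;
        esac
    done
}

# List trails including shadow trails (replicas of multi-region and
# organization trails), de-duplicated by ARN, and filter to the
# non-compliant ones. HomeRegion is requested because UpdateTrail must be
# called in the trail's home region.
audit_trails() {
    aws cloudtrail describe-trails --include-shadow-trails \
        --query 'trailList[].[TrailARN,HomeRegion,LogFileValidationEnabled]' \
        --output text | sort -u | find_unvalidated_trails
}

# Build the remediation command for one trail: $1 is the trail ARN, $2 its
# home region. The command is printed rather than executed so it can be
# reviewed first (pipe the output to sh to apply it).
remediation_command() {
    printf 'aws cloudtrail update-trail --region %s --name %s --enable-log-file-validation\n' "$2" "$1"
}

# Print a remediation command for every non-compliant trail.
remediate_all() {
    audit_trails | while IFS="$(printf '\t')" read -r arn region; do
        remediation_command "$arn" "$region"
    done
}

# Verify the digest chain of one trail from a given start time: $1 is the
# trail ARN, $2 its home region, $3 an ISO 8601 timestamp such as
# 2024-01-01T00:00:00Z. Digests are delivered roughly hourly, so run this
# after the first digest following remediation has arrived.
validate_trail() {
    aws cloudtrail validate-logs --region "$2" --trail-arn "$1" --start-time "$3"
}

# Dispatch: "audit" lists non-compliant trails, "remediate" prints the
# update-trail commands, "validate ARN REGION START" checks a digest chain.
case "${1:-}" in
    audit) audit_trails ;;
    remediate) remediate_all ;;
    validate) validate_trail "$2" "$3" "$4" ;;
esac
```

Run `sh trail-validation.sh audit` in each region that hosts trails; because describe-trails only returns trails visible from the calling region, a complete audit iterates over every enabled region. `sh trail-validation.sh remediate | sh` applies the fix after the printed commands have been reviewed.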


Backout Plan:

  1. Sign in to the AWS Management Console

  2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail

  3. Click on Trails in the left navigation pane

  4. Click on the target trail, select Edit, and go to Additional settings

  5. Uncheck the Log file validation checkbox and click on Save changes

Disabling validation stops digest delivery and breaks the digest chain; log files delivered while it is disabled cannot be validated afterwards, and re-enabling it starts a new chain.


Reference: 

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html 


CIS Controls:

6 Maintenance, Monitoring and Analysis of Audit Logs