Profile Applicability: Level 2

Description: 

CloudTrail log file validation creates a digitally signed digest file containing a SHA-256 hash of each log file that CloudTrail delivers to the trail's S3 bucket. CloudTrail writes a digest file every hour under a CloudTrail-Digest prefix in the same bucket. These digest files can be used to determine whether a log file was modified, deleted, or left unchanged after CloudTrail delivered it. It is recommended that log file validation be enabled on all trails.


Rationale: 

Log file validation is built on industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for the digital signature on each digest file. Each digest also records the hash and signature of the previous digest, so the digests form a chain. This makes it computationally infeasible to modify, delete, or forge CloudTrail log files without detection, provided the digest files are actually checked (for example with aws cloudtrail validate-logs). Validation detects tampering after the fact; it does not prevent it, so access controls on the log bucket still matter.
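How the digest mechanism is checked in practice, as an added example that is not part of this page or of AWS's own tooling: the Python below re-implements the documented validation steps offline (hash of the decompressed log file, digest chaining, and the exact string the RSA signature covers) against a constructed two-digest chain. The bucket name, S3 keys, account id and the placeholder previous-signature hex are assumptions; a real check fetches the objects and the x-amz-meta-signature metadata from the trail bucket and the public key from `aws cloudtrail list-public-keys`.

```python
"""Offline check of a CloudTrail digest against the log files it lists, mirroring
`aws cloudtrail validate-logs`: SHA-256 of each DECOMPRESSED log file must match
hashValue, previousDigestHashValue must be SHA-256 of the previous digest file,
and the digest signature (S3 metadata x-amz-meta-signature, RSA with SHA-256)
covers string_to_sign(). Bucket, keys and account id below are placeholders."""
import gzip
import hashlib
import json
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_log_file(gz_bytes: bytes) -> str:
    # CloudTrail hashes the inflated log content, not the .gz object itself.
    return sha256_hex(gzip.decompress(gz_bytes))


def check_log_files(digest: dict, objects: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """(s3Object, problem) for each listed log that is missing (deleted) or whose
    hash differs (modified). `objects`: S3 key -> gzipped bytes from the bucket."""
    problems = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if entry["hashAlgorithm"] != "SHA-256":
            problems.append((key, "unexpected hash algorithm"))
        elif key not in objects:
            problems.append((key, "missing"))
        elif hash_log_file(objects[key]) != entry["hashValue"]:
            problems.append((key, "hash mismatch"))
    return problems


def check_chain(digest: dict, previous_digest: Optional[bytes]) -> bool:
    """A first digest has no predecessor; otherwise the predecessor's hash must
    match, so a removed or replaced digest file breaks the chain."""
    if digest.get("previousDigestS3Object") is None:
        return previous_digest is None
    return previous_digest is not None and (
        sha256_hex(previous_digest) == digest["previousDigestHashValue"])


def string_to_sign(digest: dict, digest_bytes: bytes) -> str:
    """Data covered by the digest signature (AWS custom validation docs); the
    literal 'null' for a first digest follows the AWS CLI's behaviour."""
    prev_sig = digest.get("previousDigestSignature") or "null"
    return "%s\n%s/%s\n%s\n%s" % (digest["digestEndTime"], digest["digestS3Bucket"],
                                  digest["digestS3Object"], sha256_hex(digest_bytes), prev_sig)


def verify_signature(digest: dict, digest_bytes: bytes,
                     signature_hex: str, public_key_der: bytes) -> bool:
    """RSA PKCS#1 v1.5 / SHA-256 check. public_key_der is the base64-decoded Value
    from `aws cloudtrail list-public-keys` whose Fingerprint equals the digest's
    digestPublicKeyFingerprint. Needs `cryptography`; not run by the sample."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_der_public_key(public_key_der)
    try:
        key.verify(bytes.fromhex(signature_hex), string_to_sign(digest, digest_bytes).encode(),
                   padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


# Constructed sample: two tiny log files and a two-digest chain (placeholders).
BUCKET = "example-trail-bucket"
LOG_PREFIX = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/"
DIGEST_PREFIX = "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2024/01/01/"
LOG_A = json.dumps({"Records": [{"eventName": "ConsoleLogin"}]}).encode()
LOG_B = json.dumps({"Records": [{"eventName": "UpdateTrail"}]}).encode()


def tampered(log: bytes, old: bytes, new: bytes) -> bytes:
    """Gzipped copy of a log with one value edited, to simulate modification."""
    return gzip.compress(log.replace(old, new))


def make_sample():
    """(objects, (digest1, bytes1), (digest2, bytes2)); hashes computed here."""
    objects = {LOG_PREFIX + "log-a.json.gz": gzip.compress(LOG_A),
               LOG_PREFIX + "log-b.json.gz": gzip.compress(LOG_B)}
    key_a, key_b = objects

    def entry(key):
        return {"s3Bucket": BUCKET, "s3Object": key, "hashAlgorithm": "SHA-256",
                "hashValue": hash_log_file(objects[key])}
    digest1 = {"awsAccountId": "111122223333", "digestEndTime": "2024-01-01T01:00:00Z",
               "digestS3Bucket": BUCKET, "digestS3Object": DIGEST_PREFIX + "d1.json.gz",
               "digestSignatureAlgorithm": "SHA256withRSA", "previousDigestS3Object": None,
               "previousDigestHashValue": None, "previousDigestSignature": None,
               "logFiles": [entry(key_a)]}
    bytes1 = json.dumps(digest1).encode()
    digest2 = {**digest1, "digestEndTime": "2024-01-01T02:00:00Z",
               "digestS3Object": DIGEST_PREFIX + "d2.json.gz",
               "previousDigestS3Object": digest1["digestS3Object"],
               "previousDigestHashValue": sha256_hex(bytes1),
               "previousDigestSignature": "ab" * 128,  # placeholder, not a real signature
               "logFiles": [entry(key_b)]}
    return objects, (digest1, bytes1), (digest2, json.dumps(digest2).encode())
```

In practice you would run `aws cloudtrail validate-logs --trail-arn <arn> --start-time <time>`; the value of writing the steps out is seeing what the digest actually binds. A modified or deleted log file shows up as a hash problem, a removed digest breaks the chain, and the signed string includes the digest's own S3 path and end time, so a genuine digest cannot be moved to another key or replayed for a different hour.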


Impact:

Enabling log file validation adds integrity checking to CloudTrail logs: each hourly digest lets an investigator prove that a log file is exactly what CloudTrail delivered, or show that it was altered or removed. Validated log files are invaluable in security and forensic investigations. Validation only covers log files delivered after it is enabled, so it must be in place before an incident, not turned on during one.


Default Value: 

In the console, the Log file validation check box is selected by default when a trail is created. Trails created with the AWS CLI or API (create-trail) have validation disabled unless --enable-log-file-validation is passed, so trails created by scripts or infrastructure-as-code tooling are the ones most likely to be missing it.


Pre-Requisite:  

  1. Sign in as an administrator or as an IAM principal with the cloudtrail:DescribeTrails, cloudtrail:GetTrailStatus and cloudtrail:UpdateTrail permissions
  2. An existing trail with its S3 bucket (log file validation is a setting on the trail, so both must already exist)


Remediation:


Test Plan:

  1. Sign in to the AWS Management Console

  2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail

  3. Click on Trails on the left navigation pane 

  4. Click on the trail you want to examine

  5. Under General details, check whether Log file validation shows Enabled or Disabled

If log file validation is disabled, follow the Implementation steps.


Using AWS CLI:

The following command shows whether log file validation is enabled: read the LogFileValidationEnabled field (true or false) for the trail in the output. The name management-events is a placeholder; use the same trail name (or its ARN) in every command on this page. The get-trail-status command's LatestDigestDeliveryTime and LatestDigestDeliveryError fields then confirm that digest files are actually being delivered, since a trail that is not logging writes no digests even with validation enabled.

aws cloudtrail describe-trails --trail-name-list management-events


Implementation steps:

  1. Sign in to the AWS Management Console 

  2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail

  3. Click on Trails on the left navigation pane 

  4. Click the trail you want to modify and select Edit

  5. Under Additional settings at the bottom, select the Log file validation check box

  6. Click Save changes

 

Using AWS CLI :

Command to enable log file validation on the trail (management-events is a placeholder for the trail name):

aws cloudtrail update-trail --name management-events --enable-log-file-validation
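As an added example (not CLI output from this page, and not AWS or CIS code), the Python below performs the Test Plan and Implementation steps with the boto3 CloudTrail API for every trail in a region, and also reads get_trail_status, because a trail can show validation enabled while no digest is being delivered. It runs offline against a constructed fake client; the trail names, ARNs and account id are placeholders, and live_client() is the only part that needs boto3 and credentials.

```python
"""Audit trails in the current region for CloudTrail log file validation and
enable it where it is off, via the boto3 CloudTrail API (describe_trails,
get_trail_status, update_trail). Runs offline against the constructed
FakeCloudTrail below; names, ARNs and the account id are placeholders."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


@dataclass
class TrailFinding:
    name: str
    arn: str
    validation_enabled: bool
    is_logging: bool
    latest_digest_delivery_time: Optional[Any]  # None: no digest delivered yet
    latest_digest_delivery_error: str


def audit_trails(ct) -> List[TrailFinding]:
    """`ct` is a boto3 CloudTrail client or anything with the same methods.
    includeShadowTrails=False keeps the scan to trails whose home region is the
    client's region, which is where update_trail has to be called."""
    findings = []
    for t in ct.describe_trails(includeShadowTrails=False)["trailList"]:
        status = ct.get_trail_status(Name=t["TrailARN"])
        findings.append(TrailFinding(
            name=t["Name"], arn=t["TrailARN"],
            validation_enabled=bool(t.get("LogFileValidationEnabled", False)),
            is_logging=bool(status.get("IsLogging", False)),
            latest_digest_delivery_time=status.get("LatestDigestDeliveryTime"),
            latest_digest_delivery_error=status.get("LatestDigestDeliveryError", "")))
    return findings


def needs_attention(f: TrailFinding) -> List[str]:
    """Reasons a trail fails the control. The checkbox alone is not enough: if
    validation is on but no digest has ever been delivered, or the last delivery
    failed, the integrity chain is not actually being written."""
    reasons = []
    if not f.validation_enabled:
        reasons.append("log file validation disabled")
        return reasons
    if f.is_logging and f.latest_digest_delivery_time is None:
        reasons.append("validation enabled but no digest delivered yet")
    if f.latest_digest_delivery_error:
        reasons.append("digest delivery error: " + f.latest_digest_delivery_error)
    return reasons


def remediate(ct, findings: List[TrailFinding], dry_run: bool = True) -> List[str]:
    """Enable validation on every trail that lacks it. Returns the ARNs that were
    (or, with dry_run, would be) changed."""
    changed = []
    for f in findings:
        if f.validation_enabled:
            continue
        if not dry_run:
            ct.update_trail(Name=f.arn, EnableLogFileValidation=True)
        changed.append(f.arn)
    return changed


class FakeCloudTrail:
    """Constructed stand-in for boto3.client('cloudtrail'): one compliant trail,
    one with validation off. update_trail calls are recorded in .updated."""
    ARN = "arn:aws:cloudtrail:us-east-1:111122223333:trail/"

    def __init__(self):
        self.trails = [
            {"Name": "management-events", "TrailARN": self.ARN + "management-events",
             "HomeRegion": "us-east-1", "LogFileValidationEnabled": True},
            {"Name": "data-events", "TrailARN": self.ARN + "data-events",
             "HomeRegion": "us-east-1", "LogFileValidationEnabled": False}]
        self.updated: List[Dict[str, Any]] = []

    def describe_trails(self, includeShadowTrails=True):
        return {"trailList": [dict(t) for t in self.trails]}

    def get_trail_status(self, Name):
        delivered = Name.endswith("management-events")
        return {"IsLogging": True, "LatestDigestDeliveryError": "",
                "LatestDigestDeliveryTime": "2024-01-01T01:00:00Z" if delivered else None}

    def update_trail(self, Name, **kwargs):
        for t in self.trails:
            if Name in (t["TrailARN"], t["Name"]):
                if "EnableLogFileValidation" in kwargs:
                    t["LogFileValidationEnabled"] = kwargs["EnableLogFileValidation"]
                self.updated.append({"Name": Name, **kwargs})
                return dict(t)
        raise KeyError("TrailNotFoundException: " + Name)


def live_client(region: str):
    """Real client; boto3 is imported lazily so the sample runs without it."""
    import boto3
    return boto3.client("cloudtrail", region_name=region)


if __name__ == "__main__":
    ct = FakeCloudTrail()  # use live_client("us-east-1") to run against an account
    findings = audit_trails(ct)
    for f in findings:
        print(f.name, needs_attention(f) or ["ok"])
    print("enabled on:", remediate(ct, findings, dry_run=False))
```

Run it once with dry_run=True to get the list of non-compliant trails for a change record, then with dry_run=False. The first digest for a newly enabled trail arrives within the hour, so a "no digest delivered yet" finding immediately after remediation is expected; the same finding on a trail that has been enabled for days means digest delivery is failing and the bucket policy should be checked.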


Backout Plan:

  1. Sign in to the AWS Management Console   

  2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail

  3. Click on Trails on the left navigation pane 

  4. Click the target trail, select Edit, and go to Additional settings

  5. Clear the Log file validation check box and click Save changes

Disabling validation stops digest file delivery and breaks the digest chain. Digest files already delivered remain in the bucket, but re-enabling validation later starts a new chain rather than continuing the old one.

Using AWS CLI:

Command to disable log file validation:

aws cloudtrail update-trail --name management-events --no-enable-log-file-validation


Reference: 

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html 


CIS Controls:

6 Maintenance, Monitoring, and Analysis of Audit Logs 