Profile Applicability:
Level 2
Description:
AWS CloudTrail Log File Validation produces a cryptographic hash for every log file delivered to S3, so that unauthorized modification, deletion, or corruption of logs can be detected.
Why Enable Log File Validation?
Ensures log integrity – Detects tampering, deletions, and modifications.
Verifies that logs have not been altered post-delivery.
Essential for forensic investigations after security incidents.
Supports compliance audits (PCI DSS, SOC 2, ISO 27001).
CloudTrail Log File Validation is NOT enabled by default!
Rationale:
1. Protects against log tampering or deletion.
2. Provides cryptographic proof of log integrity.
3. Required for compliance with security best practices.
4. Improves forensic investigation capabilities.
5. Without log validation, attackers may delete or modify logs without detection!
Impact:
Pros:
1. Ensures AWS CloudTrail logs are not altered.
2. Improves security and compliance auditing.
3. Helps with forensic investigations.
Cons:
1. Additional storage costs for validation digest files in S3.
2. Requires manual log validation using the AWS CLI.
Default Value:
CloudTrail Log File Validation is NOT enabled by default. It must be enabled manually on each trail.
Pre-Requisites:
IAM permissions required:
cloudtrail:UpdateTrail
cloudtrail:GetTrailStatus
cloudtrail:DescribeTrails
s3:PutBucketPolicy
AWS CLI installed for automation.
Remediation:
Test Plan:
Using AWS Console
Step 1: Check Log File Validation Status
Log in to the AWS Management Console
Navigate to CloudTrail Console → CloudTrail Dashboard
Click Trails in the left panel.
Click on each Trail Name.
Under General details, check Log file validation = Enabled.
- If enabled, CloudTrail log validation is properly configured.
- If disabled, follow remediation steps.
Audit Steps Using AWS CLI
Step 1: List All CloudTrails
aws cloudtrail describe-trails
This command returns all trails and their configurations.
Step 2: Check If Log File Validation is Enabled
aws cloudtrail describe-trails --query 'trailList[*].[Name,LogFileValidationEnabled]'
Expected Output (If Log File Validation is Enabled):
[ ["CloudTrail-Name", true] ]
- If LogFileValidationEnabled=false, remediation is required.
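The same audit, as an added example that is not part of the original page, applied to a constructed describe-trails response rather than a live account. The field names (Name, TrailARN, HomeRegion, IsMultiRegionTrail, LogFileValidationEnabled) are those of the describe-trails output; the sample trails and account number are made up. It also handles two things the one-line --query above does not: a multi-region trail is listed once per region (shadow trails), so results are deduplicated by TrailARN, and the remediation command is pinned to the trail's home region, because update-trail must be called there.

```python
"""Audit CloudTrail trails for log file validation (added example, not AWS code).

In practice trail_list is the "trailList" element returned by
`aws cloudtrail describe-trails` or boto3's CloudTrail.Client.describe_trails().
"""

# Constructed sample response. Account id, names and ARNs are placeholders.
# "org-trail" is multi-region and therefore appears twice (a shadow trail copy).
# "legacy-trail" lacks the LogFileValidationEnabled key entirely.
SAMPLE_TRAIL_LIST = [
    {"Name": "org-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True},
    {"Name": "org-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True},
    {"Name": "dev-trail",
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/dev-trail",
     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False},
    {"Name": "legacy-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/legacy-trail",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": False},
]


def unique_trails(trail_list):
    """Collapse shadow-trail duplicates: one entry per TrailARN, first occurrence wins."""
    by_arn = {}
    for trail in trail_list:
        by_arn.setdefault(trail["TrailARN"], trail)
    return list(by_arn.values())


def noncompliant_trails(trail_list):
    """Trails that fail the check: flag false or absent both count as not enabled."""
    return [t for t in unique_trails(trail_list)
            if not t.get("LogFileValidationEnabled", False)]


def remediation_commands(trail_list):
    """Build the update-trail command from this page for each failing trail.

    --name accepts the trail ARN, and --region is set to the trail's home
    region because UpdateTrail is rejected from any other region.
    """
    return [
        f"aws cloudtrail update-trail --region {t['HomeRegion']} "
        f"--name {t['TrailARN']} --enable-log-file-validation"
        for t in noncompliant_trails(trail_list)
    ]


if __name__ == "__main__":
    for trail in noncompliant_trails(SAMPLE_TRAIL_LIST):
        print(f"NON-COMPLIANT: {trail['Name']} ({trail['HomeRegion']})")
    for cmd in remediation_commands(SAMPLE_TRAIL_LIST):
        print(cmd)
```

Run against a real account by replacing SAMPLE_TRAIL_LIST with the parsed output of the describe-trails command above; the dedup step matters only when shadow trails are included, which is the CLI's default.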
Implementation:
Method 1: Enable Log File Validation via AWS Console
Step 1: Enable Log Validation
Log in to the AWS Console
Navigate to CloudTrail Console
Click Trails → Select the Trail
Click Edit under General details
Under Advanced settings, check Enable log file validation
Click Save changes
Method 2: Enable Log File Validation via AWS CLI
Step 1: Enable Log Validation on a Trail
aws cloudtrail update-trail --name <trail-name> --enable-log-file-validation
- This command enables cryptographic log validation for the specified CloudTrail. Digest files are produced only from the time validation is enabled, so log files delivered earlier cannot be validated.
Method 3: Verify CloudTrail Logs for Integrity
aws cloudtrail validate-logs --trail-arn <trail-arn> --start-time <YYYY-MM-DDTHH:MM:SSZ> --end-time <YYYY-MM-DDTHH:MM:SSZ>
Example: Validate logs from the last 24 hours:
aws cloudtrail validate-logs --trail-arn arn:aws:cloudtrail:us-east-1:123456789012:trail/my-trail --start-time 2024-02-09T00:00:00Z --end-time 2024-02-10T00:00:00Z
- If validation fails, investigate the reported log files: a hash mismatch means a file was modified after delivery, and a missing file means it was deleted.
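To show what validate-logs is actually checking, the following is an added example (not AWS code and not the real digest schema) that models the mechanism on constructed in-memory data: a digest lists the SHA-256 hash of every log file delivered in a period, is signed, and chains to the previous digest. Real CloudTrail digests are RSA-signed JSON objects in S3; here an HMAC stands in for the signature so the example runs with the standard library alone. The log contents, object keys and signing key are all made up.

```python
"""Simplified model of CloudTrail log file validation (added example, not AWS code)."""
import hashlib
import hmac
import json
from typing import Optional

HASH_ALGORITHM = "SHA-256"
SIGNING_KEY = b"constructed-demo-key"  # placeholder; CloudTrail uses an RSA key pair


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(log_files: dict, previous_digest: Optional[bytes]) -> bytes:
    """Serialize a digest: one hash per log object, plus the hash of the prior digest."""
    digest = {
        "digestHashAlgorithm": HASH_ALGORITHM,
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
        "logFiles": [
            {"s3Object": key, "hashAlgorithm": HASH_ALGORITHM, "hashValue": sha256_hex(body)}
            for key, body in sorted(log_files.items())
        ],
    }
    return json.dumps(digest, sort_keys=True).encode()


def sign_digest(digest: bytes, signing_key: bytes) -> str:
    """HMAC-SHA256 over the digest bytes (stand-in for CloudTrail's RSA signature)."""
    return hmac.new(signing_key, digest, hashlib.sha256).hexdigest()


def validate_digest(digest: bytes, signature: str, signing_key: bytes,
                    bucket: dict, previous_digest: Optional[bytes]) -> dict:
    """Check signature, chain and every listed log file against what the bucket holds now.

    bucket maps S3 object keys to the bytes an auditor reads back at validation time.
    """
    report = {"signature": "valid", "chain": "valid", "logFiles": {}}
    if not hmac.compare_digest(sign_digest(digest, signing_key), signature):
        report["signature"] = "invalid"  # digest itself altered or forged
    parsed = json.loads(digest)
    expected_prev = sha256_hex(previous_digest) if previous_digest else None
    if parsed["previousDigestHashValue"] != expected_prev:
        report["chain"] = "broken"  # a digest in the chain was removed or replaced
    for entry in parsed["logFiles"]:
        key = entry["s3Object"]
        if key not in bucket:
            report["logFiles"][key] = "missing"  # log file deleted after delivery
        elif sha256_hex(bucket[key]) != entry["hashValue"]:
            report["logFiles"][key] = "hash mismatch"  # log file modified after delivery
        else:
            report["logFiles"][key] = "valid"
    return report


def run_demo() -> dict:
    """Constructed scenario: one log edited and one deleted after delivery."""
    delivered = {
        "logs/2024/02/09/log-a.json.gz": b'{"Records":[{"eventName":"ConsoleLogin"}]}',
        "logs/2024/02/09/log-b.json.gz": b'{"Records":[{"eventName":"StopLogging"}]}',
        "logs/2024/02/09/log-c.json.gz": b'{"Records":[{"eventName":"DeleteTrail"}]}',
    }
    previous = build_digest({"logs/2024/02/08/log-z.json.gz": b'{"Records":[]}'}, None)
    digest = build_digest(delivered, previous)
    signature = sign_digest(digest, SIGNING_KEY)

    # What the bucket contains when the auditor runs validation.
    bucket = dict(delivered)
    bucket["logs/2024/02/09/log-b.json.gz"] = b'{"Records":[]}'  # event removed
    del bucket["logs/2024/02/09/log-c.json.gz"]  # file deleted
    return validate_digest(digest, signature, SIGNING_KEY, bucket, previous)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The report separates three failure classes a real validate-logs run also distinguishes: a modified log file, a deleted log file, and a tampered or missing digest (signature or chain failure). Note that the hashes live in the digest, not beside the log file, which is why deleting the log without also forging the signed digest chain is detectable.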
Backout Plan:
If enabling Log File Validation causes issues:
- Disable Log File Validation:
aws cloudtrail update-trail --name <trail-name> --no-enable-log-file-validation
- Verify if Log File Validation is Disabled:
aws cloudtrail describe-trails --query 'trailList[*].[Name,LogFileValidationEnabled]'
Ensure disabling log validation is justified (e.g., cost concerns) before proceeding.