Profile Applicability:

Level 2

Description:

When AWS CloudTrail Log File Validation is enabled, CloudTrail delivers a digest file to the trail's S3 bucket every hour (under the CloudTrail-Digest prefix). Each digest lists the SHA-256 hash of every log file delivered during that hour and the hash of the previous digest, and the digest itself is signed with SHA-256 with RSA using a CloudTrail private key. Following that chain lets you detect unauthorized modification, deletion, or corruption of log files after delivery. Validation detects tampering; it does not prevent it, and it only covers log files delivered after the setting was turned on.

Why Enable Log File Validation?

  •  Ensures log integrity – Detects tampering, deletions, and modifications.

  •  Verifies that logs have not been altered post-delivery.

  •  Essential for forensic investigations after security incidents.

  •  Supports compliance audits (PCI DSS, SOC 2, ISO 27001).

 CloudTrail Log File Validation is NOT enabled by default!

Rationale:

1. Detects log tampering or deletion after delivery to S3.
2. Provides cryptographic proof of log integrity (hash chain plus RSA signature from CloudTrail).
3. Required by security benchmarks such as the CIS AWS Foundations Benchmark.
4. Improves forensic investigation capabilities: an investigator can prove which log files are original.

Note: Without log validation, an attacker with write access to the log bucket can delete or modify logs without detection.

Impact:

Pros:
1. Makes unauthorized changes to AWS CloudTrail logs detectable.
2. Improves security and compliance auditing.
3. Helps with forensic investigations.

Cons:
1. Additional S3 storage for digest files (one small file per hour, per region).
2. Verification is a separate step (aws cloudtrail validate-logs) that must be run or scheduled; enabling the setting alone does not alert on tampering.

Default Value:

CloudTrail Log File Validation is NOT enabled by default for trails created with the AWS CLI or API (create-trail defaults to --no-enable-log-file-validation). It is a per-trail setting and must be verified on every trail in every region.

Pre-Requisites:

IAM permissions required:

  • cloudtrail:DescribeTrails (audit)

  • cloudtrail:GetTrailStatus (audit)

  • cloudtrail:UpdateTrail (remediation)

  • cloudtrail:ListPublicKeys, s3:GetObject and s3:ListBucket on the log bucket (running validate-logs)

  • s3:PutBucketPolicy, only if the bucket policy must be adjusted so CloudTrail can write to the CloudTrail-Digest prefix

AWS CLI installed for automation.

Remediation:

Test Plan:

Using AWS Console

Step 1: Check Log File Validation Status

  1. Log in to the AWS Management Console.

  2. Navigate to CloudTrail Console → CloudTrail Dashboard.

  3. Click Trails in the left panel.

  4. Click on each Trail Name.

  5. Under General details, check Log file validation = Enabled.

  • If enabled, CloudTrail log validation is properly configured.
  • If disabled, follow remediation steps.

Audit Steps Using AWS CLI

Step 1: List All CloudTrails

aws cloudtrail describe-trails

This command returns the trails visible in the current region and their configurations. Multi-region trails are listed in every region; single-region trails only appear in their home region, so repeat the check in each region you use.

Step 2: Check If Log File Validation is Enabled

aws cloudtrail describe-trails --query 'trailList[*].[Name,LogFileValidationEnabled]'

Expected Output (If Log File Validation is Enabled):

[
  ["CloudTrail-Name", true]
]

  • If LogFileValidationEnabled is false for any trail, remediation is required.
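The two CLI steps above scale poorly once there are several regions and organization trails, because describe-trails repeats multi-region trails in every region and update-trail must be run in a trail's home region. The script below is an added example for this page (not AWS or CIS code): it takes describe-trails output collected per region, de-duplicates on TrailARN, and prints the remediation command for each non-compliant trail in the correct region. The JSON is a constructed sample shaped like a real describe-trails response; the bucket names, account ID and trail names are made up.

```python
"""Triage `aws cloudtrail describe-trails` output for trails without log file validation.

Added example for this benchmark page, not AWS or CIS code. SAMPLE_RESPONSES is a
constructed sample shaped like real describe-trails responses (same field names),
keyed by the region each call was made in.
"""
import json
import sys

# Constructed sample: from us-east-1 we see a compliant single-region trail plus the
# shadow copy of a multi-region organization trail whose home region is eu-west-1;
# from eu-west-1 we see that same trail again. De-duplicate on TrailARN, not Name.
SAMPLE_RESPONSES = {
    "us-east-1": {"trailList": [
        {"Name": "audit-trail-use1", "S3BucketName": "example-cloudtrail-logs",
         "IsMultiRegionTrail": False, "HomeRegion": "us-east-1",
         "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/audit-trail-use1",
         "LogFileValidationEnabled": True, "IsOrganizationTrail": False},
        {"Name": "org-trail", "S3BucketName": "example-org-logs",
         "IsMultiRegionTrail": True, "HomeRegion": "eu-west-1",
         "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/org-trail",
         "LogFileValidationEnabled": False, "IsOrganizationTrail": True},
    ]},
    "eu-west-1": {"trailList": [
        {"Name": "org-trail", "S3BucketName": "example-org-logs",
         "IsMultiRegionTrail": True, "HomeRegion": "eu-west-1",
         "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/org-trail",
         "LogFileValidationEnabled": False, "IsOrganizationTrail": True},
    ]},
}


def find_noncompliant_trails(responses):
    """responses: {region: describe-trails JSON}. Returns one finding per distinct
    TrailARN whose LogFileValidationEnabled is false or absent."""
    seen, findings = set(), []
    for payload in responses.values():
        for trail in payload.get("trailList", []):
            arn = trail["TrailARN"]
            if arn in seen:
                continue                      # shadow copy of a multi-region trail
            seen.add(arn)
            if trail.get("LogFileValidationEnabled"):
                continue
            findings.append({
                "name": trail["Name"],
                "arn": arn,
                "home_region": trail["HomeRegion"],
                "organization_trail": bool(trail.get("IsOrganizationTrail")),
            })
    return findings


def remediation_command(finding):
    """update-trail only succeeds in the trail's home region, and organization
    trails can only be changed from the organization management account."""
    cmd = (f"aws cloudtrail update-trail --region {finding['home_region']} "
           f"--name {finding['arn']} --enable-log-file-validation")
    if finding["organization_trail"]:
        cmd += "   # run with management-account credentials"
    return cmd


if __name__ == "__main__":
    if sys.stdin.isatty():
        responses = SAMPLE_RESPONSES          # demo on the constructed sample
    else:
        # e.g.  aws cloudtrail describe-trails --region eu-west-1 | python3 audit.py
        responses = {"stdin": json.load(sys.stdin)}
    findings = find_noncompliant_trails(responses)
    if not findings:
        print("All trails have log file validation enabled.")
    for f in findings:
        print(f"NON-COMPLIANT {f['name']} ({f['home_region']}): {remediation_command(f)}")
```

Passing the ARN rather than the bare name to update-trail avoids ambiguity when trails in different regions share a name; the name-only form in the remediation section below works too when the name is unique.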


Implementation:

Method 1: Enable Log File Validation via AWS Console

Step 1: Enable Log Validation

  1. Log in to the AWS Console.

  2. Navigate to CloudTrail Console.

  3. Click Trails → Select the Trail.

  4. Click Edit under General details.

  5. Under Advanced settings, check Enable log file validation.

  6. Click Save changes.

Method 2: Enable Log File Validation via AWS CLI

Step 1: Enable Log Validation on a Trail

aws cloudtrail update-trail --name <trail-name> --enable-log-file-validation
  • This command enables log file validation for the specified trail. Run it in the trail's home region; for an organization trail, run it from the organization management account. The first digest file is delivered within about an hour.

Method 3: Verify CloudTrail Logs for Integrity

aws cloudtrail validate-logs --trail-arn <trail-arn> --start-time <YYYY-MM-DDTHH:MM:SSZ> --end-time <YYYY-MM-DDTHH:MM:SSZ>

Example: Validate logs for a 24-hour window (add --verbose to list every file checked):

aws cloudtrail validate-logs --trail-arn arn:aws:cloudtrail:us-east-1:123456789012:trail/my-trail --start-time 2024-02-09T00:00:00Z --end-time 2024-02-10T00:00:00Z
  • The start time must be after validation was enabled; earlier log files have no digest and cannot be validated.
  • The digest and log files must still be in the bucket; a lifecycle rule that expires them makes the period unverifiable.
  • If any file is reported INVALID or missing, investigate log integrity issues (S3 access logs, bucket policy changes, deletions).
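To make the INVALID and missing results of validate-logs concrete, the following added example (not AWS code and not the CLI's implementation) re-creates offline the hash part of what the command does: it hashes each log file the digest lists, checks the link to the previous digest, and shows how a rewritten or deleted log file surfaces. Digest field names and the four-line string-to-sign follow the CloudTrail digest format AWS documents; the bucket name, S3 keys, log records and signature values are constructed sample data. The RSA step (SHA256withRSA over that string, using the key from aws cloudtrail list-public-keys) is described but not performed.

```python
"""Offline re-implementation of the hash checks behind `aws cloudtrail validate-logs`.

Added example for this benchmark page; not AWS code. Digest fields and the
string-to-sign follow the documented CloudTrail digest format; all object keys,
records and signature strings below are constructed sample data.
"""
import gzip
import hashlib
import json

ACCOUNT = "123456789012"
BUCKET = "example-cloudtrail-logs"
PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail"
LOG_KEY_1 = f"{PREFIX}/us-east-1/2024/02/09/{ACCOUNT}_CloudTrail_us-east-1_20240209T2205Z_a1.json.gz"
LOG_KEY_2 = f"{PREFIX}/us-east-1/2024/02/09/{ACCOUNT}_CloudTrail_us-east-1_20240209T2240Z_b2.json.gz"
PREV_DIGEST_KEY = f"{PREFIX}-Digest/us-east-1/2024/02/09/{ACCOUNT}_CloudTrail-Digest_us-east-1_my-trail_us-east-1_20240209T220000Z.json.gz"
DIGEST_KEY = f"{PREFIX}-Digest/us-east-1/2024/02/09/{ACCOUNT}_CloudTrail-Digest_us-east-1_my-trail_us-east-1_20240209T230000Z.json.gz"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def gz_json(obj) -> bytes:
    """Serialize and gzip, the way CloudTrail stores log and digest files in S3."""
    return gzip.compress(json.dumps(obj).encode())


# Constructed stand-in for the S3 bucket: key -> object bytes.
OBJECTS = {
    LOG_KEY_1: gz_json({"Records": [{"eventName": "ConsoleLogin", "eventTime": "2024-02-09T22:05:11Z"}]}),
    LOG_KEY_2: gz_json({"Records": [{"eventName": "StopLogging", "eventTime": "2024-02-09T22:40:03Z"}]}),
    PREV_DIGEST_KEY: gz_json({"digestEndTime": "2024-02-09T22:00:00Z", "logFiles": []}),
}

# CloudTrail records the SHA-256 of the *uncompressed* contents of each log file
# and of the previous digest file, which is what chains the hourly digests together.
DIGEST = {
    "awsAccountId": ACCOUNT,
    "digestStartTime": "2024-02-09T22:00:00Z",
    "digestEndTime": "2024-02-09T23:00:00Z",
    "digestS3Bucket": BUCKET,
    "digestS3Object": DIGEST_KEY,
    "digestPublicKeyFingerprint": "constructed-fingerprint",
    "digestSignatureAlgorithm": "SHA256withRSA",
    "previousDigestS3Bucket": BUCKET,
    "previousDigestS3Object": PREV_DIGEST_KEY,
    "previousDigestHashValue": sha256_hex(gzip.decompress(OBJECTS[PREV_DIGEST_KEY])),
    "previousDigestHashAlgorithm": "SHA-256",
    "previousDigestSignature": "constructed-hex-signature-of-previous-digest",
    "logFiles": [
        {"s3Bucket": BUCKET, "s3Object": key, "hashAlgorithm": "SHA-256",
         "hashValue": sha256_hex(gzip.decompress(OBJECTS[key]))}
        for key in (LOG_KEY_1, LOG_KEY_2)
    ],
}


def check_object(objects, key, expected_hash) -> str:
    """VALID / INVALID / MISSING, the states validate-logs reports per file."""
    body = objects.get(key)
    if body is None:
        return "MISSING"
    try:
        content = gzip.decompress(body)
    except (OSError, EOFError):
        return "INVALID"                      # corrupted or truncated object
    return "VALID" if sha256_hex(content) == expected_hash else "INVALID"


def verify_digest(digest, objects) -> dict:
    """Check every log file the digest covers plus the link to the previous digest."""
    results = {lf["s3Object"]: check_object(objects, lf["s3Object"], lf["hashValue"])
               for lf in digest["logFiles"]}
    results[digest["previousDigestS3Object"]] = check_object(
        objects, digest["previousDigestS3Object"], digest["previousDigestHashValue"])
    return results


def string_to_sign(digest, digest_contents: bytes) -> str:
    """The exact string CloudTrail signs with SHA256withRSA. Verifying that signature
    against a key from `aws cloudtrail list-public-keys` is what ties the hash chain
    to AWS rather than to whoever last had write access to the bucket."""
    return "\n".join([
        digest["digestEndTime"],
        digest["digestS3Bucket"] + "/" + digest["digestS3Object"],
        sha256_hex(digest_contents),
        digest["previousDigestSignature"],
    ])


def scenario(objects, *, delete=None, tamper=None) -> dict:
    """Copy of the bucket with one object deleted and/or one log file scrubbed."""
    store = dict(objects)
    if delete:
        store.pop(delete, None)
    if tamper:
        store[tamper] = gz_json({"Records": []})   # attacker removed the events
    return store


if __name__ == "__main__":
    for label, store in [("intact bucket", OBJECTS),
                         ("log 2 rewritten", scenario(OBJECTS, tamper=LOG_KEY_2)),
                         ("log 1 deleted", scenario(OBJECTS, delete=LOG_KEY_1))]:
        print(label)
        for key, status in verify_digest(DIGEST, store).items():
            print(f"  {status:8} {key.rsplit('/', 1)[-1]}")
```

The scrubbed log file still parses as valid CloudTrail JSON, which is why a hash comparison rather than a schema check is needed; and because each digest embeds the previous digest's hash and signature, deleting a digest file breaks the chain for every later hour rather than hiding the gap.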

Backout Plan:

If enabling Log File Validation causes issues:

  • Disable Log File Validation:
aws cloudtrail update-trail --name <trail-name> --no-enable-log-file-validation
  • Verify that Log File Validation is Disabled:
aws cloudtrail describe-trails --query 'trailList[*].[Name,LogFileValidationEnabled]'
Ensure disabling log validation is justified (e.g., cost concerns) before proceeding. Disabling and later re-enabling starts a new digest chain, so log files delivered while it was off can never be validated.


References: