Profile Applicability
- Level 1
Description:
CloudTrail log file validation ensures the integrity of the log files generated by AWS CloudTrail. Enabling log file validation creates a cryptographic hash of each CloudTrail log file, which helps verify that the logs have not been tampered with after being delivered. This feature ensures that CloudTrail logs remain authentic and provides assurance that no unauthorized modifications have been made.
Enabling log file validation for CloudTrail ensures that the integrity of your audit logs is preserved, which is essential for security auditing and compliance.
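The integrity check described above can be reproduced offline. The following added example (not part of this benchmark or of any AWS tool) uses the field names of CloudTrail's digest file format and assumes, as that format documents, that the recorded hashes are SHA-256 over the uncompressed object contents; the account id, bucket, object keys and the S3 stand-in dictionary are constructed placeholders.

```python
import gzip
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample standing in for the trail's S3 bucket: one gzipped log file, the previous
# hour's digest, and the current digest that references both. Keys follow CloudTrail's digest
# file format; account id, bucket and object names are placeholders.
BUCKET = "example-trail-bucket"
LOG_KEY = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/example_CloudTrail_20240101T0045Z.json.gz"
PREV_KEY = "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2024/01/01/previous-digest.json.gz"
DIGEST_KEY = "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2024/01/01/current-digest.json.gz"
LOG_FILE = gzip.compress(json.dumps({"Records": [{"eventName": "StopLogging"}]}).encode())
PREV_DIGEST = gzip.compress(json.dumps({"logFiles": []}).encode())
S3_OBJECTS = {LOG_KEY: LOG_FILE, PREV_KEY: PREV_DIGEST}

DIGEST = {
    "digestS3Bucket": BUCKET, "digestS3Object": DIGEST_KEY, "digestEndTime": "2024-01-01T01:00:00Z",
    "previousDigestS3Bucket": BUCKET, "previousDigestS3Object": PREV_KEY,
    "previousDigestHashValue": sha256_hex(gzip.decompress(PREV_DIGEST)),
    "previousDigestHashAlgorithm": "SHA-256", "previousDigestSignature": "placeholder-signature-hex",
    "logFiles": [{"s3Bucket": BUCKET, "s3Object": LOG_KEY, "hashAlgorithm": "SHA-256",
                  "hashValue": sha256_hex(gzip.decompress(LOG_FILE))}],
}

def verify_digest(digest: dict, objects: dict) -> list:
    """Recompute the hash of every log file the digest covers, and of the previous digest it
    chains to, against stored objects (dict of S3 key -> gzipped bytes; hashes assumed over the
    uncompressed contents). Returns findings; an empty list means nothing changed since delivery."""
    entries = [(f["s3Object"], f["hashValue"], f["hashAlgorithm"]) for f in digest["logFiles"]]
    if digest.get("previousDigestS3Object"):  # the first digest of a chain has no predecessor
        entries.append((digest["previousDigestS3Object"], digest["previousDigestHashValue"],
                        digest["previousDigestHashAlgorithm"]))
    findings = []
    for key, expected, algorithm in entries:
        if algorithm != "SHA-256":
            findings.append(f"{key}: unsupported hash algorithm {algorithm}")
        elif key not in objects:
            findings.append(f"{key}: object missing, log file or digest deleted")
        elif sha256_hex(gzip.decompress(objects[key])) != expected:
            findings.append(f"{key}: hash mismatch, contents modified after delivery")
    return findings

def signature_input(digest: dict, digest_contents: bytes) -> str:
    """String covered by the RSA signature stored in the digest object's S3 metadata ('signature')."""
    return "\n".join([digest["digestEndTime"], f"{digest['digestS3Bucket']}/{digest['digestS3Object']}",
                      sha256_hex(digest_contents), digest["previousDigestSignature"]])
```

Recomputing hashes alone only proves the logs match the digest; checking the digest's RSA signature against the public key returned by `aws cloudtrail list-public-keys` is what ties that digest to CloudTrail rather than to whoever last wrote to the bucket, which is why a tampered log and a re-hashed digest still fail validation.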
Rationale:
Log file validation for CloudTrail provides the following benefits:
- Integrity and authenticity: It ensures that CloudTrail logs are complete and have not been tampered with.
- Compliance: Helps meet regulatory requirements for log integrity, such as SOC 2, HIPAA, and PCI-DSS.
- Accountability: Makes log manipulation detectable, ensuring that audit logs can be used as an accurate record of AWS account activity.
Without log file validation, it becomes difficult to prove the authenticity of the CloudTrail logs, which can undermine their value during audits or investigations.
Impact:
Failure to enable CloudTrail log file validation can result in:
- Potential tampering with CloudTrail logs, which could lead to inaccurate audit trails.
- Inability to verify the integrity of CloudTrail logs, making it difficult to detect malicious activity or unauthorized changes.
- Non-compliance with regulatory standards that require log file integrity and validation.
Enabling this feature makes CloudTrail logs tamper-evident, increasing trust in the logs for auditing and incident investigations.
Default Value:
By default, CloudTrail log file validation is not enabled. You must manually enable this feature for each CloudTrail trail to ensure that logs are validated.
Prerequisites:
- AWS CLI installed and configured
- IAM permissions:
  - cloudtrail:DescribeTrails
  - cloudtrail:UpdateTrail
- CloudTrail must be enabled and configured to deliver logs to an S3 bucket
Remediation:
Test Plan:
Using AWS Console:
Go to the CloudTrail Console.
Verify that Log File Validation is enabled for the CloudTrail trail.
Check that CloudTrail is delivering logs to an S3 bucket and the logs are being validated by CloudTrail.
Using AWS CLI:
aws cloudtrail describe-trails --query 'TrailList[?LogFileValidationEnabled==`true`].{TrailName:Name, LogFileValidationEnabled:LogFileValidationEnabled}' --output table
The query is single-quoted so that the shell does not treat the backticks around true as command substitution. Any trail missing from the output does not have log file validation enabled.
Implementation Plan:
Using AWS Console:
Enable log file validation for CloudTrail logs:
Go to the CloudTrail Console.
Select the trail for which you want to enable log file validation.
Under the Log File Validation section, choose Enable and save the changes.
Verify log file validation:
In the CloudTrail Console, confirm that Log File Validation is marked as enabled for the selected trail.
Ensure that logs are being stored in the designated S3 bucket.
Using AWS CLI:
Enable log file validation for CloudTrail trail:
aws cloudtrail update-trail --name <trail-name> --enable-log-file-validation
Verify log file validation:
aws cloudtrail describe-trails --query 'TrailList[?LogFileValidationEnabled==`true`].{TrailName:Name, LogFileValidationEnabled:LogFileValidationEnabled}' --output table
The query is single-quoted so that the shell does not treat the backticks around true as command substitution; the updated trail should now appear in the output.
Backout Plan:
Using AWS Console:
If log file validation causes performance issues or excessive resource usage:
Go to the CloudTrail Console.
Disable log file validation for the CloudTrail trail by selecting Disable in the Log File Validation section.
Modify CloudTrail settings to reduce the frequency or scope of log file validation if necessary.
Using AWS CLI:
Temporarily disable log file validation:
aws cloudtrail update-trail --name <trail-name> --no-enable-log-file-validation
Stop CloudTrail logging if necessary:
aws cloudtrail stop-logging --name <trail-name>
Re-enable logging and log file validation once issues are resolved:
aws cloudtrail start-logging --name <trail-name>
aws cloudtrail update-trail --name <trail-name> --enable-log-file-validation