Profile Applicability:
- Level 1
Description:
This control ensures that AWS CloudTrail log file validation is enabled to detect any modifications to CloudTrail logs after delivery. When enabled, CloudTrail creates a digest file containing hashes of the delivered log files, allowing verification of the integrity and authenticity of the logs. This feature helps ensure that security, compliance, and audit teams can trust the validity of CloudTrail logs.
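The hash check that the digest file makes possible, as an added example (not part of this control text or of any AWS tooling): it recomputes SHA-256 over the stored log objects and over the previous digest, and reports any file that no longer matches. The S3 keys, log records and digest JSON are constructed; the digest field names follow the documented digest layout, and the RSA signature that CloudTrail stores in the digest object's metadata (what `aws cloudtrail validate-logs` additionally checks against the keys from `aws cloudtrail list-public-keys`) is not verified here.

```python
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(digest: dict, objects: dict) -> list:
    """Compare each covered log file, and the previous digest, against the hashes
    recorded in `digest`. `objects` maps S3 keys to stored bytes (gzipped, which is
    what CloudTrail hashes). Returns findings; an empty list means nothing mismatched."""
    findings = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if entry["hashAlgorithm"] != "SHA-256":
            findings.append(f"unexpected hash algorithm for {key}")
            continue
        blob = objects.get(key)
        if blob is None:
            findings.append(f"log file missing (deleted after delivery?): {key}")
        elif sha256_hex(blob) != entry["hashValue"]:
            findings.append(f"hash mismatch (modified after delivery?): {key}")
    prev_key = digest.get("previousDigestS3Object")
    if prev_key:  # the first digest in a chain has no predecessor
        prev = objects.get(prev_key)
        if prev is None or sha256_hex(prev) != digest["previousDigestHashValue"]:
            findings.append(f"digest chain broken at {prev_key}")
    return findings


def build_sample():
    """Constructed stand-in for a bucket holding one earlier digest and one log file."""
    log_key = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/sample_CloudTrail.json.gz"
    prev_key = "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2024/01/01/sample_digest.json.gz"
    log_bytes = gzip.compress(json.dumps({"Records": [{"eventName": "ConsoleLogin"}]}).encode(), mtime=0)
    prev_bytes = gzip.compress(json.dumps({"logFiles": [], "previousDigestS3Object": None}).encode(), mtime=0)
    digest = {
        "logFiles": [{"s3Object": log_key, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(log_bytes)}],
        "previousDigestS3Object": prev_key,
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": sha256_hex(prev_bytes),
    }
    return digest, {log_key: log_bytes, prev_key: prev_bytes}


def tampered_sample():
    """Same bucket, but the log file was rewritten after delivery."""
    digest, objects = build_sample()
    objects[digest["logFiles"][0]["s3Object"]] = gzip.compress(b'{"Records": []}', mtime=0)
    return digest, objects
```

A clean bucket yields no findings; a rewritten or deleted log file, or a replaced earlier digest, each produce one finding naming the affected object.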
Rationale:
Enabling CloudTrail log file validation ensures the integrity of audit logs, which are critical for investigations, compliance, and incident response. Without validation, unauthorized changes or deletions could go unnoticed, compromising forensic analysis. Log file validation allows organizations to verify that log data has not been tampered with after delivery, supporting non-repudiation and regulatory compliance.
Impact:
Positive Impact: Enhances log integrity, supports forensic accuracy, and improves compliance with regulatory requirements.
Negative Impact: Slight increase in S3 storage costs due to the creation of additional digest files.
Default Value:
By default, CloudTrail log file validation is disabled.
Pre-Requisite:
- CloudTrail must be enabled in all regions.
- The S3 bucket used for CloudTrail log storage must be properly configured with the correct permissions.
- IAM permissions required: cloudtrail:UpdateTrail, cloudtrail:GetTrailStatus, and cloudtrail:DescribeTrails.
Remediation:
Test Plan:
Using AWS Console:
- Sign in to the AWS Management Console.
- Navigate to CloudTrail → Trails.
- Select an existing trail.
- In the General details section, check whether Log file validation is Enabled.
- If it is not enabled, note that the organization is not compliant with this control.
Implementation Plan:
Using AWS Console:
- Go to the AWS CloudTrail Console.
- Select Trails from the navigation pane.
- Choose the trail for which you want to enable log file validation.
- In the General details section, click Edit.
- Under Additional settings, select Enable log file validation.
- Click Save changes.
- Confirm that the Log file validation status now shows Enabled.
Backout Plan:
Using AWS Console:
- Go to the AWS CloudTrail Console.
- Select Trails → choose the trail with validation enabled.
- Click Edit.
- Uncheck the Enable log file validation option.
- Click Save changes to disable log file validation.