CloudTrail Trail Log File Integrity Validation Not Enabled

Overview

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log file that CloudTrail writes to S3. These digest files can be used to determine whether a log file was modified, deleted, or left unchanged after CloudTrail delivered it. It is recommended that log file validation be enabled on every trail.

The CloudTrail User Guide also explains the importance of log file integrity validation:

Validated log files are invaluable in security and forensic investigations. For example, a validated log file enables you to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity. The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time.

Securing logs against tampering is a requirement in most major security frameworks, including PCI-DSS (requirement 10.5), HIPAA, CIS Benchmarks, and NIST 800-53 (AU-9).
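As an added illustration, not code from this page or from AWS tooling, the Python below shows the two checks this finding implies: flagging trails whose LogFileValidationEnabled flag is off in describe-trails output, and comparing a retrieved log object with the SHA-256 hash its digest file recorded for it. The describe-trails response, the log bytes and the digest body are constructed samples; the digest's own signature is assumed to have been verified already.

```python
import hashlib

# Constructed sample shaped like `aws cloudtrail describe-trails` output (not real account data).
DESCRIBE_TRAILS = {
    "trailList": [
        {"Name": "mgmt-trail",
         "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/mgmt-trail",
         "LogFileValidationEnabled": True},
        {"Name": "legacy-trail",
         "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-trail",
         "LogFileValidationEnabled": False},
    ]
}


def trails_without_validation(describe_trails_response):
    """Return ARNs of trails whose log file integrity validation is off (this finding)."""
    return [t["TrailARN"] for t in describe_trails_response.get("trailList", [])
            if not t.get("LogFileValidationEnabled", False)]


# Constructed stand-in for a delivered log object and the digest entry that records its hash.
LOG_BYTES = b'{"Records":[{"eventName":"ConsoleLogin"}]}'
DIGEST = {
    "awsAccountId": "111122223333",
    "digestStartTime": "2024-01-01T00:00:00Z",
    "digestEndTime": "2024-01-01T01:00:00Z",
    "logFiles": [{
        "s3Bucket": "example-trail-bucket",
        "s3Object": "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/example.json.gz",
        "hashAlgorithm": "SHA-256",
        "hashValue": hashlib.sha256(LOG_BYTES).hexdigest(),
    }],
}


def check_log_against_digest(digest, s3_object, log_bytes):
    """Compare a retrieved log object with the hash the digest recorded for it.
    log_bytes=None means the object could not be fetched from S3.
    Returns 'ok', 'modified', 'deleted' or 'not in digest'."""
    for entry in digest.get("logFiles", []):
        if entry["s3Object"] != s3_object:
            continue
        if entry.get("hashAlgorithm") != "SHA-256":
            raise ValueError("unexpected hash algorithm %r" % entry.get("hashAlgorithm"))
        if log_bytes is None:
            return "deleted"          # digest lists it, S3 no longer has it
        if hashlib.sha256(log_bytes).hexdigest() == entry["hashValue"]:
            return "ok"
        return "modified"             # content differs from what CloudTrail delivered
    return "not in digest"            # never delivered, or digest chain is incomplete
```

For the full check, including digest signature and chain verification, use `aws cloudtrail validate-logs`; remediate a flagged trail with `aws cloudtrail update-trail --name <trail> --enable-log-file-validation`.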

Vendor

AWS

Cloud Service

CloudTrail

CIS AWS v1.5.0 3.2, CloudTrail.4

References

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

Severity

3

Item Types

AWS::CloudTrail::Trail