CloudTrail log file validation should be enabled


It is recommended that file validation be enabled on all CloudTrail logs because it provides additional integrity checking of the log data.

Console Remediation Steps

  • Navigate to CloudTrail.

  • In the left navigation, click Trails.

  • Click the target trail.

  • Within the S3 section click on the edit pencil icon.

  • In Enable log file validation, select Yes.

  • Click Save.

CLI Remediation Steps

  • Get a list of all CloudTrail trails and view their configuration:

    • aws cloudtrail describe-trails

  • Update any trail that has “LogFileVaidationEnabled” set to false:

    • aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation