CloudTrail log file validation should be enabled

Description

It is recommended that log file validation be enabled on all CloudTrail trails, because it provides additional integrity checking of the delivered log data.

Remediation Steps

AWS Console

  • Navigate to CloudTrail.

  • In the left navigation, click Trails.

  • Click the target trail.

  • Within General details, click Edit.

  • Scroll down to Additional settings, and enable Log file validation.

  • Click Save changes.

AWS CLI

  • Get a list of all CloudTrail trails and view their configuration:

    • aws cloudtrail describe-trails

  • Update any trail that has “LogFileValidationEnabled” set to false:

    • aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation
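
An added example, not part of this page or of any AWS tool: a Python check that reads the JSON printed by aws cloudtrail describe-trails, flags every distinct trail whose LogFileValidationEnabled is not true (a missing field counts as not enabled), and prints the matching update-trail command. The sample describe-trails output below is constructed; trail names, ARNs and the account id are made up, and the second legacy-trail entry simulates the duplicate listing a multi-region trail gets in other regions.

```python
import json

# Constructed sample of `aws cloudtrail describe-trails --output json` output.
# Field names match the real API; names, ARNs and account id are made up.
# The repeated legacy-trail entry simulates a multi-region trail listed twice.
SAMPLE_DESCRIBE_TRAILS = """{"trailList": [
  {"Name": "org-trail", "HomeRegion": "us-east-1",
   "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
   "LogFileValidationEnabled": true},
  {"Name": "legacy-trail", "HomeRegion": "eu-west-1",
   "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-trail",
   "LogFileValidationEnabled": false},
  {"Name": "legacy-trail", "HomeRegion": "eu-west-1",
   "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-trail",
   "LogFileValidationEnabled": false},
  {"Name": "no-field-trail", "HomeRegion": "us-west-2",
   "TrailARN": "arn:aws:cloudtrail:us-west-2:111122223333:trail/no-field-trail"}
]}"""


def noncompliant_trails(describe_trails_json: str) -> list[dict]:
    """One finding per distinct trail whose LogFileValidationEnabled is not true.

    A missing field fails closed (treated as not enabled). Trails are
    de-duplicated by TrailARN because a multi-region trail can be listed once
    per region. update-trail must run in the trail's home region, so the
    suggested command pins --region to HomeRegion.
    """
    data = json.loads(describe_trails_json)
    seen, findings = set(), []
    for trail in data.get("trailList", []):
        arn = trail.get("TrailARN") or trail.get("Name")
        if arn in seen:
            continue
        seen.add(arn)
        if trail.get("LogFileValidationEnabled") is not True:
            region = trail.get("HomeRegion", "<home_region>")
            findings.append({
                "name": trail["Name"],
                "home_region": region,
                "remediation": (
                    f"aws cloudtrail update-trail --name {trail['Name']} "
                    f"--region {region} --enable-log-file-validation"
                ),
            })
    return findings


if __name__ == "__main__":
    for f in noncompliant_trails(SAMPLE_DESCRIBE_TRAILS):
        print(f"{f['name']} ({f['home_region']}): {f['remediation']}")
```

To run it against a real account, pipe `aws cloudtrail describe-trails --output json` into the function instead of the constructed sample.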

CloudFormation

JSON

{
  "Properties": {
    "EnableLogFileValidation": true
  }
}
JSON Example Configuration

{
  "Type": "AWS::CloudTrail::Trail",
  "Properties": {
    "EnableLogFileValidation": true
  }
}

(JSON does not allow comments; the other required fields for the resource go inside this object.)

YAML

Properties:
  EnableLogFileValidation: true
YAML Example Configuration

Type: AWS::CloudTrail::Trail
Properties:
  EnableLogFileValidation: true
# other required fields here

Terraform

Example Configuration

resource "aws_cloudtrail" "example" {
  enable_log_file_validation = true
  # other required fields here
}