CloudTrail Log File Validation Enabled
Overview
This check verifies that your AWS CloudTrail trails have log file integrity validation enabled. When enabled, CloudTrail generates cryptographically signed digest files that let you verify whether log files delivered to S3 have been modified, deleted, or remained unchanged since delivery.
Risk
Without log file validation enabled, attackers who gain access to your CloudTrail S3 bucket could:
- Modify log entries to hide evidence of their unauthorized activity
- Delete log files to remove traces of data exfiltration or privilege escalation
- Create fake log entries to mislead incident responders
- Undermine forensic investigations because you cannot prove log integrity
This makes your audit trail untrustworthy and can impair compliance with regulations requiring tamper-evident logging.
Remediation Steps
Prerequisites
You need:
- AWS Console access with permissions to modify CloudTrail trails
- An existing CloudTrail trail (or permission to create one)
Required IAM permissions (for administrators)
Your IAM user or role needs these permissions:
- cloudtrail:UpdateTrail
- cloudtrail:DescribeTrails
- cloudtrail:GetTrailStatus
AWS Console Method
1. Open CloudTrail in the AWS Console
   - Go to CloudTrail Console in us-east-1
2. Select your trail
   - Click Trails in the left sidebar
   - Click on the trail name you want to configure
3. Edit the trail settings
   - Click Edit in the General details section
4. Enable log file validation
   - Scroll to Additional settings
   - Check the box for Log file validation (or ensure it's set to Enabled)
5. Save your changes
   - Click Save changes
That's it! CloudTrail will now generate digest files alongside your log files.
AWS CLI (optional)
Enable log file validation on an existing trail:
aws cloudtrail update-trail \
    --name <trail-name> \
    --enable-log-file-validation \
    --region us-east-1
Replace <trail-name> with your actual trail name.
Example with a specific trail:
aws cloudtrail update-trail \
    --name my-organization-trail \
    --enable-log-file-validation \
    --region us-east-1
Expected output:
{
    "Name": "my-organization-trail",
    "S3BucketName": "my-cloudtrail-bucket",
    "LogFileValidationEnabled": true,
    ...
}
CloudFormation (optional)
This template creates a CloudTrail trail with log file validation enabled:
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudTrail trail with log file validation enabled
Parameters:
  TrailName:
    Type: String
    Description: Name of the CloudTrail trail
    Default: my-trail
  S3BucketName:
    Type: String
    Description: S3 bucket where CloudTrail logs will be stored
Resources:
  CloudTrailWithValidation:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: !Ref TrailName
      S3BucketName: !Ref S3BucketName
      IsLogging: true
      EnableLogFileValidation: true
      IncludeGlobalServiceEvents: true
      IsMultiRegionTrail: true
Outputs:
  TrailArn:
    Description: CloudTrail trail ARN
    Value: !GetAtt CloudTrailWithValidation.Arn
  TrailName:
    Description: CloudTrail trail name
    Value: !Ref CloudTrailWithValidation
Deploy with:
aws cloudformation deploy \
    --template-file cloudtrail-validation.yaml \
    --stack-name cloudtrail-log-validation \
    --parameter-overrides TrailName=my-trail S3BucketName=my-cloudtrail-bucket \
    --region us-east-1
Note: Ensure the S3 bucket exists and has the appropriate bucket policy for CloudTrail. See AWS CloudTrail S3 Bucket Policy.
Terraform (optional)
# Variables
variable "trail_name" {
  description = "Name of the CloudTrail trail"
  type        = string
  default     = "my-trail"
}
variable "s3_bucket_name" {
  description = "S3 bucket for CloudTrail logs"
  type        = string
}
# CloudTrail trail with log file validation
resource "aws_cloudtrail" "main" {
  name                          = var.trail_name
  s3_bucket_name                = var.s3_bucket_name
  enable_log_file_validation    = true
  include_global_service_events = true
  is_multi_region_trail         = true
}
# Outputs
output "trail_arn" {
  description = "CloudTrail trail ARN"
  value       = aws_cloudtrail.main.arn
}
output "trail_name" {
  description = "CloudTrail trail name"
  value       = aws_cloudtrail.main.name
}
Deploy with:
terraform init
terraform plan -var="trail_name=my-trail" -var="s3_bucket_name=my-cloudtrail-bucket"
terraform apply -var="trail_name=my-trail" -var="s3_bucket_name=my-cloudtrail-bucket"
Note: Ensure the S3 bucket exists and has the appropriate bucket policy for CloudTrail before applying.
Verification
After enabling log file validation, verify it's working:
1. In the AWS Console:
   - Go to CloudTrail > Trails and select your trail
   - In the General details section, confirm Log file validation shows Enabled
2. Check for digest files in S3:
   - Go to your CloudTrail S3 bucket
   - Navigate to AWSLogs/<account-id>/CloudTrail-Digest/
   - You should see digest files appearing within an hour of enabling validation
CLI verification commands
Check if log file validation is enabled:
aws cloudtrail describe-trails \
    --trail-name-list <trail-name> \
    --region us-east-1 \
    --query 'trailList[0].LogFileValidationEnabled'
The output should be true.
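The query above inspects only the first trail returned. As an added example (not part of this page or of any AWS tool), the following evaluates every trail in describe-trails output the way this check does, treats a missing LogFileValidationEnabled as disabled, and builds the fix command for each failing trail's home region, since UpdateTrail must be called in the region where the trail was created. The JSON is a constructed sample with a placeholder account id and made-up trail names.

```python
"""Evaluate `aws cloudtrail describe-trails` output for this check.
SAMPLE_DESCRIBE_TRAILS is constructed for this example (placeholder account id
and trail names); its keys are the ones DescribeTrails returns."""
import json

SAMPLE_DESCRIBE_TRAILS = json.loads("""{
  "trailList": [
    {"Name": "my-organization-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/my-organization-trail",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": true,
     "LogFileValidationEnabled": true},
    {"Name": "legacy-trail",
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-trail",
     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": false,
     "LogFileValidationEnabled": false},
    {"Name": "partial-trail",
     "TrailARN": "arn:aws:cloudtrail:us-west-2:111122223333:trail/partial-trail",
     "HomeRegion": "us-west-2", "IsMultiRegionTrail": false}
  ]
}""")

def evaluate_trails(describe_output: dict) -> list:
    """One finding per trail. Only an explicit true passes: a missing or
    null LogFileValidationEnabled is reported as FAIL (fail closed)."""
    findings = []
    for trail in describe_output.get("trailList", []):
        enabled = trail.get("LogFileValidationEnabled") is True
        findings.append({
            "trail": trail["Name"],
            "home_region": trail["HomeRegion"],
            "multi_region": bool(trail.get("IsMultiRegionTrail")),
            "status": "PASS" if enabled else "FAIL",
        })
    return findings

def remediation_commands(findings: list) -> list:
    """UpdateTrail must be called in the trail's home region (other regions
    return InvalidHomeRegionException), so take --region from HomeRegion
    instead of hard-coding us-east-1 as the single-trail example above does."""
    return [
        f"aws cloudtrail update-trail --name {f['trail']} "
        f"--enable-log-file-validation --region {f['home_region']}"
        for f in findings if f["status"] == "FAIL"
    ]

if __name__ == "__main__":
    results = evaluate_trails(SAMPLE_DESCRIBE_TRAILS)
    for f in results:
        print(f"{f['status']} {f['trail']} (home region {f['home_region']})")
    for cmd in remediation_commands(results):
        print(cmd)
```

To run it against a real account, replace SAMPLE_DESCRIBE_TRAILS with the parsed output of `aws cloudtrail describe-trails`; shadow trails of multi-region trails appear in that output with their own HomeRegion, which is why the command is built from that field.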
Verify digest files exist in S3:
aws s3 ls s3://<bucket-name>/AWSLogs/<account-id>/CloudTrail-Digest/ \
    --region us-east-1
You should see digest files with names like:
<account-id>_CloudTrail-Digest_us-east-1_<trail-name>_<timestamp>.json.gz
Validate log file integrity (advanced):
AWS provides a CLI command to validate log files against digest files:
aws cloudtrail validate-logs \
    --trail-arn arn:aws:cloudtrail:us-east-1:<account-id>:trail/<trail-name> \
    --start-time 2024-01-01T00:00:00Z \
    --end-time 2024-01-02T00:00:00Z \
    --region us-east-1
This command checks whether log files have been tampered with since delivery.
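To make concrete what that tamper check relies on, here is an added offline model (not AWS code and not from this page) of the per-file hash check a digest enables: each digest records a SHA-256 per delivered log file plus the hash of the previous digest, so an edited file or a deleted file no longer matches. The bucket contents, object keys and digest are constructed; the digest keys follow the documented digest file structure, and the RSA signature check that validate-logs also performs on each digest is not reproduced here.

```python
"""Offline model of the hash check CloudTrail log file validation performs.
Bucket contents and digest are constructed; keys follow the AWS digest format."""
import hashlib

ACCOUNT = "111122223333"  # placeholder account id
LOGS = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1"
DIGESTS = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1"
# Constructed stand-in for the S3 bucket at delivery time: key -> bytes.
DELIVERED = {
    f"{DIGESTS}/digest_0000.json.gz": b'{"logFiles":[]}',
    f"{LOGS}/log_0100.json.gz": b'{"Records":[{"eventName":"ConsoleLogin"}]}',
    f"{LOGS}/log_0130.json.gz": b'{"Records":[{"eventName":"PutBucketPolicy"}]}',
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_digest(store: dict, prev_key: str, log_keys: list) -> dict:
    """Digest as CloudTrail writes it: one SHA-256 per log file plus the hash
    of the previous digest, so digests chain back to the first one."""
    return {
        "previousDigestS3Object": prev_key,
        "previousDigestHashValue": sha256_hex(store[prev_key]),
        "logFiles": [{"s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(store[k])} for k in log_keys],
    }

def validate_digest(digest: dict, store: dict) -> dict:
    """Map every object the digest covers to 'valid', 'modified' or 'deleted'
    (validate-logs reports these as valid, hash mismatch and not found)."""
    expected = {digest["previousDigestS3Object"]: digest["previousDigestHashValue"]}
    expected.update({e["s3Object"]: e["hashValue"] for e in digest["logFiles"]})
    verdicts = {}
    for key, want in expected.items():
        data = store.get(key)
        if data is None:
            verdicts[key] = "deleted"
        else:
            verdicts[key] = "valid" if sha256_hex(data) == want else "modified"
    return verdicts

def tamper_demo() -> dict:
    """Record the digest at delivery, then simulate one log file being edited
    and another deleted: both are caught; the untouched previous digest passes."""
    logs = sorted(k for k in DELIVERED if k.startswith(LOGS))
    digest = build_digest(DELIVERED, f"{DIGESTS}/digest_0000.json.gz", logs)
    after = dict(DELIVERED)
    after[logs[0]] = b'{"Records":[]}'  # evidence stripped from the log
    del after[logs[1]]                  # whole log file removed
    return validate_digest(digest, after)
```

The model only covers the hash chain; without the signature check, an attacker who can rewrite the digest files as well would not be caught, which is why the digest signature and the S3 protections listed under Notes matter.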
Additional Resources
- AWS Documentation: Validating CloudTrail Log File Integrity
- AWS Documentation: CloudTrail Digest File Structure
- AWS Documentation: Validating Logs with the AWS CLI
- AWS Security Best Practices: Protect CloudTrail Logs
Notes
- Digest file timing: Digest files are delivered approximately once per hour. After enabling validation, wait at least an hour before checking for digest files.
- No retroactive validation: Log file validation only applies to log files delivered after you enable the feature. Earlier log files cannot be validated.
- S3 bucket protection: For maximum security, also enable:
  - S3 Object Lock to prevent log and digest file deletion
  - MFA Delete to require multi-factor authentication for deletions
  - Versioning to preserve all versions of files
- Cost: There is no additional charge for log file validation. However, storing digest files does incur standard S3 storage costs.
- Multi-region trails: If using a multi-region trail, digest files are stored per-region within the S3 bucket.