---
names:
  full: AWS CloudTrail Log File Validation is not enabled
  contextual: Log File Validation is not enabled
description: "CloudTrail log file validation creates a digitally signed digest file\
  \ containing a hash of each log that CloudTrail writes to S3. These digest files\
  \ can be used to determine whether a log file was changed, deleted, or unchanged\
  \ after CloudTrail delivered the log. It is recommended that file validation be\
  \ enabled on all CloudTrails."
type: COMPLIANCE_POLICY
categories:
  - "SECURITY"
  - "RELIABILITY"
frameworkMappings:
  - "/frameworks/cis-aws-v6.0.0/04/02"
  - "/frameworks/cloudaware/logging-and-monitoring/logging-and-monitoring-configuration"
  - "/frameworks/aws-fsbp-v1.0.0/cloudtrail/04"
similarPolicies:
  awsSecurityHub:
    - name: "[CloudTrail.4] CloudTrail log file validation should be enabled"
      url: "https://docs.aws.amazon.com/securityhub/latest/userguide/cloudtrail-controls.html#cloudtrail-4"
  cloudConformity:
    - url: https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudTrail/cloudtrail-log-file-integrity-validation.html
      name: CloudTrail Log File Integrity Validation
  internal:
    - dec-x-b1e1a494