📝 AWS CloudTrail Log File Validation is not enabled 🟢

Contextual name: 📝 Log File Validation is not enabled 🟢
ID: /ce/ca/aws/cloudtrail/log-file-validation
Located in: 📁 AWS CloudTrail

Flags

Our Metadata

Policy Type: COMPLIANCE_POLICY
Policy Category:
- SECURITY
- RELIABILITY

Similar Policies

Cloud Conformity
- CloudTrail Log File Integrity Validation
Internal
- dec-x-b1e1a494

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-b1e1a494	1

Logic

🧠 prod.logic.yaml 🟢
- 📕 AWS CloudTrail Trail
- 🔌 AWS CloudTrail Trail - object.extracts.yaml
- 🧪 test-data.json

Description

Open File

Description

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.

Rationale

Enabling log file validation will provide additional integrity checking of CloudTrail logs.

Audit

Perform the following on each trail to determine if log file validation is enabled:

From Console

Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail.

Click on Trails on the left navigation pane.

For Every Trail:

Click on a trail via the link in the Name column.

Under the General details section, ensure Log file validation is set to Enabled.

From Command Line

List all trails:
aws cloudtrail describe-trails
Ensure LogFileValidationEnabled is set to true for each trail.

Default Value

... see more

Remediation

Open File

Remediation

Perform the following to enable log file validation on a given trail:

From Console

Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail.

Click on Trails on the left navigation pane.

Click on target trail.

Within the General details section click edit.

Under the Advanced settings section.

Check the enable box under Log file validation.

Click Save changes.

From Command Line

Enable log file validation on a trail:
aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation
Note: periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;		18	21
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudTrail.4] CloudTrail log file validation should be enabled		1	1
💼 CIS AWS v1.2.0 → 💼 2.2 Ensure CloudTrail log file validation is enabled		1	1
💼 CIS AWS v1.3.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled		1	1
💼 CIS AWS v1.4.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled		1	1
💼 CIS AWS v1.5.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled - Level 2 (Automated)		1	1
💼 CIS AWS v2.0.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled - Level 2 (Automated)		1	1
💼 CIS AWS v3.0.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled - Level 2 (Automated)		1	1
💼 CIS AWS v4.0.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled (Automated)			1
💼 CIS AWS v4.0.1 → 💼 3.2 Ensure CloudTrail log file validation is enabled (Automated)			1
💼 CIS AWS v5.0.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled (Automated)			1
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			49
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	47
💼 FedRAMP High Security Controls → 💼 AU-6(1) Automated Process Integration (M)(H)			1
💼 FedRAMP High Security Controls → 💼 AU-7(1) Automatic Processing (M)(H)			1
💼 FedRAMP High Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)	3	9	11
💼 FedRAMP High Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H)		17	19
💼 FedRAMP High Security Controls → 💼 CM-5(1) Automated Access Enforcement and Audit Records (M)(H)		8	9
💼 FedRAMP High Security Controls → 💼 CP-9 System Backup (L)(M)(H)	5	5	6
💼 FedRAMP High Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)	14	48	51
💼 FedRAMP High Security Controls → 💼 SI-4(4) Inbound and Outbound Communications Traffic (M)(H)		7	9
💼 FedRAMP High Security Controls → 💼 SI-7(1) Integrity Checks (M)(H)			1
💼 FedRAMP High Security Controls → 💼 SI-7(7) Integration of Detection and Response (M)(H)			1
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			47
💼 FedRAMP Low Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)			11
💼 FedRAMP Low Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H)			19
💼 FedRAMP Low Security Controls → 💼 CP-9 System Backup (L)(M)(H)			6
💼 FedRAMP Low Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)			7
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			47
💼 FedRAMP Moderate Security Controls → 💼 AU-6(1) Automated Process Integration (M)(H)			1
💼 FedRAMP Moderate Security Controls → 💼 AU-7(1) Automatic Processing (M)(H)			1
💼 FedRAMP Moderate Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)	1		11
💼 FedRAMP Moderate Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H)			19
💼 FedRAMP Moderate Security Controls → 💼 CM-5(1) Automated Access Enforcement and Audit Records (M)(H)			9
💼 FedRAMP Moderate Security Controls → 💼 CP-9 System Backup (L)(M)(H)	2		6
💼 FedRAMP Moderate Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)	7		9
💼 FedRAMP Moderate Security Controls → 💼 SI-4(4) Inbound and Outbound Communications Traffic (M)(H)			9
💼 FedRAMP Moderate Security Controls → 💼 SI-7(1) Integrity Checks (M)(H)			1
💼 FedRAMP Moderate Security Controls → 💼 SI-7(7) Integration of Detection and Response (M)(H)			1
💼 GDPR → 💼 Art. 25 Data protection by design and by default		10	10
💼 GDPR → 💼 Art. 32 Security of processing		5	5
💼 ISO/IEC 27001:2013 → 💼 A.12.4.2 Protection of log information		2	2
💼 ISO/IEC 27001:2013 → 💼 A.12.4.3 Administrator and operator logs		8	9
💼 ISO/IEC 27001:2013 → 💼 A.18.1.3 Protection of records		2	2
💼 ISO/IEC 27001:2022 → 💼 5.25 Assessment and decision on information security events		1	1
💼 NIST CSF v1.1 → 💼 DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed		10	11
💼 NIST CSF v1.1 → 💼 DE.AE-2: Detected events are analyzed to understand attack targets and methods		19	22
💼 NIST CSF v1.1 → 💼 DE.AE-3: Event data are collected and correlated from multiple sources and sensors		19	22
💼 NIST CSF v1.1 → 💼 DE.AE-4: Impact of events is determined		14	14
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events		19	28
💼 NIST CSF v1.1 → 💼 DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events		21	24
💼 NIST CSF v1.1 → 💼 DE.CM-5: Unauthorized mobile code is detected		11	11
💼 NIST CSF v1.1 → 💼 DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events		7	7
💼 NIST CSF v1.1 → 💼 DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed		19	23
💼 NIST CSF v1.1 → 💼 DE.DP-2: Detection activities comply with all applicable requirements		7	7
💼 NIST CSF v1.1 → 💼 DE.DP-3: Detection processes are tested		14	14
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated		30	33
💼 NIST CSF v1.1 → 💼 DE.DP-5: Detection processes are continuously improved		14	16
💼 NIST CSF v1.1 → 💼 ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed		2	2
💼 NIST CSF v1.1 → 💼 ID.RA-1: Asset vulnerabilities are identified and documented		14	15
💼 NIST CSF v1.1 → 💼 PR.IP-4: Backups of information are conducted, maintained, and tested		5	5
💼 NIST CSF v1.1 → 💼 PR.IP-8: Effectiveness of protection technologies is shared		7	7
💼 NIST CSF v1.1 → 💼 PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy		17	20
💼 NIST CSF v1.1 → 💼 RS.AN-1: Notifications from detection systems are investigated		19	22
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			26
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			26
💼 NIST CSF v2.0 → 💼 DE.AE-04: The estimated impact and scope of adverse events are understood			14
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools			33
💼 NIST CSF v2.0 → 💼 DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis			22
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			83
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			59
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			27
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			89
💼 NIST CSF v2.0 → 💼 GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed			2
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			31
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			10
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			23
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			24
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			22
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			82
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			69
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			67
💼 NIST CSF v2.0 → 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested			6
💼 NIST CSF v2.0 → 💼 RS.MA-02: Incident reports are triaged and validated			22
💼 NIST SP 800-53 Revision 4 → 💼 AU-10 NON-REPUDIATION	5	1	1
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(1) Audit Record Review, Analysis, and Reporting _ Automated Process Integration		1	1
💼 NIST SP 800-53 Revision 5 → 💼 AU-7(1) Audit Record Reduction and Report Generation _ Automatic Processing		1	1
💼 NIST SP 800-53 Revision 5 → 💼 AU-9 Protection of Audit Information	7	2	4
💼 NIST SP 800-53 Revision 5 → 💼 SI-4 System Monitoring	25	2	6
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(1) Software, Firmware, and Information Integrity _ Integrity Checks			1
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(3) Software, Firmware, and Information Integrity _ Centrally Managed Integrity Tools			1
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(7) Software, Firmware, and Information Integrity _ Integration of Detection and Response			1
💼 PCI DSS v3.2.1 → 💼 10.5 Secure audit trails so they cannot be altered.	5	2	4
💼 PCI DSS v3.2.1 → 💼 10.5.2 Protect audit trail files from unauthorized modifications.		2	4
💼 PCI DSS v3.2.1 → 💼 10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts.		1	1
💼 PCI DSS v4.0.1 → 💼 10.3.2 Audit log files are protected to prevent modifications by individuals.			4
💼 PCI DSS v4.0.1 → 💼 10.3.4 File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts.			1
💼 PCI DSS v4.0 → 💼 10.3.2 Audit log files are protected to prevent modifications by individuals.			4
💼 PCI DSS v4.0 → 💼 10.3.4 File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts.			1

Flags​

Our Metadata​

Similar Policies​

Similar Internal Rules​

Logic​

Description​

Description​

Rationale​

Audit​

From Console​

From Command Line​

Default Value​

Remediation​

Remediation​

From Console​

From Command Line​

policy.yaml​

Linked Framework Sections​

Flags

Our Metadata

Similar Policies

Similar Internal Rules

Logic

Description

Description

Rationale

Audit

From Console

From Command Line

Default Value

Remediation

Remediation

From Console

From Command Line

policy.yaml

Linked Framework Sections