
πŸ›‘οΈ AWS CloudTrail Log File Validation is not enabled🟒

  • Contextual name: 🛡️ Log File Validation is not enabled 🟢
  • ID: /ce/ca/aws/cloudtrail/log-file-validation
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY, RELIABILITY

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-b1e1a4941

Description

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log file that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or left unchanged after CloudTrail delivered it. It is recommended that log file validation be enabled on all trails.

Rationale

Enabling log file validation provides additional integrity checking of CloudTrail logs: each digest is signed by CloudTrail and records the hash of the digest before it, so a modified or deleted log file, or a missing digest, can be detected after the fact. Validation detects tampering rather than preventing it, so it complements, and does not replace, tight access control on the log bucket.

Audit

Perform the following on each trail to determine if log file validation is enabled:

From Console
  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.

  2. Click on Trails on the left navigation pane.

  3. For every trail:

  • Click on a trail via the link in the Name column.
  • Under the General details section, ensure Log file validation is set to Enabled.
From Command Line

List all trails:

aws cloudtrail describe-trails

Ensure LogFileValidationEnabled is set to true for each trail. describe-trails is a Regional call: a multi-Region trail is listed in every Region (as a shadow trail), but a single-Region trail appears only in its home Region, so repeat the command in each Region where trails may exist.

Default Value

... see more

Remediation

Perform one of the following to enable log file validation on a given trail:

Using AWS CloudFormation

  • CloudFormation template (YAML). AWS::CloudTrail::Trail requires S3BucketName and IsLogging, so a template that sets only TrailName and EnableLogFileValidation will not deploy; and declaring a trail that already exists fails on create, so bring the existing trail into a stack with a CloudFormation resource import first, then set EnableLogFileValidation: true in the following stack update:
AWSTemplateFormatVersion: '2010-09-09'
Description: Manages a CloudTrail trail with log file validation enabled.

Parameters:
  TrailName:
    Type: String
    Description: Name of the CloudTrail trail
  S3BucketName:
    Type: String
    Description: Bucket that receives the trail's log and digest files

Resources:
  Trail:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: !Ref TrailName
      S3BucketName: !Ref S3BucketName   # required by AWS::CloudTrail::Trail
      IsLogging: true                   # required by AWS::CloudTrail::Trail
      EnableLogFileValidation: true

From Console

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.
  2. Click on Trails on the left navigation pane.
  3. Click on the target trail.
  4. In the General details section, click Edit.
  5. Under the Advanced settings section, check the Enabled box under Log file validation.
  6. Click Save changes.

From Command Line

Enable log file validation on a trail:

aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation
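The audit and the fix above as one small script, added here as a worked example (it is not part of this policy page or of any AWS tooling). The decision logic is kept apart from the API calls so it can be checked against the constructed describe-trails responses below without credentials; audit_regions() and remediate() are the live wrappers and assume a boto3 Session whose principal holds cloudtrail:DescribeTrails and cloudtrail:UpdateTrail. Two details the CLI steps gloss over are handled: describe-trails is Regional and lists a multi-Region trail in every Region as a shadow copy, so findings are de-duplicated by ARN; and update-trail succeeds only in the trail's home Region, so each finding carries HomeRegion along.

```python
"""Audit CloudTrail trails for log file validation and fix the ones that lack it.

The decision logic works on the plain describe-trails response so it can be
exercised offline; boto3 is only used inside audit_regions() and remediate().
"""
from typing import Dict, Iterable, List

# Constructed responses in the shape of `aws cloudtrail describe-trails`, taken
# from two Regions. The multi-Region app-trail appears in both (eu-west-1 holds
# its shadow copy), which is why findings are de-duplicated by ARN below.
SAMPLE_US_EAST_1 = {"trailList": [
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail",
     "IsOrganizationTrail": True, "LogFileValidationEnabled": True,
     "S3BucketName": "example-trail-bucket"},
    {"Name": "app-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/app-trail",
     "IsOrganizationTrail": False, "LogFileValidationEnabled": False,
     "S3BucketName": "app-logs"},
]}
SAMPLE_EU_WEST_1 = {"trailList": [
    SAMPLE_US_EAST_1["trailList"][1],  # shadow copy of app-trail
    {"Name": "legacy-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/legacy-trail",
     "IsOrganizationTrail": False,
     "S3BucketName": "legacy-logs"},  # LogFileValidationEnabled absent: not a pass
]}


def noncompliant_trails(responses: Iterable[Dict]) -> List[Dict]:
    """One finding per trail whose LogFileValidationEnabled is not exactly True.

    A missing key counts as disabled, and a trail listed in several Regions
    (multi-Region trail plus its shadow copies) is reported once.
    """
    seen, findings = set(), []
    for response in responses:
        for trail in response.get("trailList", []):
            arn = trail["TrailARN"]
            if arn in seen or trail.get("LogFileValidationEnabled") is True:
                continue
            seen.add(arn)
            findings.append({"TrailARN": arn, "HomeRegion": trail["HomeRegion"],
                             "IsOrganizationTrail": trail.get("IsOrganizationTrail", False)})
    return findings


def remediation_commands(findings: List[Dict]) -> List[str]:
    """CLI equivalent of the fix; update-trail only succeeds in the trail's home Region."""
    return [f"aws cloudtrail update-trail --region {f['HomeRegion']} "
            f"--name {f['TrailARN']} --enable-log-file-validation" for f in findings]


def audit_regions(session, regions: Iterable[str]) -> List[Dict]:
    """Live audit: `session` is a boto3.Session; one DescribeTrails call per Region."""
    responses = [session.client("cloudtrail", region_name=region)
                 .describe_trails(includeShadowTrails=True) for region in regions]
    return noncompliant_trails(responses)


def remediate(session, findings: List[Dict], include_org_trails: bool = False) -> List[str]:
    """Enable validation on each finding from its home Region.

    Organization trails can only be updated from the organization's management
    account (or a delegated administrator), so they are skipped unless asked for.
    """
    fixed = []
    for finding in findings:
        if finding["IsOrganizationTrail"] and not include_org_trails:
            continue
        session.client("cloudtrail", region_name=finding["HomeRegion"]).update_trail(
            Name=finding["TrailARN"], EnableLogFileValidation=True)
        fixed.append(finding["TrailARN"])
    return fixed


if __name__ == "__main__":
    import boto3  # imported here so the offline functions above need no AWS SDK

    session = boto3.Session()
    found = audit_regions(session, ["us-east-1", "eu-west-1"])
    print("\n".join(remediation_commands(found)) or "all trails have log file validation enabled")
```

Run it from the account that owns the trails; for an organization trail, run it from the management account with include_org_trails=True, because a member account cannot change that trail.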

Note: periodic validation of logs using these digests can be performed by running the following command:

... see more
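What the digests make possible, as an added example that is not the page's own code and not AWS's validator: a stdlib-only Python check that re-derives the SHA-256 of each log file named in a digest's logFiles list and compares it with the recorded hashValue, then walks one step back along previousDigestS3Object/previousDigestHashValue. Field names follow CloudTrail's documented digest structure; the bucket is an in-memory dict of gzipped objects and every log and digest body is constructed for the example. The SHA256withRSA signature that binds each digest to CloudTrail's key (the AWS CLI verifies it against the keys from list-public-keys) is deliberately not re-implemented, so read this as an illustration of how a modified log file, a deleted log file and a deleted digest surface, not as a substitute for the CLI validation.

```python
"""Offline re-check of a CloudTrail digest against the log files it vouches for.

Recomputes SHA-256 of each log file in logFiles and compares with hashValue, then
follows previousDigestS3Object/previousDigestHashValue one step back. The
SHA256withRSA signature over the digest is not verified here.
"""
import gzip
import hashlib
import json
from typing import Dict, Optional, Tuple

ACCOUNT = "123456789012"         # constructed
BUCKET = "example-trail-bucket"  # constructed
PREFIX = f"AWSLogs/{ACCOUNT}"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def read_gz(store: Dict[str, bytes], key: str) -> Optional[bytes]:
    """Fetch and gunzip an object (CloudTrail delivers logs and digests gzipped); None if gone."""
    obj = store.get(key)
    return None if obj is None else gzip.decompress(obj)

def make_digest(key: str, start: str, end: str, prev_key: Optional[str] = None,
                prev_body: Optional[bytes] = None, log_files=()) -> Dict:
    """Digest document with the fields CloudTrail writes; the signature is a placeholder."""
    return {"awsAccountId": ACCOUNT, "digestStartTime": start, "digestEndTime": end,
            "digestS3Bucket": BUCKET, "digestS3Object": key,
            "digestSignatureAlgorithm": "SHA256withRSA",
            "previousDigestS3Bucket": BUCKET if prev_key else None,
            "previousDigestS3Object": prev_key,
            "previousDigestHashValue": sha256_hex(prev_body) if prev_body else None,
            "previousDigestSignature": "00" * 256 if prev_key else None,
            "logFiles": list(log_files)}

def build_sample_store() -> Tuple[Dict[str, bytes], str]:
    """Fake bucket: one log file and two chained hourly digests. Returns (store, newest digest key)."""
    store: Dict[str, bytes] = {}
    log_key = f"{PREFIX}/CloudTrail/us-east-1/2024/01/01/{ACCOUNT}_CloudTrail_us-east-1_20240101T0100Z_aaaa.json.gz"
    log_body = json.dumps({"Records": [{"eventSource": "cloudtrail.amazonaws.com",
                                        "eventName": "UpdateTrail"}]}).encode()
    store[log_key] = gzip.compress(log_body)

    digest_prefix = f"{PREFIX}/CloudTrail-Digest/us-east-1/2024/01/01/{ACCOUNT}_CloudTrail-Digest_us-east-1_"
    first_key = digest_prefix + "20240101T000000Z.json.gz"
    first_body = json.dumps(make_digest(first_key, "2023-12-31T23:00:00Z", "2024-01-01T00:00:00Z")).encode()
    store[first_key] = gzip.compress(first_body)

    second_key = digest_prefix + "20240101T010000Z.json.gz"
    entry = {"s3Bucket": BUCKET, "s3Object": log_key, "hashAlgorithm": "SHA-256",
             "hashValue": sha256_hex(log_body),  # hash of the *uncompressed* log content
             "oldestEventTime": "2024-01-01T00:05:00Z", "newestEventTime": "2024-01-01T00:55:00Z"}
    second = make_digest(second_key, "2024-01-01T00:00:00Z", "2024-01-01T01:00:00Z",
                         first_key, first_body, [entry])
    store[second_key] = gzip.compress(json.dumps(second).encode())
    return store, second_key

def check_digest(store: Dict[str, bytes], digest_key: str) -> Dict:
    """Per-log verdict ('unchanged' / 'modified' / 'deleted') plus a verdict on the previous digest."""
    body = read_gz(store, digest_key)
    if body is None:
        return {"status": "digest deleted", "logs": {}, "chain": "unknown"}
    digest = json.loads(body)
    logs = {}
    for entry in digest["logFiles"]:
        content = read_gz(store, entry["s3Object"])
        if content is None:
            logs[entry["s3Object"]] = "deleted"
        elif entry["hashAlgorithm"] != "SHA-256":
            logs[entry["s3Object"]] = "unsupported hash algorithm"
        elif sha256_hex(content) != entry["hashValue"]:
            logs[entry["s3Object"]] = "modified"
        else:
            logs[entry["s3Object"]] = "unchanged"
    prev_key = digest["previousDigestS3Object"]
    if prev_key is None:
        chain = "first digest"
    else:
        prev = read_gz(store, prev_key)
        if prev is None:
            chain = "previous digest deleted"
        elif sha256_hex(prev) != digest["previousDigestHashValue"]:
            chain = "previous digest modified"
        else:
            chain = "ok"
    clean = chain in ("ok", "first digest") and all(v == "unchanged" for v in logs.values())
    return {"status": "ok" if clean else "tampered", "logs": logs, "chain": chain}

def demo() -> Dict[str, Dict]:
    """Run the check on an intact copy, a copy with a scrubbed log, and a copy with deletions."""
    store, latest = build_sample_store()
    digest = json.loads(read_gz(store, latest))
    log_key, prev_key = digest["logFiles"][0]["s3Object"], digest["previousDigestS3Object"]
    modified = dict(store)
    modified[log_key] = gzip.compress(b'{"Records": []}')  # attacker rewrote the log in place
    deleted = dict(store)
    del deleted[log_key], deleted[prev_key]                # attacker removed log and older digest
    return {"clean": check_digest(store, latest),
            "modified": check_digest(modified, latest),
            "deleted": check_digest(deleted, latest)}
```

The chain step is what makes deletion visible: a digest that is itself removed leaves the next digest pointing at a missing object, and a digest rewritten to cover for an altered log no longer matches the previousDigestHashValue stored in its successor. Without the signature check an attacker who can rewrite every later digest in the bucket could still forge a consistent chain, which is exactly why CloudTrail signs each digest and why the bucket policy must not let the same principal both write logs and delete digests.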

policy.yaml

Linked Framework Sections

Section → Sub Section | Internal Rules, Policies, Flags | Compliance
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity; | 1922 | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudTrail.4] CloudTrail log file validation should be enabled | 11 | no data
💼 CIS AWS v1.2.0 → 💼 2.2 Ensure CloudTrail log file validation is enabled | 11 | no data
💼 CIS AWS v1.3.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled | 11 | no data
💼 CIS AWS v1.4.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled | 11 | no data
💼 CIS AWS v1.5.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled - Level 2 (Automated) | 11 | no data
💼 CIS AWS v2.0.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled - Level 2 (Automated) | 11 | no data
💼 CIS AWS v3.0.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled - Level 2 (Automated) | 11 | no data
💼 CIS AWS v4.0.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled (Automated) | 1 | no data
💼 CIS AWS v4.0.1 → 💼 3.2 Ensure CloudTrail log file validation is enabled (Automated) | 1 | no data
💼 CIS AWS v5.0.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled (Automated) | 1 | no data
💼 CIS AWS v6.0.0 → 💼 4.2 Ensure CloudTrail log file validation is enabled (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration | 60 | no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 3767 | no data
💼 FedRAMP High Security Controls → 💼 AU-6(1) Automated Process Integration (M)(H) | 3 | no data
💼 FedRAMP High Security Controls → 💼 AU-7(1) Automatic Processing (M)(H) | 1 | no data
💼 FedRAMP High Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H) | 3810 | no data
💼 FedRAMP High Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H) | 1618 | no data
💼 FedRAMP High Security Controls → 💼 CM-5(1) Automated Access Enforcement and Audit Records (M)(H) | 78 | no data
💼 FedRAMP High Security Controls → 💼 CP-9 System Backup (L)(M)(H) | 548 | no data
💼 FedRAMP High Security Controls → 💼 SI-4 System Monitoring (L)(M)(H) | 145056 | no data
💼 FedRAMP High Security Controls → 💼 SI-4(4) Inbound and Outbound Communications Traffic (M)(H) | 68 | no data
💼 FedRAMP High Security Controls → 💼 SI-7(1) Integrity Checks (M)(H) | 1 | no data
💼 FedRAMP High Security Controls → 💼 SI-7(7) Integration of Detection and Response (M)(H) | 1 | no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 67 | no data
💼 FedRAMP Low Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H) | 10 | no data
💼 FedRAMP Low Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H) | 18 | no data
💼 FedRAMP Low Security Controls → 💼 CP-9 System Backup (L)(M)(H) | 7 | no data
💼 FedRAMP Low Security Controls → 💼 SI-4 System Monitoring (L)(M)(H) | 8 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 67 | no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6(1) Automated Process Integration (M)(H) | 3 | no data
💼 FedRAMP Moderate Security Controls → 💼 AU-7(1) Automatic Processing (M)(H) | 1 | no data
💼 FedRAMP Moderate Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H) | 110 | no data
💼 FedRAMP Moderate Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H) | 18 | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-5(1) Automated Access Enforcement and Audit Records (M)(H) | 8 | no data
💼 FedRAMP Moderate Security Controls → 💼 CP-9 System Backup (L)(M)(H) | 28 | no data
💼 FedRAMP Moderate Security Controls → 💼 SI-4 System Monitoring (L)(M)(H) | 79 | no data
💼 FedRAMP Moderate Security Controls → 💼 SI-4(4) Inbound and Outbound Communications Traffic (M)(H) | 8 | no data
💼 FedRAMP Moderate Security Controls → 💼 SI-7(1) Integrity Checks (M)(H) | 1 | no data
💼 FedRAMP Moderate Security Controls → 💼 SI-7(7) Integration of Detection and Response (M)(H) | 1 | no data
💼 GDPR → 💼 Art. 25 Data protection by design and by default | 1010 | no data
💼 GDPR → 💼 Art. 32 Security of processing | 55 | no data
💼 ISO/IEC 27001:2013 → 💼 A.12.4.2 Protection of log information | 12 | no data
💼 ISO/IEC 27001:2013 → 💼 A.12.4.3 Administrator and operator logs | 78 | no data
💼 ISO/IEC 27001:2013 → 💼 A.18.1.3 Protection of records | 13 | no data
💼 ISO/IEC 27001:2022 → 💼 5.25 Assessment and decision on information security events | 13 | no data
💼 NIST CSF v1.1 → 💼 DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed | 1014 | no data
💼 NIST CSF v1.1 → 💼 DE.AE-2: Detected events are analyzed to understand attack targets and methods | 1823 | no data
💼 NIST CSF v1.1 → 💼 DE.AE-3: Event data are collected and correlated from multiple sources and sensors | 1837 | no data
💼 NIST CSF v1.1 → 💼 DE.AE-4: Impact of events is determined | 1313 | no data
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events | 1841 | no data
💼 NIST CSF v1.1 → 💼 DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events | 2026 | no data
💼 NIST CSF v1.1 → 💼 DE.CM-5: Unauthorized mobile code is detected | 1111 | no data
💼 NIST CSF v1.1 → 💼 DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events | 66 | no data
💼 NIST CSF v1.1 → 💼 DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed | 1823 | no data
💼 NIST CSF v1.1 → 💼 DE.DP-2: Detection activities comply with all applicable requirements | 66 | no data
💼 NIST CSF v1.1 → 💼 DE.DP-3: Detection processes are tested | 1313 | no data
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated | 2932 | no data
💼 NIST CSF v1.1 → 💼 DE.DP-5: Detection processes are continuously improved | 1315 | no data
💼 NIST CSF v1.1 → 💼 ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | 13 | no data
💼 NIST CSF v1.1 → 💼 ID.RA-1: Asset vulnerabilities are identified and documented | 1315 | no data
💼 NIST CSF v1.1 → 💼 PR.IP-4: Backups of information are conducted, maintained, and tested | 47 | no data
💼 NIST CSF v1.1 → 💼 PR.IP-8: Effectiveness of protection technologies is shared | 66 | no data
💼 NIST CSF v1.1 → 💼 PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | 1632 | no data
💼 NIST CSF v1.1 → 💼 RS.AN-1: Notifications from detection systems are investigated | 1823 | no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities | 33 | no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources | 48 | no data
💼 NIST CSF v2.0 → 💼 DE.AE-04: The estimated impact and scope of adverse events are understood | 13 | no data
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools | 32 | no data
💼 NIST CSF v2.0 → 💼 DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis | 37 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events | 120 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events | 83 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events | 33 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 139 | no data
💼 NIST CSF v2.0 → 💼 GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed | 6 | no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained | 48 | no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations | 25 | no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | 38 | no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities | 39 | no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded | 29 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 118 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 98 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 112 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested | 9 | no data
💼 NIST CSF v2.0 → 💼 RS.MA-02: Incident reports are triaged and validated | 24 | no data
💼 NIST SP 800-53 Revision 4 → 💼 AU-10 NON-REPUDIATION | 511 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(1) Audit Record Review, Analysis, and Reporting _ Automated Process Integration | 13 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-7(1) Audit Record Reduction and Report Generation _ Automatic Processing | 11 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-9 Protection of Audit Information | 724 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4 System Monitoring | 25110 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(1) Software, Firmware, and Information Integrity _ Integrity Checks | 1 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(3) Software, Firmware, and Information Integrity _ Centrally Managed Integrity Tools | 1 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(7) Software, Firmware, and Information Integrity _ Integration of Detection and Response | 1 | no data
💼 PCI DSS v3.2.1 → 💼 10.5 Secure audit trails so they cannot be altered. | 515 | no data
💼 PCI DSS v3.2.1 → 💼 10.5.2 Protect audit trail files from unauthorized modifications. | 14 | no data
💼 PCI DSS v3.2.1 → 💼 10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts. | 12 | no data
💼 PCI DSS v4.0.1 → 💼 10.3.2 Audit log files are protected to prevent modifications by individuals. | 4 | no data
💼 PCI DSS v4.0.1 → 💼 10.3.4 File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts. | 2 | no data
💼 PCI DSS v4.0 → 💼 10.3.2 Audit log files are protected to prevent modifications by individuals. | 24 | no data
💼 PCI DSS v4.0 → 💼 10.3.4 File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts. | 22 | no data
💼 SOC 2 → 💼 CC4.2-3 Monitors Corrective Action | 66 | no data
💼 SOC 2 → 💼 CC5.2-3 Establishes Relevant Security Management Process Controls Activities | 1535 | no data
💼 SOC 2 → 💼 CC7.1-2 Monitors Infrastructure and Software | 811 | no data