
πŸ“ AWS CloudTrail Log File Validation is not enabled 🟒

  • Contextual name: 📁 Log File Validation is not enabled 🟢
  • ID: /ce/ca/aws/cloudtrail/log-file-validation
  • Located in: 📁 AWS CloudTrail

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY
    • RELIABILITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-b1e1a4941

Logic

Description

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.
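As an added illustration of the check those digests make possible (not code from this page, from CIS, or from AWS's own validation tooling), the following Python example builds a constructed digest for three delivered log files, then re-hashes what is now in the bucket and classifies each file as unchanged, changed or deleted. It assumes that hashValue is SHA-256 over the uncompressed log content and uses made-up account, bucket and object names; it does not verify the digest's own signature, which a full validation must also do.

```python
import gzip
import hashlib

# Constructed names: not a real account, bucket or object key.
ACCOUNT, BUCKET = "111122223333", "example-trail-bucket"
PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/05/01/{ACCOUNT}_CloudTrail_us-east-1_"
INTACT_KEY, CHANGED_KEY, DELETED_KEY = (PREFIX + s for s in (
    "20240501T0000Z_a.json.gz", "20240501T0005Z_b.json.gz", "20240501T0010Z_c.json.gz"))

def digest_entry(key: str, log_body: bytes) -> dict:
    """One logFiles entry as a digest records it at delivery time.
    Assumption: hashValue is SHA-256 over the uncompressed log content."""
    return {"s3Bucket": BUCKET, "s3Object": key, "hashAlgorithm": "SHA-256",
            "hashValue": hashlib.sha256(log_body).hexdigest()}

def check_log_files(digest: dict, fetch) -> dict:
    """Classify every log file the digest covers as unchanged, changed or deleted.
    fetch(bucket, key) returns the gzipped object bytes now in S3, or None if it is gone."""
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if entry.get("hashAlgorithm") != "SHA-256":
            results[key] = "unsupported-hash-algorithm"  # never pass a hash you cannot recompute
            continue
        blob = fetch(entry["s3Bucket"], key)
        if blob is None:
            results[key] = "deleted"
        elif hashlib.sha256(gzip.decompress(blob)).hexdigest() == entry["hashValue"]:
            results[key] = "unchanged"
        else:
            results[key] = "changed"
    return results

def build_scenario():
    """Constructed scenario: three logs delivered and digested, then one edited and one removed."""
    logs = {INTACT_KEY: b'{"Records":[{"eventName":"ConsoleLogin"}]}',
            CHANGED_KEY: b'{"Records":[{"eventName":"DeleteTrail"}]}',
            DELETED_KEY: b'{"Records":[{"eventName":"StopLogging"}]}'}
    digest = {"awsAccountId": ACCOUNT, "digestS3Bucket": BUCKET,
              "logFiles": [digest_entry(k, v) for k, v in logs.items()]}
    bucket_now = {k: gzip.compress(v) for k, v in logs.items()}
    bucket_now[CHANGED_KEY] = gzip.compress(b'{"Records":[]}')  # the DeleteTrail record was stripped
    del bucket_now[DELETED_KEY]                                  # the whole object was removed
    return digest, bucket_now

def run_demo() -> dict:
    """Expected: INTACT_KEY unchanged, CHANGED_KEY changed, DELETED_KEY deleted."""
    digest, bucket_now = build_scenario()
    return check_log_files(digest, lambda bucket, key: bucket_now.get(key))
```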

Rationale

Enabling log file validation will provide additional integrity checking of CloudTrail logs.

Audit

Perform the following on each trail to determine if log file validation is enabled:

From Console

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.
  2. Click on Trails in the left navigation pane.
  3. For every trail:
    • Click on the trail via the link in the Name column.
    • Under the General details section, ensure Log file validation is set to Enabled.

From Command Line

List all trails:

aws cloudtrail describe-trails

Ensure LogFileValidationEnabled is set to true for each trail.

Default Value

Remediation

Perform one of the following to enable log file validation on a given trail:

Using AWS CloudFormation

  • CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enables log file validation on an existing CloudTrail trail.

Parameters:
  TrailName:
    Type: String
    Description: Name of the existing CloudTrail trail
  S3BucketName:
    Type: String
    Description: S3 bucket the trail delivers its log files to

Resources:
  # IsLogging and S3BucketName are required properties of AWS::CloudTrail::Trail.
  # For a trail that already exists, import it into the stack rather than creating a second one.
  EnableLogFileValidation:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: !Ref TrailName
      S3BucketName: !Ref S3BucketName
      IsLogging: true
      EnableLogFileValidation: true

From Console

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.
  2. Click on Trails in the left navigation pane.
  3. Click on the target trail.
  4. Within the General details section, click Edit.
  5. Go to the Advanced settings section.
  6. Check the Enabled box under Log file validation.
  7. Click Save changes.

From Command Line

Enable log file validation on a trail:

aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation
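To run the audit above across many trails and generate the matching remediation, here is an added Python example (not from this page, CIS or AWS) that takes describe-trails output, reports every trail whose LogFileValidationEnabled is not true, and emits the update-trail command for each. The sample describe-trails output is constructed, and it assumes update-trail is issued in each trail's home region with the trail ARN passed as --name.

```python
import json

# Constructed describe-trails output (example account id and ARNs, not real ones). A multi-region
# trail is listed by describe-trails in every region, so the same ARN appears more than once when
# the outputs from several regions are concatenated; app-trail below is duplicated on purpose.
DESCRIBE_TRAILS_OUTPUT = json.dumps({"TrailList": [
    {"Name": "org-trail", "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
    {"Name": "app-trail", "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/app-trail",
     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": True, "LogFileValidationEnabled": False},
    {"Name": "app-trail", "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/app-trail",
     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": True, "LogFileValidationEnabled": False},
    {"Name": "legacy", "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": False},
]})

def noncompliant_trails(*describe_trails_outputs: str) -> list:
    """Trails whose LogFileValidationEnabled is not exactly true, deduplicated by ARN.
    A missing key counts as non-compliant: absence of evidence is a finding, not a pass."""
    by_arn = {}
    for output in describe_trails_outputs:
        for trail in json.loads(output).get("TrailList", []):
            if trail.get("LogFileValidationEnabled") is not True:
                by_arn.setdefault(trail["TrailARN"], trail)
    return list(by_arn.values())

def remediation_commands(trails: list) -> list:
    """update-trail has to be issued in the trail's home region, so --region is set explicitly,
    and the ARN is used as --name so same-named trails in different regions cannot be confused."""
    return [f"aws cloudtrail update-trail --region {t['HomeRegion']} "
            f"--name {t['TrailARN']} --enable-log-file-validation" for t in trails]

def audit_demo() -> list:
    """Expected: two commands, one for app-trail (eu-west-1) and one for legacy (us-east-1)."""
    return remediation_commands(noncompliant_trails(DESCRIBE_TRAILS_OUTPUT))
```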

Note: periodic validation of logs using these digests can be performed by running the following command:


policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;1922
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudTrail.4] CloudTrail log file validation should be enabled11
💼 CIS AWS v1.2.0 → 💼 2.2 Ensure CloudTrail log file validation is enabled11
💼 CIS AWS v1.3.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled11
💼 CIS AWS v1.4.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled11
💼 CIS AWS v1.5.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled - Level 2 (Automated)11
💼 CIS AWS v2.0.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled - Level 2 (Automated)11
💼 CIS AWS v3.0.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled - Level 2 (Automated)11
💼 CIS AWS v4.0.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled (Automated)1
💼 CIS AWS v4.0.1 → 💼 3.2 Ensure CloudTrail log file validation is enabled (Automated)1
💼 CIS AWS v5.0.0 → 💼 3.2 Ensure CloudTrail log file validation is enabled (Automated)1
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration59
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)3764
💼 FedRAMP High Security Controls → 💼 AU-6(1) Automated Process Integration (M)(H)1
💼 FedRAMP High Security Controls → 💼 AU-7(1) Automatic Processing (M)(H)1
💼 FedRAMP High Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)3810
💼 FedRAMP High Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H)1618
💼 FedRAMP High Security Controls → 💼 CM-5(1) Automated Access Enforcement and Audit Records (M)(H)78
💼 FedRAMP High Security Controls → 💼 CP-9 System Backup (L)(M)(H)548
💼 FedRAMP High Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)145054
💼 FedRAMP High Security Controls → 💼 SI-4(4) Inbound and Outbound Communications Traffic (M)(H)67
💼 FedRAMP High Security Controls → 💼 SI-7(1) Integrity Checks (M)(H)1
💼 FedRAMP High Security Controls → 💼 SI-7(7) Integration of Detection and Response (M)(H)1
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)64
💼 FedRAMP Low Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)10
💼 FedRAMP Low Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H)18
💼 FedRAMP Low Security Controls → 💼 CP-9 System Backup (L)(M)(H)7
💼 FedRAMP Low Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)7
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)64
💼 FedRAMP Moderate Security Controls → 💼 AU-6(1) Automated Process Integration (M)(H)1
💼 FedRAMP Moderate Security Controls → 💼 AU-7(1) Automatic Processing (M)(H)1
💼 FedRAMP Moderate Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)110
💼 FedRAMP Moderate Security Controls → 💼 AU-11 Audit Record Retention (L)(M)(H)18
💼 FedRAMP Moderate Security Controls → 💼 CM-5(1) Automated Access Enforcement and Audit Records (M)(H)8
💼 FedRAMP Moderate Security Controls → 💼 CP-9 System Backup (L)(M)(H)28
💼 FedRAMP Moderate Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)78
💼 FedRAMP Moderate Security Controls → 💼 SI-4(4) Inbound and Outbound Communications Traffic (M)(H)7
💼 FedRAMP Moderate Security Controls → 💼 SI-7(1) Integrity Checks (M)(H)1
💼 FedRAMP Moderate Security Controls → 💼 SI-7(7) Integration of Detection and Response (M)(H)1
💼 GDPR → 💼 Art. 25 Data protection by design and by default1010
💼 GDPR → 💼 Art. 32 Security of processing55
💼 ISO/IEC 27001:2013 → 💼 A.12.4.2 Protection of log information12
💼 ISO/IEC 27001:2013 → 💼 A.12.4.3 Administrator and operator logs78
💼 ISO/IEC 27001:2013 → 💼 A.18.1.3 Protection of records13
💼 ISO/IEC 27001:2022 → 💼 5.25 Assessment and decision on information security events13
💼 NIST CSF v1.1 → 💼 DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed1014
💼 NIST CSF v1.1 → 💼 DE.AE-2: Detected events are analyzed to understand attack targets and methods1823
💼 NIST CSF v1.1 → 💼 DE.AE-3: Event data are collected and correlated from multiple sources and sensors1837
💼 NIST CSF v1.1 → 💼 DE.AE-4: Impact of events is determined1313
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events1841
💼 NIST CSF v1.1 → 💼 DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events2026
💼 NIST CSF v1.1 → 💼 DE.CM-5: Unauthorized mobile code is detected1111
💼 NIST CSF v1.1 → 💼 DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events66
💼 NIST CSF v1.1 → 💼 DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed1823
💼 NIST CSF v1.1 → 💼 DE.DP-2: Detection activities comply with all applicable requirements66
💼 NIST CSF v1.1 → 💼 DE.DP-3: Detection processes are tested1313
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated2932
💼 NIST CSF v1.1 → 💼 DE.DP-5: Detection processes are continuously improved1315
💼 NIST CSF v1.1 → 💼 ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed13
💼 NIST CSF v1.1 → 💼 ID.RA-1: Asset vulnerabilities are identified and documented1315
💼 NIST CSF v1.1 → 💼 PR.IP-4: Backups of information are conducted, maintained, and tested47
💼 NIST CSF v1.1 → 💼 PR.IP-8: Effectiveness of protection technologies is shared66
💼 NIST CSF v1.1 → 💼 PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy1632
💼 NIST CSF v1.1 → 💼 RS.AN-1: Notifications from detection systems are investigated1823
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities31
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources46
💼 NIST CSF v2.0 → 💼 DE.AE-04: The estimated impact and scope of adverse events are understood13
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools32
💼 NIST CSF v2.0 → 💼 DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis37
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events115
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events81
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events31
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events134
💼 NIST CSF v2.0 → 💼 GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed6
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained45
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations20
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties33
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities34
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded26
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected114
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected94
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected108
💼 NIST CSF v2.0 → 💼 PR.DS-11: Backups of data are created, protected, maintained, and tested9
💼 NIST CSF v2.0 → 💼 RS.MA-02: Incident reports are triaged and validated24
💼 NIST SP 800-53 Revision 4 → 💼 AU-10 NON-REPUDIATION511
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(1) Audit Record Review, Analysis, and Reporting _ Automated Process Integration11
💼 NIST SP 800-53 Revision 5 → 💼 AU-7(1) Audit Record Reduction and Report Generation _ Automatic Processing11
💼 NIST SP 800-53 Revision 5 → 💼 AU-9 Protection of Audit Information724
💼 NIST SP 800-53 Revision 5 → 💼 SI-4 System Monitoring2518
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(1) Software, Firmware, and Information Integrity _ Integrity Checks1
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(3) Software, Firmware, and Information Integrity _ Centrally Managed Integrity Tools1
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(7) Software, Firmware, and Information Integrity _ Integration of Detection and Response1
💼 PCI DSS v3.2.1 → 💼 10.5 Secure audit trails so they cannot be altered.515
💼 PCI DSS v3.2.1 → 💼 10.5.2 Protect audit trail files from unauthorized modifications.14
💼 PCI DSS v3.2.1 → 💼 10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts.12
💼 PCI DSS v4.0.1 → 💼 10.3.2 Audit log files are protected to prevent modifications by individuals.4
💼 PCI DSS v4.0.1 → 💼 10.3.4 File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts.2
💼 PCI DSS v4.0 → 💼 10.3.2 Audit log files are protected to prevent modifications by individuals.24
💼 PCI DSS v4.0 → 💼 10.3.4 File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts.22
💼 SOC 2 → 💼 CC4.2-3 Monitors Corrective Action66
💼 SOC 2 → 💼 CC5.2-3 Establishes Relevant Security Management Process Controls Activities1535
💼 SOC 2 → 💼 CC7.1-2 Monitors Infrastructure and Software811