Ensure CloudTrail Log File Validation Rule
This rule ensures enabling CloudTrail log file validation.
| Rule | Ensure CloudTrail log file validation is enabled. |
| Framework | cis_v130 |
| Severity | ✔ Medium |
Ensure CloudTrail Log File Validation is Enabled (CIS Benchmark v1.3.0)
Rule Description
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Log file validation is a feature in CloudTrail that allows you to automatically verify the integrity of the log files delivered to your Amazon S3 bucket. With log file validation enabled, you can be alerted to any unauthorized tampering of your log files, which increases the overall security and reliability of your logging data.
Troubleshooting Steps
If log file validation is not enabled for a CloudTrail, perform the following troubleshooting steps:
- 1.
Check CloudTrail Settings:
- Access the AWS Management Console.
- Navigate to the CloudTrail dashboard.
- Select the trail you want to verify.
- Look for the configuration called 'File log validation' and make sure it is set to 'Yes'.
- 2.
Verify with AWS CLI:
- Use the AWS CLI to describe the trails and check if log file validation is enabled using the following command:
aws cloudtrail describe-trails --query 'trailList[*].{Name:Name,LogFileValidationEnabled:LogFileValidationEnabled}' - Look for the property
and check if it is set toLogFileValidationEnabled
.true
Remediation Steps
Here is how you can ensure log file validation is enabled using both the AWS Management Console and AWS CLI:
Using AWS Management Console
- 1.Sign in to the AWS Management Console.
- 2.Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.
- 3.Choose the trail you want to modify.
- 4.Under 'General details', click on 'Pen icon/Edit'.
- 5.Scroll down to the 'Advanced settings' section.
- 6.Find the 'Enable log file validation' option and check the box.
- 7.Click on 'Save'.
Using AWS CLI
- 1.
To enable logfile validation for an existing CloudTrail, use the following command:
aws cloudtrail update-trail --name <YourTrailName> --enable-log-file-validationReplace
with the name of your CloudTrail.<YourTrailName> - 2.
To create a new CloudTrail with log file validation enabled, use the following command:
aws cloudtrail create-trail --name <NewTrailName> --s3-bucket-name <YourS3Bucket> --is-multi-region-trail --enable-log-file-validationReplace
with the desired name for the trail, and<NewTrailName>
with the name of your Amazon S3 bucket.<YourS3Bucket>
Necessary Codes
AWS CLI commands required for enabling CloudTrail log file validation:
Check CloudTrail log file validation status:
aws cloudtrail describe-trails --query 'trailList[*].{Name:Name,LogFileValidationEnabled:LogFileValidationEnabled}'Enable log file validation for an existing CloudTrail:
aws cloudtrail update-trail --name <YourTrailName> --enable-log-file-validationCreate a new CloudTrail with log file validation enabled:
aws cloudtrail create-trail --name <NewTrailName> --s3-bucket-name <YourS3Bucket> --is-multi-region-trail --enable-log-file-validation
By following these steps and leveraging the AWS CLI commands provided, you can ensure that CloudTrail log file validation is enabled on your AWS account, thus adhering to the best practices for security and compliance as recommended by the CIS Benchmark v1.3.0.