This rule checks that log file validation is enabled on every CloudTrail trail in the account.
Rule | Ensure CloudTrail log file validation is enabled. |
Framework | cis_v130 |
Severity | Medium |
Ensure CloudTrail Log File Validation is Enabled (CIS Benchmark v1.3.0)
Rule Description
AWS CloudTrail records API activity in your AWS account and is the primary data source for governance, compliance, and operational and risk auditing. Log file validation is a CloudTrail feature that lets you verify the integrity of the log files delivered to your Amazon S3 bucket: CloudTrail hashes each delivered log file with SHA-256, records the hashes in hourly digest files, signs each digest with an RSA key, and chains each digest to the previous one. With log file validation enabled you can determine whether a log file was modified, deleted, or left unchanged after CloudTrail delivered it. Validation is not an alert: it is performed on demand (for example with the AWS CLI's validate-logs command), and it covers only log files delivered after the feature was turned on. Because validation detects tampering rather than preventing it, the S3 bucket itself still needs to be protected against deletion and overwrite (restrictive bucket policy, MFA Delete or S3 Object Lock).
Troubleshooting Steps
If log file validation is not enabled for a trail, perform the following checks:
Check CloudTrail settings: in the CloudTrail console, open the trail's details page and confirm that Log file validation is shown as Enabled.
Verify with AWS CLI:
aws cloudtrail describe-trails --query 'trailList[*].{Name:Name,LogFileValidationEnabled:LogFileValidationEnabled}'
Inspect the LogFileValidationEnabled field for each trail and confirm that it is set to true. describe-trails returns the trails visible in the current region (multi-region trails created elsewhere are included as shadow trails), so repeat the check with --region for every region that has a single-region trail.
Remediation Steps
Here is how you can ensure log file validation is enabled using both the AWS Management Console and AWS CLI:
Using AWS Management Console
Open the CloudTrail console, choose Trails, select the trail, and choose Edit in the General details section. Under Additional settings, set Log file validation to Enabled and save the trail.
Using AWS CLI
To enable log file validation for an existing trail, use the following command:
aws cloudtrail update-trail --name <YourTrailName> --enable-log-file-validation
Replace <YourTrailName> with the name of your trail.
To create a new trail with log file validation enabled, use the following command:
aws cloudtrail create-trail --name <NewTrailName> --s3-bucket-name <YourS3Bucket> --is-multi-region-trail --enable-log-file-validation
Replace <NewTrailName> with the desired name for the trail and <YourS3Bucket> with the name of your Amazon S3 bucket. Note that create-trail only creates the trail; it does not record events until logging is started for it (start-logging).
Necessary Codes
AWS CLI commands required for enabling CloudTrail log file validation:
Check CloudTrail log file validation status:
aws cloudtrail describe-trails --query 'trailList[*].{Name:Name,LogFileValidationEnabled:LogFileValidationEnabled}'
Enable log file validation for an existing CloudTrail:
aws cloudtrail update-trail --name <YourTrailName> --enable-log-file-validation
Create a new CloudTrail with log file validation enabled:
aws cloudtrail create-trail --name <NewTrailName> --s3-bucket-name <YourS3Bucket> --is-multi-region-trail --enable-log-file-validation
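As an added, end-to-end example (not part of the CIS rule text or of any AWS-provided tooling), the script below ties the three commands above together: it audits every trail returned by describe-trails, enables log file validation where the flag is not true, and then runs validate-logs against the trail's digest chain so that the integrity check is actually exercised rather than only switched on. The trail names, account ID and ARNs in the embedded sample are constructed; with DRY_RUN=1 the aws calls are printed instead of executed, so the script can be run without credentials.

```sh
#!/bin/sh
# Added example: audit, remediate and verify CloudTrail log file validation.
# Set DRY_RUN=1 to print the AWS CLI calls instead of running them.

# Reads tab-separated "Name<TAB>TrailARN<TAB>LogFileValidationEnabled" lines
# (the shape produced by `aws ... --output text`) on stdin and prints the
# Name and ARN of every trail whose flag is not True.
noncompliant_trails() {
  awk -F'\t' '$3 != "True" { printf "%s\t%s\n", $1, $2 }'
}

# Runs an aws command, or echoes it when DRY_RUN=1.
run_aws() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "aws $*"
  else
    aws "$@"
  fi
}

# Enables validation on one trail, then validates the digest chain from the
# given start time. validate-logs can only check files delivered after the
# digest chain was started, so pass a start time at or after enablement.
remediate_trail() {
  name=$1; arn=$2; start=$3
  run_aws cloudtrail update-trail --name "$name" --enable-log-file-validation
  run_aws cloudtrail validate-logs --trail-arn "$arn" --start-time "$start"
}

# Audits all trails visible in the current region. If SAMPLE is set, its
# contents replace the describe-trails output so the logic can be run offline.
# $1 is the validate-logs start time (defaults to now, UTC).
audit_trails() {
  start=${1:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
  if [ -n "${SAMPLE:-}" ]; then
    input=$SAMPLE
  else
    input=$(aws cloudtrail describe-trails \
      --query 'trailList[*].[Name,TrailARN,LogFileValidationEnabled]' \
      --output text)
  fi
  printf '%s\n' "$input" | noncompliant_trails |
    while IFS="$(printf '\t')" read -r name arn; do
      remediate_trail "$name" "$arn" "$start"
    done
}

# Constructed sample of describe-trails text output: one compliant trail and
# one with validation disabled (account ID and names are made up).
SAMPLE_OUTPUT="$(printf 'mgmt-trail\tarn:aws:cloudtrail:us-east-1:123456789012:trail/mgmt-trail\tTrue\ndev-trail\tarn:aws:cloudtrail:us-east-1:123456789012:trail/dev-trail\tFalse')"

# Offline demonstration on the sample; for a real run drop SAMPLE and DRY_RUN:
#   audit_trails 2024-01-01T00:00:00Z
DRY_RUN=1 SAMPLE=$SAMPLE_OUTPUT audit_trails 2024-01-01T00:00:00Z
```

The dry run prints only the update-trail and validate-logs calls for dev-trail; mgmt-trail is already compliant and is left alone. Because describe-trails lists the trails of one region (plus shadow copies of multi-region trails), run the audit once per region if you have single-region trails, and keep the start time you pass to validate-logs at or after the moment validation was enabled, since earlier periods have no digests to check.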
By following these steps and leveraging the AWS CLI commands provided, you can ensure that CloudTrail log file validation is enabled on your AWS account, thus adhering to the best practices for security and compliance as recommended by the CIS Benchmark v1.3.0.