
CloudTrail Trail Log File Validation Rule

This rule ensures CloudTrail trail log file validation is enabled for compliance.

Rule: CloudTrail trail log file validation should be enabled
Framework: CISA-cyber-essentials
Severity: Critical

CloudTrail Log File Validation

Rule Description

AWS CloudTrail is a service that provides a record of actions taken by a user, role, or AWS service in an AWS environment. It is essential in ensuring that your AWS environment maintains a secure and compliant state as outlined in the CISA (Cybersecurity and Infrastructure Security Agency) Cyber Essentials.

Enabling log file validation in CloudTrail means that every log file written by CloudTrail is covered by a digitally signed digest file. The hashes and signature in that digest can be used to verify the integrity and authenticity of the log files, ensuring that they have not been modified or deleted after being delivered by CloudTrail.

This capability is paramount for security, as it assures that the activity records are kept intact and unchanged, providing a reliable tool for auditing, compliance, and forensic investigations.

Troubleshooting Steps

If you encounter issues when trying to enable log file validation for CloudTrail, follow these troubleshooting steps:

  1. Verify IAM permissions: Make sure your IAM user has the necessary permissions (cloudtrail:UpdateTrail) to configure CloudTrail settings.
  2. Check Trail Status: Ensure that the CloudTrail trail you want to update exists and is operational.
  3. Region Consistency: Confirm that you are operating in the correct AWS region where the trail is located.
  4. Use the correct CLI command or Console options: Double-check the AWS CLI command or make sure you are navigating the AWS Console correctly to enable log file validation.

Necessary Codes and CLI Commands

To enable log file validation for an existing trail using AWS CLI:

aws cloudtrail update-trail --name YourTrailName --enable-log-file-validation

Replace YourTrailName with the actual name of your trail.

Step by Step Guide for Remediation

  1. Open the AWS CLI: Launch your command line tool that has AWS CLI installed and configured with the necessary access credentials.

  2. Enable Log File Validation: Use the update-trail command with the --enable-log-file-validation parameter to enable log file validation for your selected trail:

     aws cloudtrail update-trail --name YourTrailName --enable-log-file-validation

     Upon success, this command will output the configuration of the trail, including the updated settings.

  3. Verify Changes: Verify that log file validation is enabled by describing the trails and checking the LogFileValidationEnabled flag:

     aws cloudtrail describe-trails --trail-name-list YourTrailName

     In the output JSON, check for "LogFileValidationEnabled": true to confirm it is enabled.

  4. Integrity Verification Check: After logs are delivered, you can verify the integrity of log files by using the validate-logs command, which can be installed separately as part of the CloudTrail Processing Library.

     aws cloudtrail validate-logs --trail-arn YourTrailARN --start-time YYYY-MM-DDTHH:MM:SSZ

     Replace YourTrailARN with the ARN of your trail and specify the start time for the period you want to validate.
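The two checks in the steps above, shown as an added offline example (not code from Cloud Defense or AWS): step 3's compliance check over saved describe-trails output, and step 4's integrity check done by re-hashing log objects against the hashValue entries of a CloudTrail digest file. The trail names, bucket/key names and log records are constructed placeholders; the digest field names follow the real digest format.

```python
"""Offline checks for the CloudTrail log file validation control.
1. noncompliant_trails: parse `aws cloudtrail describe-trails` output and
   list trails whose LogFileValidationEnabled flag is false or absent.
2. verify_log_files: re-hash delivered (gzipped) log objects against the
   SHA-256 hashValue entries in a digest file produced by log file validation.
All sample data below is constructed for this example."""
from __future__ import annotations
import gzip
import hashlib
import json

# Constructed stand-in for `aws cloudtrail describe-trails` output.
DESCRIBE_TRAILS_OUTPUT = json.dumps({"trailList": [
    {"Name": "audit-trail", "LogFileValidationEnabled": True},
    {"Name": "legacy-trail", "LogFileValidationEnabled": False},
    {"Name": "no-flag-trail"},  # flag missing: treated as not enabled
]})

def noncompliant_trails(describe_output: str) -> list[str]:
    """Return names of trails that fail the rule (flag false or absent)."""
    trails = json.loads(describe_output).get("trailList", [])
    return [t["Name"] for t in trails if not t.get("LogFileValidationEnabled", False)]

def make_log_object(records: list[dict]) -> bytes:
    """CloudTrail delivers gzipped JSON; the digest hashes the gzipped object."""
    return gzip.compress(json.dumps({"Records": records}).encode(), mtime=0)

def verify_log_files(digest: dict, objects: dict[str, bytes]) -> dict[str, str]:
    """Compare each digest entry's hashValue with the object actually stored.
    Returns {s3Object: 'ok' | 'MISMATCH' | 'MISSING'} so deletions show up too."""
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if key not in objects:
            results[key] = "MISSING"
            continue
        actual = hashlib.sha256(objects[key]).hexdigest()
        results[key] = "ok" if actual == entry["hashValue"] else "MISMATCH"
    return results

# Constructed log object plus the digest entry CloudTrail would write for it.
GOOD = make_log_object([{"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com"}])
KEY = "AWSLogs/111122223333/CloudTrail/us-east-1/example_file.json.gz"  # placeholder key
DIGEST = {"digestS3Bucket": "example-trail-bucket",
          "logFiles": [{"s3Bucket": "example-trail-bucket", "s3Object": KEY,
                        "hashAlgorithm": "SHA-256", "hashValue": hashlib.sha256(GOOD).hexdigest()}]}
TAMPERED = make_log_object([])  # the login record removed after delivery

if __name__ == "__main__":
    print("non-compliant trails:", noncompliant_trails(DESCRIBE_TRAILS_OUTPUT))
    print("intact object:", verify_log_files(DIGEST, {KEY: GOOD}))
    print("tampered object:", verify_log_files(DIGEST, {KEY: TAMPERED}))
```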

Conclusion

By ensuring CloudTrail log file validation is enabled, your AWS environment's security posture will be aligned with the CISA-cyber-essentials requirements, thus contributing to the overall integrity and trustworthiness of the logging mechanism. Ensure you periodically perform integrity checks on the logs and promptly investigate anomalies.
