
Rule: CloudTrail Trail Log File Validation Should Be Enabled

This rule ensures that CloudTrail trail log file validation is enabled for improved system and information integrity.

Rule: CloudTrail trail log file validation should be enabled
Framework: FedRAMP Moderate Revision 4
Severity: Critical

CloudTrail Trail Log File Validation for FedRAMP Moderate Revision 4

Overview of Rule

CloudTrail log file validation is a feature in AWS CloudTrail that creates a digitally signed digest file containing a hash of each log that CloudTrail writes to your S3 bucket. Enabling log file validation assists in demonstrating the integrity of your log files and ensuring that they haven't been tampered with. For organizations that need to comply with FedRAMP Moderate Revision 4, having CloudTrail log file validation enabled is essential for meeting audit and accountability controls.

Troubleshooting Steps

If you encounter issues with CloudTrail log file validation not working as expected, follow these steps:

Verify CloudTrail is Configured Correctly

Ensure that AWS CloudTrail is set up and that it's logging API calls in your AWS account.

Check Log File Validation Status

Use the AWS Management Console or AWS CLI commands to check whether log file validation is enabled for your trails.

Trail Configuration Errors

If you find a trail without log file validation, check the trail's configuration for errors that might be preventing the feature from being enabled.

Permissions Issues

Ensure that the IAM role or user has the necessary permissions to configure CloudTrail and enable log file validation.

Necessary CLI Commands

Check CloudTrail Log File Validation Status

aws cloudtrail describe-trails --query 'trailList[*].{Name:Name,LogFileValidationEnabled:LogFileValidationEnabled}'

Enable Log File Validation

If log file validation is not enabled, use the following command to enable it:

aws cloudtrail update-trail --name YourTrailName --enable-log-file-validation

Validate Log Files

After enabling log file validation, verify the integrity of the log files using:

aws cloudtrail validate-logs --trail-arn YourTrailArn --start-time YYYY-MM-DDTHH:MM:SSZ

Replace YourTrailName, YourTrailArn, and the start-time with the appropriate values for your trail and the time you want to start validation from.

Step-by-Step Guide for Remediation

  1. Check Log File Validation Status: Determine if log file validation is already enabled using the CLI command provided above.

  2. Enable Log File Validation: If it's not enabled, turn on log file validation using the update-trail command.

  3. Verify Configuration: After enabling, verify the configuration changes using the describe-trails command.

  4. Perform Log File Validation: Use validate-logs to check the integrity of your logs.

  5. Continuous Monitoring: Implement monitoring to alert you if log file validation is ever disabled, using AWS CloudWatch or similar tools.

  6. Documentation: Document the steps taken for enabling log file validation and the output of the log file validation process for audit purposes.
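The following script ties the CLI commands above and the remediation steps together. It is an added example, not Cloud Defense's code: the audit logic works on the trailList array that describe-trails returns (a constructed sample is embedded so it runs offline), the remediation and validation steps are built from the same update-trail and validate-logs commands the page lists and are only executed through the aws CLI when the file is run as a script, and the monitoring check assumes that CloudTrail records an UpdateTrail call with an enableLogFileValidation key under requestParameters (an assumption mirroring the API parameter name, to be verified against your own events).

```python
"""Audit CloudTrail trails for log file validation, remediate, and detect it being disabled.

Added example (not Cloud Defense's code). The AWS CLI is only invoked from
main(); the audit and detection functions are pure Python so they can be run
against constructed data without credentials.
"""
import json
import subprocess
from datetime import datetime, timezone


def find_unvalidated_trails(trail_list):
    """Return names of trails whose LogFileValidationEnabled is not true.

    trail_list is the trailList array from `aws cloudtrail describe-trails`.
    A missing key is treated as disabled: no flag means no signed digest files.
    """
    return sorted(
        t["Name"] for t in trail_list if not t.get("LogFileValidationEnabled", False)
    )


def remediation_commands(trail_names):
    """Build one `update-trail --enable-log-file-validation` command per trail."""
    return [
        ["aws", "cloudtrail", "update-trail", "--name", name, "--enable-log-file-validation"]
        for name in trail_names
    ]


def validate_command(trail_arn, start_time):
    """Build the `validate-logs` command; start_time must be a timezone-aware datetime."""
    stamp = start_time.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return ["aws", "cloudtrail", "validate-logs", "--trail-arn", trail_arn, "--start-time", stamp]


def disables_validation(event):
    """True if a CloudTrail event record is an UpdateTrail call that turns validation off.

    Assumption: requestParameters carries `enableLogFileValidation`, matching the
    API parameter name. Events that omit the key leave validation unchanged.
    """
    if event.get("eventSource") != "cloudtrail.amazonaws.com":
        return False
    if event.get("eventName") != "UpdateTrail":
        return False
    params = event.get("requestParameters") or {}
    return params.get("enableLogFileValidation") is False


# Constructed sample: same shape as describe-trails output, made-up account and names.
SAMPLE_TRAILS = [
    {"Name": "org-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail",
     "LogFileValidationEnabled": True},
    {"Name": "dev-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/dev-trail",
     "LogFileValidationEnabled": False},
    {"Name": "legacy-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/legacy-trail"},
]

# Constructed sample event: an UpdateTrail call that switched validation off.
SAMPLE_EVENT = {
    "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "UpdateTrail",
    "requestParameters": {"name": "dev-trail", "enableLogFileValidation": False},
}

# Constructed start time for the validation window.
SAMPLE_START = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)


def run_json(cmd):
    """Run an AWS CLI command with JSON output and return the parsed result."""
    out = subprocess.run(cmd + ["--output", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def main():
    trails = run_json(["aws", "cloudtrail", "describe-trails"])["trailList"]
    bad = find_unvalidated_trails(trails)                      # step 1: check status
    for cmd in remediation_commands(bad):
        print("enabling:", " ".join(cmd))
        run_json(cmd)                                           # step 2: enable
    after = run_json(["aws", "cloudtrail", "describe-trails"])["trailList"]
    still_bad = find_unvalidated_trails(after)                 # step 3: verify
    if still_bad:
        raise SystemExit(f"validation still disabled on: {still_bad}")
    for t in after:                                             # step 4: validate digests
        subprocess.run(validate_command(t["TrailARN"], SAMPLE_START), check=True)


if __name__ == "__main__":
    main()
```

For step 5, feed disables_validation() the CloudTrail management events you already ship to CloudWatch Logs or a SIEM; a single true result is the alert condition, and keeping the recheck in main() on a schedule covers trails created after the initial remediation.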

It’s crucial to ensure that all trails, especially those that monitor compliance-related and system-level actions, have log file validation enabled to maintain the integrity of your logs. This practice aligns with the audit and accountability controls required by FedRAMP. Remember to periodically validate the log files and to keep the validation enabled to meet continuous monitoring requirements.

By following these precise instructions and ensuring that all steps are documented and reviewed regularly, you can help maintain a strong security posture within your cloud environment and comply with FedRAMP Moderate Revision 4 standards.
