This rule ensures that CloudTrail trail log file validation is enabled for improved system and information integrity.
Rule: CloudTrail trail log file validation should be enabled
Framework: FedRAMP Moderate Revision 4
Severity: Critical
CloudTrail Trail Log File Validation for FedRAMP Moderate Revision 4
Overview of Rule
CloudTrail log file validation is a feature in AWS CloudTrail that creates a digitally signed digest file containing a hash of each log that CloudTrail writes to your S3 bucket. Enabling log file validation assists in demonstrating the integrity of your log files and ensuring that they haven't been tampered with. For organizations that need to comply with FedRAMP Moderate Revision 4, having CloudTrail log file validation enabled is essential for meeting audit and accountability controls.
Troubleshooting Steps
If you encounter issues with CloudTrail log file validation not working as expected, follow these steps:
Verify CloudTrail is Configured Correctly
Ensure that AWS CloudTrail is set up and that it's logging API calls in your AWS account.
Check Log File Validation Status
Use the AWS Management Console or AWS CLI commands to check whether log file validation is enabled for your trails.
Trail Configuration Errors
If you find a trail without log file validation, ensure that no errors are present in the trail's configuration which might be preventing the feature from being enabled.
Permissions Issues
Ensure that the IAM role or user has the necessary permissions to configure CloudTrail and enable log file validation.
Necessary CLI Commands
Check CloudTrail Log File Validation Status
aws cloudtrail describe-trails --query 'trailList[*].{Name:Name,LogFileValidationEnabled:LogFileValidationEnabled}'
Enable Log File Validation
If log file validation is not enabled, use the following command to enable it:
aws cloudtrail update-trail --name YourTrailName --enable-log-file-validation
Validate Log Files
After enabling log file validation, verify the integrity of the log files using:
aws cloudtrail validate-logs --trail-arn YourTrailArn --start-time YYYY-MM-DDTHH:MM:SSZ
Replace YourTrailName, YourTrailArn, and the start-time with the appropriate values for your trail and the time you want to start validation from.
Step-by-Step Guide for Remediation
Check Log File Validation Status: Determine if log file validation is already enabled using the CLI command provided above.
Enable Log File Validation: If it's not enabled, turn on log file validation using the update-trail command.
Verify Configuration: After enabling, verify the configuration changes using the describe-trails command.
Perform Log File Validation: Use validate-logs to check the integrity of your logs.
Continuous Monitoring: Implement monitoring to alert you if log file validation is ever disabled, using AWS CloudWatch or similar tools.
Documentation: Document the steps taken for enabling log file validation and the output of the log file validation process for audit purposes.
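As an added example (not part of this page or of any AWS tool), the Python below applies the status check and the continuous-monitoring step to constructed data: it parses the output shape of the describe-trails query above, lists the update-trail commands needed for non-compliant trails, and flags CloudTrail records in which an UpdateTrail call turned validation off. The record layout (requestParameters.enableLogFileValidation) and all trail names, ARNs and account IDs are assumptions made for the example.

```python
import json

# Constructed sample in the shape returned by the page's check command:
#   aws cloudtrail describe-trails --query 'trailList[*].{Name:Name,LogFileValidationEnabled:LogFileValidationEnabled}'
# Trail names and values are made up for this example.
DESCRIBE_TRAILS_OUTPUT = json.dumps([
    {"Name": "org-audit-trail", "LogFileValidationEnabled": True},
    {"Name": "dev-trail", "LogFileValidationEnabled": False},
    {"Name": "legacy-trail", "LogFileValidationEnabled": None},  # attribute absent -> null
])

# Constructed CloudTrail log records (not real logs). Assumes UpdateTrail records carry
# the API parameter enableLogFileValidation under requestParameters.
SAMPLE_RECORDS = {"Records": [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "dev-trail", "enableLogFileValidation": False}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ops"},
     "requestParameters": {"name": "org-audit-trail", "enableLogFileValidation": True}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "requestParameters": {"bucketName": "audit-logs"}},
]}

def noncompliant_trails(describe_trails_json):
    """Names of trails whose log file validation is not enabled.
    A missing or null flag is treated as not enabled, so the check fails closed."""
    trails = json.loads(describe_trails_json)
    return [t["Name"] for t in trails if t.get("LogFileValidationEnabled") is not True]

def remediation_commands(trail_names):
    """The page's update-trail command, one per non-compliant trail."""
    return [f"aws cloudtrail update-trail --name {name} --enable-log-file-validation"
            for name in trail_names]

def validation_disabled_events(log_file):
    """Continuous-monitoring check: (trail, actor) pairs for UpdateTrail calls
    that explicitly turned log file validation off."""
    hits = []
    for record in log_file.get("Records", []):
        if (record.get("eventSource") != "cloudtrail.amazonaws.com"
                or record.get("eventName") != "UpdateTrail"):
            continue
        params = record.get("requestParameters") or {}
        if params.get("enableLogFileValidation") is False:
            actor = (record.get("userIdentity") or {}).get("arn", "unknown")
            hits.append((params.get("name"), actor))
    return hits
```

In practice the first input is the JSON printed by the describe-trails command and the second is a delivered CloudTrail log file read from S3; feed `validation_disabled_events` into your alerting pipeline to cover the Continuous Monitoring step.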
It’s crucial to ensure that all trails, especially those that monitor compliance-related and system-level actions, have log file validation enabled to maintain the integrity of your logs. This practice aligns with the audit and accountability controls required by FedRAMP. Remember to periodically validate the log files and to keep the validation enabled to meet continuous monitoring requirements.
By following these precise instructions and ensuring that all steps are documented and reviewed regularly, you can help maintain a strong security posture within your cloud environment and comply with FedRAMP Moderate Revision 4 standards.