AWS CloudTrail log validation is not enabled in all regions
Description
CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails. We recommend enabling log file validation to provide additional integrity checking of CloudTrail logs.
Code Example
----
{
"resource "aws_cloudtrail" "trail_1" {
...
name = "terraform.env-trail-01"
+ enable_log_file_validation = true
}
",
}Remediation
- AWS Console*
To enable log file validation on a given trail, follow these steps:
. Log in to the AWS Management Console at https://console.aws.amazon.com/.
. Open the https://console.aws.amazon.com/iam/ [IAM console].
. On the left navigation pane, click * Trails*.
. Select the target trail.
. Navigate to the * S3* section, click the edit icon (pencil).
. Click * Advanced*.
. In the * Enable log file validation* section, select * Yes*.
. Click * Save*.
- CLI Command*
To enable log file validation on an AWS CloudTrail, use the following command: [,bash]
aws cloudtrail update-trail --name & lt;trail_name> --enable-log-file-validation
To start periodic validation of logs using these digests, use the following command: [,bash]
aws cloudtrail validate-logs --trail-arn & lt;trail_arn> --start-time & lt;start_time> --end-time & lt;end_time>
=== Fix - Buildtime
Terraform
- Resource: aws_cloudtrail
- Arguments: enable_log_file_validation - (Optional) Specifies whether log file integrity validation is enabled. Defaults to false.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0090 |
| Severity | LOW |
| IaC Type | Cloudformation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_36 |