Logging and monitoring

Ensure CloudTrail log file validation is enabled

Platform(s)
Compliance Frameworks

AWS CIS, AWS Foundational Security Best Practices Controls, Brazilian General Data Protection (LGPD), CCM-CSA, CCPA, cis_8, CPRA, CSA CCM, Data Security Posture Management (DSPM) Best Practices, essential_8_au, GDPR, hdh, HITRUST, ISO 27701, iso_27001_2022, iso_27002_2022, Mitre ATT&CK, New Zealand Information Security Manual, NIST 800-171, NIST 800-53, Orca Best Practices, PDPA, UK Cyber Essentials

Description

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.