Ensure CloudTrail log file validation is enabled

Logging and monitoring

Ensure CloudTrail log file validation is enabled

Risk Level

Informational (4)

Platform(s)

Compliance Frameworks

AWS CIS
AWS Foundational Security Best Practices Controls
CCM-CSA
CCPA
cis_8
CSA CCM
FedRAMP
GDPR
HIPAA
HITRUST
ISO 27701
NIST 800-53
NIST-CSF
Orca Best Practices
SOC 2

Description

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.

Recommended Mitigation

Turn on log file verification for {AwsCloudTrail}

Ensure CloudTrail log file validation is enabled

Description

Need help?