turbot/aws_cis

Pipeline: 3.2 Ensure CloudTrail log file validation is enabled

Description

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log file that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or left unchanged after CloudTrail delivered it. It is recommended that log file validation be enabled on all CloudTrail trails.

Enabling log file validation will provide additional integrity checking of CloudTrail logs.

Remediation

Perform the following to enable log file validation on a given trail:

From Console:

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.
  2. Click on Trails in the left navigation pane.
  3. Click on the target trail.
  4. Within the General details section, click Edit.
  5. Locate the Advanced settings section.
  6. Check the Enabled box under Log file validation.
  7. Click Save changes.

From Command Line:

aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation

Note that periodic validation of logs using these digests can be performed by running the following command:

aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>
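The per-file check that validate-logs performs is a SHA-256 comparison between each log object in S3 and the hashValue recorded for it in the digest file. The following is an added example, not part of the aws_cis mod, that reproduces that comparison over a constructed digest and a constructed set of log objects (field names follow the documented digest layout; the object key and bytes are made up). It classifies each log file as ok, modified or missing; it does not verify the digest's RSA signature, which the real command does.

```python
import hashlib

# Constructed sample: one compressed log object as CloudTrail would store it
# in S3 (the bytes stand in for the real .json.gz content).
LOG_KEY = ("AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/"
           "111122223333_CloudTrail_us-east-1_20240101T0000Z_example.json.gz")
LOG_OBJECTS = {LOG_KEY: b"constructed-gzipped-cloudtrail-log-bytes"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a log object, the algorithm named in digest entries."""
    return hashlib.sha256(data).hexdigest()


# Constructed digest entry matching the sample log object above.
DIGEST = {
    "digestSignatureAlgorithm": "SHA256withRSA",
    "logFiles": [
        {
            "s3Bucket": "example-trail-bucket",
            "s3Object": LOG_KEY,
            "hashAlgorithm": "SHA-256",
            "hashValue": sha256_hex(LOG_OBJECTS[LOG_KEY]),
        }
    ],
}


def validate_digest(digest: dict, objects: dict) -> dict:
    """Return {s3Object: status}, status being 'ok', 'modified' or 'missing'.

    This mirrors only the per-file hash check of `validate-logs`. It does not
    verify the digest's own signature against the CloudTrail public key, so a
    tampered digest would not be detected here; use the real command for that.
    """
    results = {}
    for entry in digest["logFiles"]:
        if entry["hashAlgorithm"] != "SHA-256":
            raise ValueError(f"unsupported hash algorithm {entry['hashAlgorithm']}")
        data = objects.get(entry["s3Object"])
        if data is None:
            results[entry["s3Object"]] = "missing"      # log deleted from S3
        elif sha256_hex(data) == entry["hashValue"]:
            results[entry["s3Object"]] = "ok"           # unchanged since delivery
        else:
            results[entry["s3Object"]] = "modified"     # content altered
    return results


if __name__ == "__main__":
    print(validate_digest(DIGEST, LOG_OBJECTS))
    print(validate_digest(DIGEST, {LOG_KEY: b"edited after delivery"}))
```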

Run the pipeline

To run this pipeline from your terminal:

flowpipe pipeline run aws_cis.pipeline.cis_v300_3_2

Use this pipeline

To call this pipeline from your pipeline, use a step:

step "pipeline" "step_name" {
  pipeline = aws_cis.pipeline.cis_v300_3_2
}

Params

Name               | Type                 | Required | Description                                                                                           | Default
database           | connection.steampipe | Yes      | Database connection string.                                                                           | connection.steampipe.default
notifier           | notifier             | Yes      | The name of the notifier to use for sending notification messages.                                    | notifier.default
notification_level | string               | Yes      | The verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'.   | info
approvers          | list(notifier)       | Yes      | List of notifiers to be used for obtaining action/approval decisions.                                 | notifier.default

Outputs

This pipeline has no outputs.

Tags

folder = CIS v3.0.0/3 Logging