CloudTrail Log File Integrity Validation

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CT-007

Ensure that your Amazon CloudTrail trails are configured with the log file integrity validation in order to analyze the log files and determine if these files were modified or deleted after Amazon CloudTrail delivered them to the designated S3 bucket.

This rule can help you with the following compliance standards:

  • CISAWSF
  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Enabling log file integrity validation will allow you to check the integrity of your CloudTrail trail log files and determine if the log files were changed once delivered to the target S3 bucket (the expectation is that the log files should remain unchanged). The feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it practically impossible to change log files without detection.

Note: This conformity rule will also explain how to validate your CloudTrail trail log files as an integrity validation task for a cloud security audit.


Audit

To determine if your Amazon CloudTrail trails are configured with the log file validation, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel, under CloudTrail, choose Trails.

04 Click on the name (link) of the Amazon CloudTrail trail that you want to examine.

05 In the General details section, check the Log file validation attribute value. If the Log file validation value is set to Disabled, the log file integrity validation is not enabled for the selected Amazon CloudTrail trail.

06 Repeat steps no. 4 and 5 for each Amazon CloudTrail trail created for your AWS cloud account.

Using AWS CLI

01 Run the list-trails command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon CloudTrail trails created for your AWS cloud account:

aws cloudtrail list-trails \
  --region us-east-1 \
  --query 'Trails[*].Name'

02 The command output should return an array with the requested CloudTrail trail names:

[
    "cc-main-cloud-trail",
    "cc-project5-api-trail",
    "cc-data-events-trail"
]

03 Run the describe-trails command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to examine as the identifier parameter and custom query filters to determine if the selected trail is configured to support log file validation:

aws cloudtrail describe-trails \
  --region us-east-1 \
  --trail-name-list cc-main-cloud-trail \
  --query 'trailList[*].LogFileValidationEnabled'

04 The command output should return the log file validation status (true for enabled, false for disabled):

[
    false
]

If the describe-trails command output returns false, as shown in the example above, the log file integrity validation is not enabled for the selected Amazon CloudTrail trail.

05 Repeat steps no. 3 and 4 for each Amazon CloudTrail trail created for your AWS cloud account.
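The audit steps above, scripted as an added Python example (not Conformity's own check): one describe-trails call per region, with the regional replicas of multi-region trails skipped so each trail is judged once, plus a get-trail-status lookup so a trail whose validation is on but whose digest delivery is failing is also flagged. The FakeClient and its trail names are constructed responses shaped like the real CloudTrail API answers; pass a boto3 CloudTrail client in its place for a live account.

```python
from typing import Any


def audit_trails(client: Any) -> dict:
    """Return {trail name: [findings]} for trails that need attention.
    client must expose describe_trails() and get_trail_status(Name=...)
    with the response shapes of the boto3 CloudTrail client."""
    findings = {}
    # includeShadowTrails=False drops the regional copies of multi-region
    # trails, so a trail is only reported from its home region
    for trail in client.describe_trails(includeShadowTrails=False)["trailList"]:
        issues = []
        validation_on = trail.get("LogFileValidationEnabled", False)
        if not validation_on:
            issues.append("log file validation disabled")
        status = client.get_trail_status(Name=trail["TrailARN"])
        if not status.get("IsLogging", False):
            issues.append("trail is not logging")
        # validation only helps if digest files actually arrive in the bucket
        if validation_on and status.get("LatestDigestDeliveryError"):
            issues.append(f"digest delivery error: {status['LatestDigestDeliveryError']}")
        if issues:
            findings[trail["Name"]] = issues
    return findings


class FakeClient:
    """Constructed stand-in for boto3's CloudTrail client (offline sample data)."""
    ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/"
    TRAILS = [
        {"Name": "cc-main-cloud-trail", "TrailARN": ARN + "cc-main-cloud-trail", "LogFileValidationEnabled": False},
        {"Name": "cc-project5-api-trail", "TrailARN": ARN + "cc-project5-api-trail", "LogFileValidationEnabled": True},
        {"Name": "cc-data-events-trail", "TrailARN": ARN + "cc-data-events-trail", "LogFileValidationEnabled": True},
    ]
    STATUS = {
        "cc-main-cloud-trail": {"IsLogging": True},
        "cc-project5-api-trail": {"IsLogging": False},
        "cc-data-events-trail": {"IsLogging": True, "LatestDigestDeliveryError": "AccessDenied"},
    }

    def describe_trails(self, includeShadowTrails: bool = True) -> dict:
        return {"trailList": list(self.TRAILS)}

    def get_trail_status(self, Name: str) -> dict:
        return self.STATUS[Name.rsplit("/", 1)[-1]]


if __name__ == "__main__":
    # Live use: audit_trails(boto3.client("cloudtrail", region_name="us-east-1"))
    for name, issues in audit_trails(FakeClient()).items():
        print(f"{name}: {'; '.join(issues)}")
```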

Remediation / Resolution

To enable log file integrity validation for your existing Amazon CloudTrail trails, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Enable Log File Validation",
    "Parameters": {
        "TrailName": {
            "Type": "String"
        },
        "BucketName": {
            "Type": "String"
        },
        "S3BucketKeyPrefix": {
            "Type": "String"
        }
    },
    "Resources": {
        "Trail": {
            "Type": "AWS::CloudTrail::Trail",
            "Properties": {
                "TrailName": {
                    "Ref": "TrailName"
                },
                "S3BucketName": {
                    "Ref": "BucketName"
                },
                "S3KeyPrefix": {
                    "Ref": "S3BucketKeyPrefix"
                },
                "IsLogging": true,
                "EnableLogFileValidation": true
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Log File Validation
Parameters:
  TrailName:
    Type: String
  BucketName:
    Type: String
  S3BucketKeyPrefix:
    Type: String
Resources:
  Trail:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: !Ref 'TrailName'
      S3BucketName: !Ref 'BucketName'
      S3KeyPrefix: !Ref 'S3BucketKeyPrefix'
      IsLogging: true
      EnableLogFileValidation: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

data "aws_caller_identity" "current-account" {}

resource "aws_s3_bucket" "trail-s3-bucket" {

  bucket        = "cc-main-cloudtrail-bucket"
  force_destroy = true
  policy = <<POLICY
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "AWSCloudTrailAclCheck",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:GetBucketAcl",
              "Resource": "arn:aws:s3:::cc-main-cloudtrail-bucket"
          },
          {
              "Sid": "AWSCloudTrailWrite",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:PutObject",
              "Resource": "arn:aws:s3:::cc-main-cloudtrail-bucket/cc-trail-logs/AWSLogs/${data.aws_caller_identity.current-account.account_id}/*",
              "Condition": {
                  "StringEquals": {
                      "s3:x-amz-acl": "bucket-owner-full-control"
                  }
              }
          }
      ]
  }
  POLICY

}

resource "aws_cloudtrail" "cloudtrail-trail" {

  name                          = "cc-main-cloud-trail"
  s3_bucket_name                = aws_s3_bucket.trail-s3-bucket.id
  s3_key_prefix                 = "cc-trail-logs"
  enable_logging                = true

  # Enable Log File Validation
  enable_log_file_validation    = true

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel, under CloudTrail, choose Trails.

04 Click on the name (link) of the Amazon CloudTrail trail that you want to reconfigure.

05 In the General details section choose Edit to change the configuration settings available for the selected trail.

06 On the Edit trail configuration page, in the Additional settings section, select Enabled under Log file validation to enable the log file integrity validation for the selected trail. Choose Save changes to apply the changes.

07 Repeat steps no. 4 – 6 for each Amazon CloudTrail trail that you want to reconfigure, available within your AWS cloud account.

Using AWS CLI

01 Run the update-trail command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to reconfigure as the identifier parameter, to enable the log file integrity validation for the selected trail:

aws cloudtrail update-trail \
  --region us-east-1 \
  --name cc-main-cloud-trail \
  --enable-log-file-validation

02 The command output should return the metadata available for the reconfigured trail:

{
  "IncludeGlobalServiceEvents": true,
  "IsOrganizationTrail": false,
  "Name": "cc-main-cloud-trail",
  "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-main-cloud-trail",
  "LogFileValidationEnabled": true,
  "IsMultiRegionTrail": true,
  "S3BucketName": "cc-main-cloudtrail-bucket"
}

03 Repeat steps no. 1 and 2 for each Amazon CloudTrail trail that you want to reconfigure, available in your AWS cloud account.

Optional: To validate your Amazon CloudTrail log files using AWS Command Line Interface (AWS CLI), perform the following operations:

Using AWS CLI

01 Run the describe-trails command (OSX/Linux/UNIX) to retrieve the Amazon Resource Name (ARN) of the CloudTrail trail whose log files you want to validate:

aws cloudtrail describe-trails \
  --region us-east-1 \
  --trail-name-list cc-main-cloud-trail \
  --query 'trailList[*].TrailARN'

02 The command output should return the CloudTrail trail ARN:

[
    "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-main-cloud-trail"
]

03 Run the validate-logs command (OSX/Linux/UNIX) with the delivery time frame of the log files you want to check, to validate the log files delivered in that window and detect any changes made to them:

aws cloudtrail validate-logs \
  --trail-arn arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-main-cloud-trail \
  --start-time 2016-04-13T00:00:00Z \
  --end-time 2016-04-13T12:00:00Z

04 The Command Line Interface (CLI) allows you to detect any modification or deletion of CloudTrail log files and/or any modification or deletion of CloudTrail digest files. The command output should return the integrity status of the log files after validation:

If the files were not modified or deleted, the command output should look like this:

Validating log files for trail arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-main-cloud-trail between 2016-04-13T00:00:00Z and 2016-04-13T12:00:00Z

Results requested for 2016-04-13T00:00:00Z to 2016-04-13T12:00:00Z
Results found for 2016-04-13T05:55:11Z to 2016-04-13T07:55:11Z:

2/2 digest files valid
4/4 log files valid

If one or more files were modified, the command output should look like this:

Log file s3://cc-main-cloudtrail-bucket/AWSLogs/123456789012/CloudTrail/us-east-1/2016/04/13/123456789012_CloudTrail_us-east-1_20160413T0850Z_abcdabcdabcdabcd.json.gz INVALID: hash value doesn't match

Results requested for 2016-04-13T00:00:00Z to 2016-04-13T12:00:00Z
Results found for 2016-04-13T05:55:11Z to 2016-04-13T07:55:11Z:

2/2 digest files valid
3/4 log files valid, 1/4 log files INVALID

If one or more files were deleted, the command output should look like this:

Log file s3://cc-main-cloudtrail-bucket/AWSLogs/123456789012/CloudTrail/us-east-1/2016/04/13/123456789012_CloudTrail_us-east-1_20160413T0850Z_abcdabcdabcdabcd.json.gz INVALID: not found

Results requested for 2016-04-13T00:00:00Z to 2016-04-13T12:00:00Z
Results found for 2016-04-13T06:50:11Z to 2016-04-13T08:50:11Z:

2/2 digest files valid
3/4 log files valid, 1/4 log files INVALID
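The hash checks behind the three verdicts shown above (and behind the SHA-256 hashing described in the Security section), as an added Python example that is neither the AWS CLI's code nor part of this page: it rebuilds the log-file portion of a digest file for a constructed set of delivered objects, then re-hashes what is left in the bucket after one object is edited and another deleted. The digest field names (logFiles, s3Object, hashValue, hashAlgorithm) and the convention that the hash covers the uncompressed log content are assumptions taken from the AWS digest file documentation; the bucket name is the page's, the object names are constructed, and the RSA signature check on the digest file itself is not reproduced.

```python
import gzip
import hashlib
import json

BUCKET = "cc-main-cloudtrail-bucket"  # bucket name from the page; the objects below are constructed
PREFIX = "AWSLogs/123456789012/CloudTrail/us-east-1/2016/04/13/"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_log(records: list) -> bytes:
    # CloudTrail delivers each log file as gzip-compressed JSON with a top-level "Records" array
    return gzip.compress(json.dumps({"Records": records}).encode())

def build_digest(objects: dict) -> dict:
    # One digest entry per delivered log file; the hash covers the uncompressed log content
    # (assumption taken from the AWS digest file documentation, not from this page)
    return {"logFiles": [{"s3Bucket": BUCKET, "s3Object": key, "hashAlgorithm": "SHA-256",
                          "hashValue": sha256_hex(gzip.decompress(blob))}
                         for key, blob in objects.items()]}

def validate_log_files(digest: dict, objects: dict) -> dict:
    # Same outcomes validate-logs prints: valid, "hash value doesn't match", "not found"
    results = {}
    for entry in digest["logFiles"]:
        key = f"s3://{entry['s3Bucket']}/{entry['s3Object']}"
        blob = objects.get(entry["s3Object"])
        if blob is None:
            results[key] = "INVALID: not found"                 # deleted after delivery
        elif sha256_hex(gzip.decompress(blob)) != entry["hashValue"]:
            results[key] = "INVALID: hash value doesn't match"  # modified after delivery
        else:
            results[key] = "valid"
    return results

def summarize(results: dict) -> str:
    total = len(results)
    valid = sum(1 for status in results.values() if status == "valid")
    return f"{valid}/{total} log files valid, {total - valid}/{total} log files INVALID"

def run_scenario() -> dict:
    # Constructed bucket: three log files are digested, then one is edited and one deleted
    keys = [f"{PREFIX}123456789012_CloudTrail_us-east-1_20160413T0{h}50Z_sample{h}.json.gz" for h in (6, 7, 8)]
    objects = {k: make_log([{"eventName": "ConsoleLogin", "eventID": str(i)}]) for i, k in enumerate(keys)}
    digest = build_digest(objects)
    objects[keys[1]] = make_log([{"eventName": "ConsoleLogin", "eventID": "1", "edited": True}])
    del objects[keys[2]]
    return validate_log_files(digest, objects)

if __name__ == "__main__":
    print(summarize(run_scenario()))
```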

Publication date Apr 13, 2016