v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 4 Ensure CloudTrail log file validation is enabled

Description

This control checks whether log file integrity validation is enabled on a CloudTrail trail.

CloudTrail log file validation creates a digitally signed digest file that contains a hash of each log that CloudTrail writes to Amazon S3. You can use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log.

Security Hub recommends that you enable file validation on all trails. Log file validation provides additional integrity checks of CloudTrail logs.

Remediation

To remediate this issue, update your CloudTrail trail to enable log file validation.

To enable CloudTrail log file validation

  1. Open the CloudTrail console.
  2. Choose Trails.
  3. Under Name, choose the name of a trail to edit.
  4. Under General details, choose Edit.
  5. Under Additional settings, for Log file validation, choose Enabled.
  6. Choose Save changes.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_cloudtrail_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_cloudtrail_4 --share

SQL

This control uses a named query:

cloudtrail_trail_validation_enabled

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = data_integrity
foundational_security_item_id = cloudtrail_4
plugin = aws
service = AWS/CloudTrail