Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-terraform-aws-compliance
Overview
69Dashboards
357Benchmarks
357Queries
2Variables
GitHub

Control: CloudTrail trail log file validation should be enabled

Description

Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.

Usage

Run the control in your terminal:

powerpipe control run terraform_aws_compliance.control.cloudtrail_trail_validation_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run terraform_aws_compliance.control.cloudtrail_trail_validation_enabled --share

SQL

This control uses a named query:

select
  address as resource,
  case
    when (attributes_std ->> 'enable_log_file_validation')::boolean then 'ok'
    else 'alarm'
  end status,
  split_part(address, '.', 2) || case
    when (attributes_std ->> 'enable_log_file_validation')::boolean then ' log file validation enabled'
    else ' log file validation disabled'
  end || '.' reason
  
  , path || ':' || start_line
from
  terraform_resource
where
  type = 'aws_cloudtrail';

Tags

aws_foundational_security = true
category = Compliance
cis = true
gdpr = true
hipaa = true
nist_800_53_rev_4 = true
pci = true
plugin = terraform
service = AWS/CloudTrail
soc_2 = true