AWS Config Rule: CloudTrail Log File Validation Enabled
CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
Fernando Honig
Last Update a year ago
Description: Checks whether AWS CloudTrail creates a signed digest file with logs. AWS recommends that the file validation must be enabled on all trails. The rule is noncompliant if the validation is not enabled.
Trigger type: Periodic
AWS Region: All supported AWS regions
How to Resolve Manually
To resolve this manually, a small simple setting will need enabling if it isn't already within the general settings of your CloudTrail trails.
To determine whether a log file was modified, deleted, or unchanged after AWS CloudTrail delivered it, use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing.
For Log file validation, choose Enabled to have log digests delivered to your Amazon S3 bucket. You can use the digest files to verify that your log files did not change after CloudTrail delivered them.
How to Resolve with StackZone
By opting to resolve this Config Rule with StackZone, the remediation action will be able to automatically set this particular setting within your CloudTrail, to enabled.
To enable this in your StackZone configuration, head to Config Rules Regional / CloudTrail Log File Validation Remediation and enable the remediation for this Config Rule
Want to know more about StackZone and how to make your cloud management simple and secure?
Check our how it works section with easy to follow videos or just create your own StackZone Account here