AWS Config Rule: CloudTrail Log File Validation Enabled

CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED

Fernando Honig

Last Update a year ago

Description: Checks whether AWS CloudTrail creates a signed digest file with logs. AWS recommends that the file validation must be enabled on all trails. The rule is noncompliant if the validation is not enabled.


Trigger type: Periodic


AWS Region: All supported AWS regions


How to Resolve Manually

To resolve this manually, a small simple setting will need enabling if it isn't already within the general settings of your CloudTrail trails.


To determine whether a log file was modified, deleted, or unchanged after AWS CloudTrail delivered it, use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing.

For Log file validation, choose Enabled to have log digests delivered to your Amazon S3 bucket. You can use the digest files to verify that your log files did not change after CloudTrail delivered them.

How to Resolve with StackZone

By opting to resolve this Config Rule with StackZone, the remediation action will be able to automatically set this particular setting within your CloudTrail, to enabled.


To enable this in your StackZone configuration, head to Config Rules Regional  / CloudTrail Log File Validation Remediation and enable the remediation for this Config Rule


Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here

Was this article helpful?

1 out of 1 liked this article

Still need help? Message Us