CloudTrail log file validation is disabled

ID

aws_cloudtrail_log_file_validation

Severity

low

Vendor

AWS

Resource

Logging

Tags

non-reachable

Description

CloudTrail log file validation is disabled. Enabling log file validation provides additional integrity checking of CloudTrail logs: CloudTrail creates a hash for every log file it delivers and produces a signed digest file that can be used to verify that the log files have not been tampered with.

To fix it, set enable_log_file_validation: true on the amazon.aws.cloudtrail task that creates or updates the trail.

Learn more about this topic at AWS CloudTrail log file validation.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create
      amazon.aws.cloudtrail:
        state: present
        name: default
        s3_bucket_name: mylogbucket
        region: us-east-1
        is_multi_region_trail: true
        cloudwatch_logs_role_arn: "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role"
        cloudwatch_logs_log_group_arn: "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*"
        kms_key_id: "alias/MyAliasName"
        tags:
          environment: dev
          Name: default

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create
      amazon.aws.cloudtrail:
        state: present
        name: default
        s3_bucket_name: mylogbucket
        region: us-east-1
        is_multi_region_trail: true
        enable_log_file_validation: true
        cloudwatch_logs_role_arn: "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role"
        cloudwatch_logs_log_group_arn: "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*"
        kms_key_id: "alias/MyAliasName"
        tags:
          environment: dev
          Name: default
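Added example, not part of this rule page or of the amazon.aws collection: a small Python check that applies this rule to a parsed playbook (the structure a YAML loader returns), reporting amazon.aws.cloudtrail tasks that create or update a trail without enable_log_file_validation set to true. The sample playbooks, the _trail_args helper and the handling of block/rescue/always sections are assumptions made for the example.

```python
from typing import Iterator

# Ansible accepts the short module name as well as the FQCN once the collection is installed.
CLOUDTRAIL_MODULES = ("amazon.aws.cloudtrail", "cloudtrail")
TRUTHY = (True, "true", "True", "yes", "on")

def _iter_tasks(tasks) -> Iterator[dict]:
    """Yield leaf tasks, descending into block/rescue/always sections."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        sections = [s for s in ("block", "rescue", "always") if s in task]
        if not sections:
            yield task
        for section in sections:
            yield from _iter_tasks(task[section])

def find_unvalidated_trails(playbook: list) -> list:
    """Return (play name, task name) pairs for trails managed without log file validation."""
    findings = []
    for play in playbook:
        for section in ("pre_tasks", "tasks", "post_tasks"):
            for task in _iter_tasks(play.get(section)):
                for module in CLOUDTRAIL_MODULES:
                    args = task.get(module)
                    if not isinstance(args, dict) or args.get("state", "present") == "absent":
                        continue  # free-form args, or the task deletes the trail
                    # A templated value ("{{ ... }}") cannot be resolved statically and is reported too.
                    if args.get("enable_log_file_validation") not in TRUTHY:
                        findings.append((play.get("name", "<unnamed>"), task.get("name", "<unnamed>")))
    return findings

def _trail_args(**overrides) -> dict:
    """Constructed sample mirroring the page's example task as a YAML loader would parse it."""
    args = {"state": "present", "name": "default", "s3_bucket_name": "mylogbucket",
            "region": "us-east-1", "is_multi_region_trail": True}
    args.update(overrides)
    return args

# Constructed samples: the page's failing example, its fix, and a trail nested inside a block.
FAILING = [{"name": "Example playbook", "hosts": "localhost",
            "tasks": [{"name": "create", "amazon.aws.cloudtrail": _trail_args()}]}]
FIXED = [{"name": "Example playbook", "hosts": "localhost",
          "tasks": [{"name": "create", "amazon.aws.cloudtrail": _trail_args(enable_log_file_validation=True)}]}]
NESTED = [{"name": "Nested", "hosts": "localhost",
           "tasks": [{"block": [{"name": "in block", "cloudtrail": _trail_args()}]}]}]
```

To run it against a real playbook, load the file with yaml.safe_load and pass the resulting list to find_unvalidated_trails.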