CloudTrail trail log file validation should be enabled¶
Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.
How to fix¶
Attribute enable_log_file_validation of aws_cloudtrail must be true.
Implementation options¶
Choose the option that matches how you manage Terraform. All options satisfy this control.
Option 1: Terraform AWS provider resources¶
If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_cloudtrail.
resource "aws_cloudtrail" "this" {
advanced_event_selector {
field_selector {
equals = ["Data"]
field = "eventCategory"
}
field_selector {
equals = ["AWS::S3::Object"]
field = "resources.type"
}
name = "Log all S3 data events"
}
name = "pofix-example-trail"
s3_bucket_name = "example-bucket-abc123"
enable_log_file_validation = true
}
Which option should I choose?
- Compliance.tf module (recommended): controls enforced by default and mapped to frameworks.
- Open source module (
terraform-aws-modules): compatible by design with compliance.tf. Same variable names for an easy, low-change migration path when you are ready. - Terraform AWS provider resources: manage Terraform resources directly.
Tool mappings¶
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf (CTF) Control:
cloudtrail_trail_validation_enabledAWS Config Managed Rule:
CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLEDCheckov Check:
CKV_AWS_36Powerpipe Controls:
aws_compliance.control.cis_v500_3_2,aws_compliance.control.cis_v600_4_2,aws_compliance.control.cloudtrail_trail_validation_enabled