CloudTrail trails should have log file validation enabled
Without log file validation, an attacker who gains access to your S3 bucket can silently alter or delete CloudTrail logs to cover their tracks. You would have no cryptographic proof that what you see in the bucket matches what CloudTrail actually recorded. Digest files give you that proof.
Enabling validation costs nothing and adds no operational overhead. The digest files are small, stored alongside your logs, and verifiable with aws cloudtrail validate-logs. If you ever need to prove log integrity during an incident investigation or audit, this is the only mechanism AWS provides.
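To make concrete what "cryptographic proof" means here, the following is an added, simplified model of CloudTrail digest validation; it is not AWS code and not the output of aws cloudtrail validate-logs. Each digest lists the log files delivered in its window with their SHA-256 hashes, carries the hash of the previous digest so the chain cannot be cut, and is signed. Real digests are RSA-signed with a per-region CloudTrail public key; this model substitutes a keyed HMAC so it runs on the standard library alone. The log contents, object names and signing key are constructed for the example.

```python
"""Toy model of CloudTrail digest-file validation (added example, not AWS code)."""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(log_files: dict, previous_digest_hash: str, key: bytes) -> dict:
    """Build one digest: every log file in the window with its SHA-256, chained to the
    previous digest's hash, then signed. HMAC stands in for CloudTrail's RSA signature."""
    body = {
        "logFiles": [
            {"s3Object": name, "hashValue": sha256_hex(content)}
            for name, content in sorted(log_files.items())
        ],
        "previousDigestHashValue": previous_digest_hash,
    }
    body_bytes = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "signature": hmac.new(key, body_bytes, hashlib.sha256).hexdigest()}


def validate(digests: list, bucket: dict, key: bytes) -> list:
    """Walk the digest chain against the bucket contents. Returns findings; empty means
    every digest signature, chain link and log-file hash checked out."""
    findings = []
    expected_prev = ""  # the first digest in a chain has no predecessor
    for i, digest in enumerate(digests):
        body_bytes = json.dumps(digest["body"], sort_keys=True).encode()
        good_sig = hmac.new(key, body_bytes, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good_sig, digest["signature"]):
            findings.append(f"digest {i}: signature invalid")
        if digest["body"]["previousDigestHashValue"] != expected_prev:
            findings.append(f"digest {i}: chain broken (previous digest missing or altered)")
        for entry in digest["body"]["logFiles"]:
            content = bucket.get(entry["s3Object"])
            if content is None:
                findings.append(f"{entry['s3Object']}: log file missing from bucket")
            elif sha256_hex(content) != entry["hashValue"]:
                findings.append(f"{entry['s3Object']}: hash mismatch, file modified")
        expected_prev = sha256_hex(body_bytes)
    return findings


def demo():
    """Two delivery windows, then the same bucket with one log edited and one deleted."""
    key = b"constructed-demo-key"  # stand-in for the per-region signing key (constructed)
    hour1 = {"logs/2026/03/09/trail-0100.json": b'{"Records":[{"eventName":"ConsoleLogin"}]}'}
    hour2 = {
        "logs/2026/03/09/trail-0200.json": b'{"Records":[{"eventName":"DeleteTrail"}]}',
        "logs/2026/03/09/trail-0230.json": b'{"Records":[{"eventName":"StopLogging"}]}',
    }
    d1 = build_digest(hour1, "", key)
    d1_hash = sha256_hex(json.dumps(d1["body"], sort_keys=True).encode())
    d2 = build_digest(hour2, d1_hash, key)
    bucket = {**hour1, **hour2}

    clean = validate([d1, d2], bucket, key)
    # Someone with bucket write access edits one log and deletes another, but cannot re-sign.
    tampered = dict(bucket)
    tampered["logs/2026/03/09/trail-0200.json"] = b'{"Records":[]}'
    del tampered["logs/2026/03/09/trail-0230.json"]
    tampered_findings = validate([d1, d2], tampered, key)
    # Removing the first digest breaks the chain even though every log file is intact.
    missing_digest = validate([d2], bucket, key)
    return clean, tampered_findings, missing_digest


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "missing digest"), demo()):
        print(label, result)
```

The point the model makes is the one the page relies on: a modified log fails its hash, a deleted log is reported missing because the digest still lists it, and a deleted digest breaks the chain, while none of these can be hidden without the signing key.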
Implementation
Choose the approach that matches how you manage Terraform.
Use AWS provider resources directly. See docs for the resources involved: aws_cloudtrail.
resource "aws_cloudtrail" "this" {
  advanced_event_selector {
    field_selector {
      equals = ["Data"]
      field  = "eventCategory"
    }
    field_selector {
      equals = ["AWS::S3::Object"]
      field  = "resources.type"
    }
    name = "Log all S3 data events"
  }
  cloud_watch_logs_group_arn = local.cloudtrail_log_group_arn
  cloud_watch_logs_role_arn  = "arn:aws:iam::123456789012:role/example-role"
  name                       = "pofix-abc123"
  s3_bucket_name             = "example-bucket-abc123"
  enable_log_file_validation = true
}
What this control checks
This control checks that enable_log_file_validation is set to true on the aws_cloudtrail resource. The argument defaults to false when omitted, so any trail defined without it will fail. To pass, set enable_log_file_validation = true explicitly on every aws_cloudtrail resource. No additional dependencies exist; it is a single boolean on the trail.
Common pitfalls
Default is false when argument is omitted
enable_log_file_validation defaults to false when omitted from an aws_cloudtrail resource. Unlike some security arguments that default safe, this one requires explicit opt-in. Every trail defined without it will fail the control, with no warning from Terraform at plan or apply time.
Digest bucket permissions can break validation
Digest files land in the same S3 bucket as your logs. If the bucket policy denies CloudTrail write access to the digest prefix, or an S3 lifecycle rule deletes digest files before you run validation, aws cloudtrail validate-logs will report failures even though enable_log_file_validation is true on the trail. Enabled on the resource does not mean the files are actually arriving.
Organization trails may not appear in member accounts
With an organization trail (is_organization_trail = true), the trail resource only exists in the management account. Scanning member accounts for aws_cloudtrail resources will return nothing, and the control may report no trails to evaluate rather than a failure. Make sure your compliance scanning covers the management account.
Multiple trails require individual enablement
Set enable_log_file_validation = true on each aws_cloudtrail resource separately. If you have region-specific trails alongside a multi-region trail, each one needs its own explicit configuration. One compliant trail does nothing for the others.
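The check described under "What this control checks", together with the multiple-trails pitfall, can be reproduced locally against a Terraform plan before anything is applied. The following is an added example, not Compliance.tf or provider code: it reads the JSON that terraform show -json produces for a saved plan, walks every module, and reports each aws_cloudtrail resource whose enable_log_file_validation is not true, treating an absent key the same as false. The plan document embedded below is constructed for the example; the resource addresses and trail names in it are not from the page.

```python
"""Report aws_cloudtrail resources in a Terraform plan that lack log file validation.
Added example; reads `terraform show -json <planfile>` output, not a real provider API."""
import json
import sys

# Constructed sample of `terraform show -json` output: two trails in the root module
# (one compliant, one that omits the argument) and one regional trail in a child module
# that sets it to false explicitly. Not a real plan.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_cloudtrail.org", "mode": "managed", "type": "aws_cloudtrail",
                 "name": "org", "values": {"name": "org-trail",
                                           "s3_bucket_name": "example-bucket-abc123",
                                           "is_multi_region_trail": True,
                                           "enable_log_file_validation": True}},
                {"address": "aws_cloudtrail.legacy", "mode": "managed", "type": "aws_cloudtrail",
                 "name": "legacy", "values": {"name": "legacy-trail",
                                              "s3_bucket_name": "example-bucket-abc123"}},
            ],
            "child_modules": [
                {"address": "module.eu_west",
                 "resources": [
                     {"address": "module.eu_west.aws_cloudtrail.regional", "mode": "managed",
                      "type": "aws_cloudtrail", "name": "regional",
                      "values": {"name": "eu-west-1-trail",
                                 "s3_bucket_name": "example-bucket-abc123",
                                 "enable_log_file_validation": False}}],
                 "child_modules": []},
            ],
        }
    },
})


def iter_resources(module: dict):
    """Yield every resource in a plan module, recursing into nested child modules
    so trails declared inside modules are evaluated individually too."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_trails_without_validation(plan_json: str) -> list:
    """Return the addresses of managed aws_cloudtrail resources that would fail the control."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    failing = []
    for res in iter_resources(root):
        if res.get("mode") != "managed" or res.get("type") != "aws_cloudtrail":
            continue
        # The argument defaults to false when omitted, so only an explicit true passes.
        if res.get("values", {}).get("enable_log_file_validation") is not True:
            failing.append(res["address"])
    return failing


if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python check_trail_validation.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN_JSON
    for address in find_trails_without_validation(source):
        print(f"FAIL {address}: enable_log_file_validation is not true")
```

Run with the plan piped in to gate a pipeline, or with no input to see the sample evaluated. Because every aws_cloudtrail resource is reported by its own address, a compliant multi-region trail does not mask a regional trail that still lacks the setting.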
Audit evidence
An auditor will look for AWS Config rule evaluation results from the managed rule cloud-trail-log-file-validation-enabled, confirming all trails show as COMPLIANT. Console screenshots showing the "Log file validation" field set to "Enabled" on the trail details page are also accepted.
For stronger evidence, provide output from aws cloudtrail describe-trails showing "LogFileValidationEnabled": true for each trail, along with a sample run of aws cloudtrail validate-logs showing that digest files exist and integrity checks pass for a recent time window.
Framework-specific interpretation
SOC 2: CC7.2 and CC7.3 examine whether the organization maintains reliable, tamper-evident audit trails. Log integrity verification is what SOC 2 auditors check when they want evidence that security events are accurately recorded and unaltered.
PCI DSS v4.0: Requirement 10 prohibits unauthorized modification of audit logs. CloudTrail digest files use SHA-256 hashing and RSA signing to give you a cryptographic integrity mechanism that directly addresses this.
HIPAA Omnibus Rule 2013: The Security Rule requires safeguards against improper alteration or destruction of records related to ePHI access. Digest files provide cryptographic proof that CloudTrail logs covering those systems have not been modified since delivery, directly supporting the integrity requirements at 45 CFR 164.312(b).
GDPR: Article 5(1)(f) requires appropriate technical measures protecting personal data against unauthorized processing. Validated CloudTrail logs are how you demonstrate that access records for systems handling personal data are complete and unaltered.
NIST SP 800-53 Rev 5: AU-9 (Protection of Audit Information) and SI-7 (Software, Firmware, and Information Integrity) both apply. Digest files give you cryptographic detection of unauthorized changes to audit records, which is exactly what both controls call for.
NIST Cybersecurity Framework v2.0: If logs can be silently altered, your DE.CM monitoring and DE.AE analysis are only as reliable as the attacker allows. Validated log files ensure that anomaly detection and incident analysis work from trustworthy data.
FedRAMP Moderate Baseline Rev 4: At the Moderate baseline, AU-9 calls for mechanisms that detect unauthorized changes to audit records. Log file validation covers this without requiring any additional tooling.
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control: cloudtrail_trail_validation_enabled
AWS Config Managed Rule: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
Checkov Check: CKV_AWS_36
Powerpipe Control: aws_compliance.control.cloudtrail_trail_validation_enabled
Prowler Check: cloudtrail_log_file_validation_enabled
AWS Security Hub Control: CloudTrail.4
KICS Query: 52ffcfa6-6c70-4ea6-8376-d828d3961669
Trivy Check: AWS-0016
Last reviewed: 2026-03-09