AWS Cloudtrail

CloudTrail Log File Validation Disabled

This plugin makes sure that CloudTrail log file validation is turned on for all regions in a given account

Risk Level: LOW

Description:

This plugin makes sure that CloudTrail log file validation is turned on for all regions in a given account. In the event of an account compromise, CloudTrail file validation is essentially a hash of the file that can be used to confirm its integrity.


Recommended Action:  Enable CloudTrail file validation for all regions

About the Service :

AWS CloudTrail is an AWS service that allows you to manage your AWS account's governance, compliance, operational, and risk auditing. In CloudTrail, actions done by a user, role, or AWS service are recorded as events. Actions made in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs are all considered events.

Impact: 

When you enable this feature, you'll be able to check the integrity of your CloudTrail log files and see if they've been modified after being delivered to the selected S3 bucket - the intention is that the log files will stay the same.

Steps to reproduce :
  1. Sign in to your AWS management console.
  2. Navigate to the CloudTrail dashboard at: https://console.aws.amazon.com/cloudtrail/
  3. On the left panel, select Trails.
  4. Look for the trail you want to examine.
  5. Copy the name of the S3 bucket associated with it.
  6. Visit the S3 dashboard and search for the copied S3 bucket name.
  7. Click on it and visit the Enable log file validation.
  8. If its status is set to disable, then the selected trail does not have log file integrity validation enabled.
  9. Repeat steps no. 4-8 for other trails in the selected AWS region as well as in different regions.

Steps for remediation :

  1. Sign in to your AWS management console.
  2. Navigate to the CloudTrail dashboard at: https://console.aws.amazon.com/cloudtrail/
  3. On the left panel, select Trails.
  4. Look for the trail you want to examine.
  5. Copy the name of the S3 bucket associated with it.
  6. Visit the S3 dashboard and search for the copied S3 bucket name.
  7. Search for Enable log file validation and click on Edit.
  8. Select enable to Enable log file validation and click on Save changes.
  9. Repeat steps no. 4-8 for other trails in the selected AWS region as well as in different regions.

References: