Insufficient data authenticity validation - Cloudtrail Logs - Aws

Need

Improved data authenticity validation for Cloudtrail Logs

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of AWS CloudTrail for logging and monitoring AWS API activity
  • Usage of AWS S3 Bucket for storing and retrieving files

Description

Non compliant code

    resource "aws_cloudtrail" "example" {
      name                          = "example"
      s3_bucket_name                = aws_s3_bucket.example.bucket
      s3_key_prefix                 = "prefix"
      include_global_service_events = true
    }

In the Terraform code above, a CloudTrail trail is created, but the enable_log_file_validation argument (the EnableLogFileValidation setting in the CloudTrail API) is not set. This setting turns on log file integrity validation, which makes it possible to determine whether a delivered log file has been modified or deleted since CloudTrail wrote it.

Without it, there is no way to verify the integrity of the log files after delivery. An attacker with write access to the log bucket could alter existing records or inject fabricated ones without detection, because no mechanism exists to validate the authenticity of the data.

In this specific context, the vulnerability lies in the absence of the enable_log_file_validation argument in the aws_cloudtrail resource block. The trail created by this code will therefore not have log file validation enabled, leaving it exposed to the risks described above.

Steps

  • Enable log file integrity validation for the CloudTrail trail
  • Set the enable_log_file_validation argument to true in the aws_cloudtrail resource

Compliant code

    resource "aws_cloudtrail" "example" {
      name                          = "example"
      s3_bucket_name                = aws_s3_bucket.example.bucket
      s3_key_prefix                 = "prefix"
      include_global_service_events = true
      enable_log_file_validation    = true
    }

The code above is the fixed version of the vulnerable code. The vulnerability was the lack of data authenticity validation for the CloudTrail logs, caused by the enable_log_file_validation argument not being set on the trail.

In the fixed code, enable_log_file_validation is set to true, so integrity validation is performed on the CloudTrail logs. Any attempt to alter the log files or inject information into them can then be detected rather than going unnoticed.

Log file validation is a security feature provided by AWS CloudTrail. When it is enabled, CloudTrail computes a hash of each log file it delivers and records the hash values in a separate digest file. The digest file is signed with a private key held by CloudTrail so that its own integrity can be checked. When the logs are validated (for example with the AWS CLI command aws cloudtrail validate-logs), the corresponding public key is used to verify the signature of the digest file. If the signature is valid, the hash values in the digest file are compared with hashes recomputed over the retrieved log files. If the values match, the log files have not been tampered with; a mismatch or a missing file indicates modification or deletion.

By enabling enable_log_file_validation, you gain a way to verify the integrity and authenticity of your CloudTrail logs, which strengthens the security posture of your AWS infrastructure.
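A small static check for this finding, added here as an example that is not part of the original page, of Fluid Attacks tooling, or of Terraform itself: it scans Terraform source for aws_cloudtrail resources that do not set enable_log_file_validation = true. The sample input is constructed from the page's two snippets plus a trail that explicitly disables validation; the brace matching handles nested blocks but not braces inside string literals.

```python
import re

# Constructed sample (not from the page's project): the page's non-compliant
# trail, its compliant fix, and a trail that explicitly disables validation.
SAMPLE_TF = '''
resource "aws_cloudtrail" "example" {
  name           = "example"
  s3_bucket_name = aws_s3_bucket.example.bucket
  event_selector {
    read_write_type = "All"
  }
}
resource "aws_cloudtrail" "fixed" {
  name                       = "fixed"
  s3_bucket_name             = aws_s3_bucket.example.bucket
  enable_log_file_validation = true
}
resource "aws_cloudtrail" "disabled" {
  name                       = "disabled"
  enable_log_file_validation = false  # explicitly off
}
'''

RESOURCE_RE = re.compile(r'resource\s+"aws_cloudtrail"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')

def block_body(text, open_brace):
    """Return the text between the brace at open_brace and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        depth += (text[i] == '{') - (text[i] == '}')
        if depth == 0:
            return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in Terraform source")

def top_level_attrs(body):
    """Collect key = value pairs at block depth 0, ignoring nested blocks."""
    attrs, depth = {}, 0
    for line in body.splitlines():
        if depth == 0 and (m := ATTR_RE.match(line)):
            attrs[m.group(1)] = m.group(2).split('#', 1)[0].strip()
        depth += line.count('{') - line.count('}')
    return attrs

def find_unvalidated_trails(tf_source):
    """Names of aws_cloudtrail resources lacking enable_log_file_validation = true."""
    return [m.group(1) for m in RESOURCE_RE.finditer(tf_source)
            if top_level_attrs(block_body(tf_source, m.end() - 1))
               .get("enable_log_file_validation") != "true"]
if __name__ == "__main__":
    for name in find_unvalidated_trails(SAMPLE_TF):
        print(f'aws_cloudtrail.{name}: enable_log_file_validation is not true')
```

Run it against a directory of .tf files by concatenating their contents into tf_source; only the "example" and "disabled" trails in the sample are reported.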
