Insufficient data authenticity validation - CloudTrail Logs - cloudformation

Need

Improved data authenticity validation for CloudTrail Logs

Context

  • Usage of CloudFormation for Infrastructure as Code (IaC)
  • Usage of AWS CloudTrail for logging and monitoring AWS API activity
  • Usage of AWS S3 Bucket for storing and retrieving files

Description

Non-compliant code

    Resources:
      Trail:
        Type: AWS::CloudTrail::Trail
        Properties:
          TrailName: example
          S3BucketName: !Ref LogBucket
          S3KeyPrefix: prefix
          IncludeGlobalServiceEvents: true

The above CloudFormation code creates a CloudTrail trail that sends logs to an S3 bucket. However, it does not enable log file integrity validation.

Without this attribute, there is no guarantee that the log files have not been tampered with. An attacker could manipulate logs without triggering detection, compromising the authenticity and trustworthiness of audit data.

Steps

  • Add the `EnableLogFileValidation` property to the CloudTrail resource.
  • Set its value to `true` to enforce integrity checks on CloudTrail logs.
  • Redeploy the CloudFormation stack with the updated configuration.

Compliant code

    Resources:
      Trail:
        Type: AWS::CloudTrail::Trail
        Properties:
          TrailName: example
          S3BucketName: !Ref LogBucket
          S3KeyPrefix: prefix
          IncludeGlobalServiceEvents: true
          EnableLogFileValidation: true

This updated CloudFormation code enables log file integrity validation using the EnableLogFileValidation attribute.

When enabled, CloudTrail generates hash digests for log files and signs them with a private key. AWS validates these digests on retrieval to ensure logs have not been modified, helping preserve the authenticity of audit trails.
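As an added example (not part of this page and not AWS's own tooling), the following Python shows what those digests make possible for a defender: it checks each listed log file's SHA-256 against the digest's hashValue, checks the digest's hash link to its predecessor, and builds the string that the digest's SHA256withRSA signature covers, so it can be verified against the key from `aws cloudtrail list-public-keys`. All objects, keys and signature values are constructed; the field names and signed-string layout are taken from the AWS digest file documentation as assumed here, and in practice `aws cloudtrail validate-logs` performs this validation for you.

```python
import hashlib
import json
from typing import Callable

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_log_hashes(digest: dict, fetch: Callable[[str], bytes]) -> list:
    """Return 'bucket/key' of every listed log file whose content no longer matches the digest."""
    mismatched = []
    for entry in digest["logFiles"]:
        key = f'{entry["s3Bucket"]}/{entry["s3Object"]}'
        if entry["hashAlgorithm"] != "SHA-256" or sha256_hex(fetch(key)) != entry["hashValue"]:
            mismatched.append(key)
    return mismatched

def verify_previous_link(digest: dict, previous_digest: bytes) -> bool:
    """Each digest records the SHA-256 of the previous digest; a broken link means a gap or tampering."""
    return sha256_hex(previous_digest) == digest["previousDigestHashValue"]

def string_to_verify(digest: dict, digest_bytes: bytes) -> str:
    """Data covered by the digest signature (S3 metadata x-amz-meta-signature), as documented by AWS:
    end time, bucket/key, digest hash, previous signature (assumed "null" for the very first digest)."""
    prev_sig = digest.get("previousDigestSignature") or "null"
    return (f'{digest["digestEndTime"]}\n{digest["digestS3Bucket"]}/{digest["digestS3Object"]}\n'
            f'{sha256_hex(digest_bytes)}\n{prev_sig}')

# Constructed sample objects (assumed already gunzipped; hashes are over the uncompressed content).
LOG_A = b'{"Records":[{"eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging"}]}'
PREVIOUS_DIGEST = b'{"digestEndTime":"2024-01-01T00:00:00Z","logFiles":[]}'
DIGEST = {
    "digestEndTime": "2024-01-01T01:00:00Z",
    "digestS3Bucket": "example-log-bucket",
    "digestS3Object": "prefix/AWSLogs/digest-01.json",
    "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST),
    "previousDigestSignature": "constructed-previous-signature-hex",
    "logFiles": [{"s3Bucket": "example-log-bucket", "s3Object": "prefix/AWSLogs/log-a.json",
                  "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(LOG_A)}],
}
DIGEST_BYTES = json.dumps(DIGEST).encode()
OBJECTS = {"example-log-bucket/prefix/AWSLogs/log-a.json": LOG_A}

def run_check(objects: dict = OBJECTS) -> dict:
    """Run both hash checks against a 'bucket/key' -> bytes mapping standing in for S3."""
    return {"mismatched": verify_log_hashes(DIGEST, objects.__getitem__),
            "chain_ok": verify_previous_link(DIGEST, PREVIOUS_DIGEST)}
```

Any entry in `mismatched`, or a false `chain_ok`, is the condition the page describes: a log or digest that changed after CloudTrail wrote it.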
