Vulnerabilities
Misconfiguration
Runtime Security
Compliance
AWS > Cloudtrail > Enable Log Validation
HIGH
Source
Trivy/CSPM
CSPM ID
cloudtrail-file-validation
ID
AVD-AWS-0016
cloudformation management_console terraform

Cloudtrail log validation should be enabled to prevent tampering of log data

Log validation should be activated on Cloudtrail logs to prevent the tampering of the underlying data in the S3 bucket. It is feasible that a rogue actor compromising an AWS account might want to modify the log data to remove trace of their actions.

Impact

Illicit activity could be removed from the logs

Follow the appropriate remediation steps below to resolve the issue.

Turn on log validation for Cloudtrail

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  BadExample:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      IsMultiRegionTrail: true
      EnableLogFileValidation: true
      S3BucketName: "CloudtrailBucket"
      S3KeyPrefix: "/trailing"
      TrailName: "Cloudtrail"
  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for “CloudTrail”.Step
  3. In the “Dashboard” panel click on “View trails” button.Step
  4. Select the “trail” that needs to be verified under “Name” column.Step
  5. Scroll down and under the “Storage location” option check for “Enable log file validation”. If its status is “No” the selected trail does not support file validation.Step
  6. Click on the pencil icon to get into “Storage location” configuration settings. Scroll down and click on “Yes” next to “Enable log file validation” to enable the “CloudTrail” file validation to determine whether a log file was modified, deleted or unchanged after “CloudTrail” delivered it. Step
  7. Scroll down and click on “Save” to enable the CloudTrail log encryption.Step

Turn on log validation for Cloudtrail

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

resource "aws_cloudtrail" "good_example" {
  is_multi_region_trail = true
  enable_log_file_validation = true
  
  event_selector {
    read_write_type           = "All"
    include_management_events = true
    
    data_resource {
      type = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}
Aqua SaaS Plans
The fastest track to get started with Aqua
Start Now
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2022 Aqua Security Software Ltd.   Privacy Policy | Terms of Use