CIS AWS 3.2
Ensure CloudTrail log file validation is enabled

Hey there! Let's chat about a super important AWS security setting called CloudTrail log file validation. This handy feature adds an extra layer of protection to your CloudTrail logs by digitally signing them. That way, you can easily tell if anyone has messed with your logs after they were created. Definitely a best practice to enable this one!

Where did this come from?

This recommendation comes straight from the "CIS Amazon Web Services Foundations Benchmark v3.0.0 - 01-31-2024". You can download the full benchmark document from the CIS website at https://downloads.cisecurity.org/#/. The benchmark provides a whole slew of AWS security best practices to help keep your cloud environment safe and sound. For more details on CloudTrail log file validation specifically, check out the AWS docs at https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html.

Who should care?

This one is a must-know for:

  • Cloud Security Engineers responsible for securing AWS environments
  • DevOps Engineers deploying and managing AWS infrastructure
  • Compliance Officers ensuring adherence to security standards
  • IT Auditors reviewing AWS configurations for potential risks

What is the risk?

Without log file validation enabled, it's possible for a sneaky attacker to modify or delete your CloudTrail logs without you knowing. They could potentially cover their tracks after doing something malicious in your AWS environment. Yikes! Enabling log file validation helps mitigate this risk by allowing you to verify the integrity of your logs. You'll be able to detect any unexpected changes and investigate further.

What's the care factor?

I'd rate the care factor for this one as pretty high, especially if you're subject to compliance standards like PCI DSS or HIPAA that require audit logging. Even if you're not under compliance pressures, log file integrity is still crucial for security investigations and incident response. You definitely want to be able to trust your logs! Enabling this feature is a relatively low effort task, so there's no reason not to do it.

When is it relevant?

CloudTrail log file validation should basically be enabled all the time. I can't really think of a situation where you wouldn't want this extra protection. The only potential exception might be if you have a non-critical test/dev environment that doesn't contain any sensitive data. But even then, it's a good habit to enable security best practices consistently across all environments.

What are the trade offs?

Thankfully, there isn't much downside to enabling CloudTrail log file validation. It doesn't cost any extra money and has minimal performance impact. The only potential "cost" is a tiny bit of extra time and effort to set it up. But we're talking a couple minutes max. Well worth the security benefits in my opinion!

How to make it happen?

Alrighty, let's get this puppy enabled! Here's how to do it:

Via the AWS Console:

  1. Sign into the AWS Management Console and open the CloudTrail service page.
  2. Click on "Trails" in the left side menu.
  3. Click on the name of the trail you want to enable log file validation for.
  4. Under the "General details" section, click the "Edit" button.
  5. Scroll down to the "Additional settings" section.
  6. Click the checkbox next to "Enable log file validation".
  7. Click "Save" at the bottom of the page.

Via the AWS CLI:

  1. Open a terminal window and make sure you've got the AWS CLI installed and configured with your access keys.
  2. Run this command to enable log file validation on your trail:

Replace <trail_name> with the actual name of your CloudTrail trail.

That's it! You can verify log file validation is enabled by running:

Look for the LogFileValidationEnabled parameter and make sure it's set to true.

What are some gotchas?

There isn't too much that can go wrong with enabling log file validation. The main thing is just making sure you have the necessary permissions to update the CloudTrail configuration. You'll need permissions for the cloudtrail:UpdateTrail and cloudtrail:DescribeTrails actions. If you're running the AWS CLI commands, make sure you've got your access keys set up correctly too.

It's also important to note that enabling log file validation is a separate step from enabling CloudTrail itself. So make sure you've got your CloudTrail trail setup and logging correctly before worrying about log file validation. Check out the AWS docs for more info: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html

What are the alternatives?

There aren't any direct alternatives to CloudTrail's native log file validation feature. It's really the best way to verify the integrity of your CloudTrail logs within AWS.

That said, if you're looking for even stronger security assurances, you could enable S3 Object Lock on the S3 bucket that stores your CloudTrail logs. This prevents any modifications or deletes to the log files, even from users with S3 admin permissions. Just keep in mind it requires a bit more setup and management overhead. More details here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html

Explore Further

For more details on securing your CloudTrail configuration, check out the related benchmark recommendations:

  • 3.1 Ensure CloudTrail is enabled in all regions
  • 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
  • 3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs
  • 3.5 Ensure AWS Config is enabled in all regions
  • 3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • 3.7 Ensure CloudTrail logs are encrypted at rest using KMS keys

These are all part of the CIS Controls v8 around "Audit Log Management". See controls 8.1, 8.2, 8.3, 8.9, and 8.10 for more info.

Happy trails! ??

?

Blog

Learn cloud security with our research blog