HIGH CloudTrail · CIS 3.2

CloudTrail log validation

Check ID: aws-ct-002

AWS-CT-002 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether every CloudTrail trail has log file integrity validation enabled.

Why it matters

Without log file integrity validation, an attacker who compromises your account can modify or delete CloudTrail logs to erase evidence of their actions, a technique documented in MITRE ATT&CK as T1565.001 (Stored Data Manipulation). CloudTrail log validation creates SHA-256 digest files every hour that can cryptographically prove whether any log file has been modified or deleted, or remains unchanged since delivery. The 2023 SCARLETEEL attack specifically targeted CloudTrail logs for deletion to hide cryptocurrency mining activity. Enabling log validation is a single API call with no performance impact and is required by CIS AWS Benchmark 3.2, PCI-DSS Requirement 10.5, and SOC 2 CC7.2.

Common causes

Log validation is missed because the default CloudTrail creation flow in the console leaves it unchecked, and CLI or Terraform configurations must enable it explicitly (--enable-log-file-validation on the CLI, enable_log_file_validation = true in Terraform). Teams that set up CloudTrail years ago may have created trails before log validation was available and never updated the configuration. Some engineers are unaware the feature exists because it is a single checkbox buried in the trail settings.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
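The detection logic behind a check like this, as an added example (not cloud-audit's own code): it evaluates the trailList returned by the CloudTrail DescribeTrails API and flags trails with LogFileValidationEnabled unset. The sample trails, the account ID and the shadow-trail handling (evaluate each trail once, in its HomeRegion, when scanning all regions) are assumptions of this example.

```python
"""aws-ct-002 style detection over DescribeTrails output (added example)."""
from typing import Dict, List

CHECK_ID = "aws-ct-002"
REMEDIATION = "aws cloudtrail update-trail --name {name} --enable-log-file-validation"


def collect_findings(trail_list: List[Dict], current_region: str) -> List[Dict]:
    """Return one finding per trail that lacks log file integrity validation.

    DescribeTrails also lists "shadow" copies of multi-region trails homed in
    other regions, so each trail is evaluated once, in its HomeRegion and keyed
    by TrailARN (an assumption of this example, to avoid one finding per region).
    """
    findings, seen = [], set()
    for trail in trail_list:
        arn = trail["TrailARN"]
        if arn in seen or trail.get("HomeRegion") != current_region:
            continue
        seen.add(arn)
        if not trail.get("LogFileValidationEnabled", False):
            findings.append({
                "check_id": CHECK_ID,
                "severity": "HIGH",
                "trail": trail["Name"],
                "arn": arn,
                "remediation": REMEDIATION.format(name=trail["Name"]),
            })
    return findings


def describe_trails(region: str) -> List[Dict]:
    """Fetch live trail data with boto3 (not used by the constructed sample)."""
    import boto3  # imported lazily so the sample below runs without AWS access
    client = boto3.client("cloudtrail", region_name=region)
    return client.describe_trails(includeShadowTrails=True)["trailList"]


# Constructed sample: a compliant trail, a non-compliant one, and a shadow copy
# of a multi-region trail homed in another region (account ID is a placeholder).
SAMPLE_TRAILS = [
    {"Name": "org-trail", "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
    {"Name": "legacy-trail", "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/legacy-trail",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
    {"Name": "eu-trail", "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/eu-trail",
     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": True, "LogFileValidationEnabled": False},
]

if __name__ == "__main__":
    for finding in collect_findings(SAMPLE_TRAILS, "us-east-1"):
        print(finding["check_id"], finding["trail"], "->", finding["remediation"])
```

Run against us-east-1 the sample yields a single finding for legacy-trail; eu-trail is reported only when its home region is scanned.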

Remediation: AWS CLI

aws cloudtrail update-trail --name TRAIL_NAME --enable-log-file-validation

Remediation: Terraform

resource "aws_cloudtrail" "main" {
  name                       = "TRAIL_NAME"      # required
  s3_bucket_name             = "LOG_BUCKET_NAME" # required; placeholder bucket name
  enable_log_file_validation = true
}

Compliance mapping

This check maps to CIS 3.2 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.

This check is part of cloud-audit. Install it with: pip install cloud-audit