Control: 4 Ensure CloudTrail log file validation is enabled
This control checks whether log file integrity validation is enabled on a CloudTrail trail.
CloudTrail log file validation creates a digitally signed digest file that contains a hash of each log that CloudTrail writes to Amazon S3. You can use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log.
Security Hub recommends that you enable file validation on all trails. Log file validation provides additional integrity checks of CloudTrail logs.
To remediate this issue, update your CloudTrail trail to enable log file validation.
To enable CloudTrail log file validation
- Open the CloudTrail console.
- Under Name, choose the name of the trail to edit.
- Under General details, choose Edit.
- Under Additional settings, for Log file validation, choose Enabled, then save the trail.
Run the control with: steampipe check aws_compliance.control.foundational_security_cloudtrail_4
This control uses a named query: cloudtrail_trail_validation_enabled
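The following added example (not Steampipe's query and not AWS code) shows the two halves of what this page describes: evaluating the "log file validation enabled" check over trail data shaped like the CloudTrail DescribeTrails response, and the hash comparison a digest file makes possible. The trail list, the log body and the digest entry are constructed sample data; the digest field names hashValue and hashAlgorithm follow the CloudTrail digest file format. The remediation helper assumes boto3 and AWS credentials are available and is not invoked at import time.

```python
"""CloudTrail.4 check and digest hash comparison (added example, not Steampipe's code)."""
import hashlib
import json
from typing import Dict, List

# Constructed sample, shaped like the trailList returned by CloudTrail DescribeTrails.
SAMPLE_TRAILS: List[Dict] = [
    {"Name": "org-trail", "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
    {"Name": "legacy-trail", "HomeRegion": "us-west-2",
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
    # Key absent: treat as not enabled rather than silently passing the trail.
    {"Name": "no-flag-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False},
]


def evaluate_trails(trails: List[Dict]) -> List[Dict[str, str]]:
    """Return one {resource, status, reason} row per trail, in the spirit of a
    Steampipe control result: 'ok' when validation is on, 'alarm' otherwise."""
    rows = []
    for trail in trails:
        enabled = bool(trail.get("LogFileValidationEnabled", False))
        rows.append({
            "resource": trail["Name"],
            "status": "ok" if enabled else "alarm",
            "reason": f"{trail['Name']} log file validation "
                      f"{'enabled' if enabled else 'disabled'}.",
        })
    return rows


def failing_trails(trails: List[Dict]) -> List[str]:
    """Names of trails that would put this control into alarm."""
    return [r["resource"] for r in evaluate_trails(trails) if r["status"] == "alarm"]


def remediate_trail(trail_name: str) -> None:
    """Remediation: turn on log file validation for one trail via the CloudTrail API.
    Imports boto3 lazily so the rest of the module runs offline (assumes credentials)."""
    import boto3  # assumption: boto3 installed and AWS credentials configured
    boto3.client("cloudtrail").update_trail(Name=trail_name, EnableLogFileValidation=True)


# --- Digest mechanics --------------------------------------------------------
# A digest file lists each delivered log object with its SHA-256 hash; the digest
# itself is signed by CloudTrail. Comparing a log's hash with the digest entry is
# how a changed or deleted log is detected. (Verifying the digest's own signature
# is what `aws cloudtrail validate-logs` adds on top and is not shown here.)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_log_against_digest(log_bytes: bytes, digest_entry: Dict) -> str:
    """Return 'unchanged' if the delivered bytes match the digest's recorded hash,
    otherwise 'modified'. Only SHA-256 digests are accepted."""
    if digest_entry.get("hashAlgorithm") != "SHA-256":
        raise ValueError(f"unexpected hash algorithm {digest_entry.get('hashAlgorithm')!r}")
    return "unchanged" if sha256_hex(log_bytes) == digest_entry["hashValue"] else "modified"


# Constructed log body (a real delivered log is gzipped JSON; the hash covers the
# object bytes as delivered) and a constructed digest entry that refers to it.
SAMPLE_LOG = json.dumps({"Records": [{"eventSource": "cloudtrail.amazonaws.com",
                                      "eventName": "StopLogging"}]}).encode()
SAMPLE_DIGEST_ENTRY = {
    "s3Bucket": "example-trail-bucket",            # constructed
    "s3Object": "AWSLogs/123456789012/CloudTrail/us-east-1/sample.json.gz",  # constructed
    "hashValue": sha256_hex(SAMPLE_LOG),
    "hashAlgorithm": "SHA-256",
}

if __name__ == "__main__":
    for row in evaluate_trails(SAMPLE_TRAILS):
        print(f"{row['status']:5} {row['reason']}")
    print("sample log:", check_log_against_digest(SAMPLE_LOG, SAMPLE_DIGEST_ENTRY))
    print("tampered  :", check_log_against_digest(SAMPLE_LOG + b"\n", SAMPLE_DIGEST_ENTRY))
```

Running the module lists the two sample trails that would raise an alarm and shows that a single appended byte flips the digest comparison from unchanged to modified; the absent-key case is deliberately counted as disabled so a malformed or partial API response never reads as a pass.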