Low CloudTrail Regional

CloudTrail log file validation should be enabled

PCI DSS, CIS, NIST, ISO 27001

Description

This control checks whether log file integrity validation is enabled on a CloudTrail trail.


Remediation

To comply with this control, log file validation must be enabled on every CloudTrail trail. With validation enabled, CloudTrail delivers a digest file each hour that lists the SHA-256 hash of every log file delivered in that hour and is signed with a CloudTrail RSA private key; each digest also references the previous digest, so the digests form a chain. Running aws cloudtrail validate-logs against those digests tells you whether a log file was modified, deleted, or left unchanged after delivery. Validation detects tampering but does not prevent it: the log and digest objects in S3 still need a restrictive bucket policy (and, where appropriate, S3 Object Lock) so that an attacker with write access to the bucket cannot remove both the logs and the evidence of their removal.

Steps

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
  2. In the left navigation pane, click on 'Trails'.
  3. Click on the name of the trail you want to enable log file validation for.
  4. In the 'General details' section of the trail details page, click on 'Edit'.
  5. Under 'Additional settings', set 'Log file validation' to 'Enabled'.
  6. Click on 'Save changes' to apply the change.
  7. Alternatively, enable log file validation with the AWS CLI: aws cloudtrail update-trail --name <trailname> --enable-log-file-validation. Run the command in the trail's home region (the region the trail was created in); for an organization trail, run it from the organization's management account.
  8. Verify that log file validation is enabled for every trail, for example with aws cloudtrail describe-trails --include-shadow-trails, checking that LogFileValidationEnabled is true for each trail returned.
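The following is an added example, not part of the original control text or of any AWS tooling. It takes the JSON that aws cloudtrail describe-trails --include-shadow-trails returns, reports every trail that fails this control, and builds the update-trail command for each one in the trail's home region, which is where update-trail must be run. The account ID, trail names, bucket names and ARNs in the embedded sample are constructed for illustration.

```python
"""Evaluate CloudTrail trails for log file validation.

Added example (not from the original page or from AWS). Input is the JSON
produced by `aws cloudtrail describe-trails --include-shadow-trails`; the
sample below is constructed, with a made-up account ID and made-up names.
"""
import json
from typing import Dict, List

# Constructed sample: what describe-trails might return when run in us-east-1.
# "legacy-trail" is a multi-region trail whose home region is eu-west-1, so the
# entry seen here is a shadow copy; it must be fixed in eu-west-1.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {
            "Name": "org-trail",
            "S3BucketName": "example-org-cloudtrail-logs",
            "IsMultiRegionTrail": True,
            "HomeRegion": "us-east-1",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
            "LogFileValidationEnabled": True,
            "IsOrganizationTrail": True,
        },
        {
            "Name": "legacy-trail",
            "S3BucketName": "example-legacy-logs",
            "IsMultiRegionTrail": True,
            "HomeRegion": "eu-west-1",
            "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-trail",
            "LogFileValidationEnabled": False,
            "IsOrganizationTrail": False,
        },
        {
            "Name": "dev-trail",
            "S3BucketName": "example-dev-logs",
            "IsMultiRegionTrail": False,
            "HomeRegion": "us-east-1",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/dev-trail",
            # Key deliberately absent: an older or partial record. Treated as disabled.
            "IsOrganizationTrail": False,
        },
    ]
})


def find_noncompliant_trails(describe_trails_json: str) -> List[Dict]:
    """Return the trails whose LogFileValidationEnabled is not true.

    Trails are de-duplicated by TrailARN so that a multi-region trail, which
    describe-trails lists as a shadow trail in every region, is reported once.
    A missing LogFileValidationEnabled key is treated as disabled (fail closed).
    """
    data = json.loads(describe_trails_json)
    seen = set()
    failing = []
    for trail in data.get("trailList", []):
        arn = trail["TrailARN"]
        if arn in seen:
            continue
        seen.add(arn)
        if trail.get("LogFileValidationEnabled") is not True:
            failing.append(trail)
    return failing


def remediation_commands(trails: List[Dict]) -> List[str]:
    """Build one `update-trail` command per failing trail.

    update-trail is pinned to the trail's HomeRegion because CloudTrail rejects
    the call from any other region. The trail ARN is used as --name so the
    command is unambiguous across accounts in an organization.
    """
    return [
        f"aws cloudtrail update-trail --region {t['HomeRegion']} "
        f"--name {t['TrailARN']} --enable-log-file-validation"
        for t in trails
    ]


def needs_management_account(trails: List[Dict]) -> List[str]:
    """ARNs of failing organization trails, which can only be changed from the
    organization's management account (or a delegated administrator)."""
    return [t["TrailARN"] for t in trails if t.get("IsOrganizationTrail")]


if __name__ == "__main__":
    failing = find_noncompliant_trails(SAMPLE_DESCRIBE_TRAILS)
    for trail in failing:
        print(f"FAIL: {trail['TrailARN']} (home region {trail['HomeRegion']})")
    for cmd in remediation_commands(failing):
        print(cmd)
    for arn in needs_management_account(failing):
        print(f"NOTE: {arn} is an organization trail; run from the management account")
```

To use it against a real account, replace the constructed sample with the output of aws cloudtrail describe-trails --include-shadow-trails from each region you operate in, run the printed commands, then re-run the check and confirm it reports nothing. After enabling validation, aws cloudtrail validate-logs --trail-arn <arn> --start-time <ISO 8601 time> confirms that the digest chain verifies from the time validation was switched on.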

Compliance

PCI DSS, CIS, NIST, ISO 27001