
Insufficient data authenticity validation - CloudTrail Logs - CloudFormation


Need

Improved data authenticity validation for CloudTrail Logs


Context

  1. Usage of CloudFormation for Infrastructure as Code (IaC)
  2. Usage of AWS CloudTrail for logging and monitoring AWS API activity
  3. Usage of AWS S3 buckets for storing and retrieving files

Description

Insecure Code Example

Resources:
  Trail:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: example
      S3BucketName: !Ref LogBucket
      S3KeyPrefix: prefix
      IncludeGlobalServiceEvents: true

The above CloudFormation code creates a CloudTrail trail that delivers its logs to an S3 bucket. However, it does not enable log file integrity validation (the `EnableLogFileValidation` property is absent, so it defaults to disabled). Without it, there is no way to prove that the delivered log files have not been altered after delivery: an attacker who modifies or deletes logs in the bucket would leave no cryptographic trace, compromising the authenticity and trustworthiness of the audit data.

Steps

  1. Add the `EnableLogFileValidation` property to the CloudTrail resource.
  2. Set its value to `true` to enforce integrity checks on CloudTrail logs.
  3. Redeploy the CloudFormation stack with the updated configuration.

Secure Code Example

Resources:
  Trail:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: example
      S3BucketName: !Ref LogBucket
      S3KeyPrefix: prefix
      IncludeGlobalServiceEvents: true
      EnableLogFileValidation: true

This updated CloudFormation code enables log file integrity validation through the `EnableLogFileValidation` property. When it is enabled, CloudTrail generates hash digests for the delivered log files and signs them with a private key; validating these signed digests against the log files confirms that the logs have not been modified, moved or deleted, preserving the authenticity of the audit trail.
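As an added example that is not part of the original page, the following Python check scans a CloudFormation template in its JSON form (parsed with the standard library, so no YAML dependency) and reports every `AWS::CloudTrail::Trail` resource whose `EnableLogFileValidation` is missing, false, or left to an intrinsic function that only resolves at deploy time. The embedded sample template is constructed for the example and mirrors the insecure and secure trails shown above.

```python
import json

TRAIL_TYPE = "AWS::CloudTrail::Trail"
PROP = "EnableLogFileValidation"


def validation_status(props):
    """Classify one trail's EnableLogFileValidation setting as "enabled",
    "disabled", or "indeterminate" (value is an intrinsic such as Ref/Fn::If
    that is only resolved when the stack is deployed)."""
    if PROP not in props:
        return "disabled"  # absent property: CloudTrail defaults to no validation
    value = props[PROP]
    if isinstance(value, dict):
        return "indeterminate"
    if isinstance(value, str):  # templates sometimes carry the boolean as "true"
        value = value.strip().lower() == "true"
    return "enabled" if value is True else "disabled"


def find_unvalidated_trails(template_text):
    """Return {logical_id: status} for every trail not confirmed as enabled."""
    template = json.loads(template_text)
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != TRAIL_TYPE:
            continue
        status = validation_status(resource.get("Properties", {}))
        if status != "enabled":
            findings[logical_id] = status
    return findings


# Constructed sample template (CloudFormation JSON form): the page's insecure
# trail, its fixed form, and a trail whose setting comes from a parameter.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "InsecureTrail": {"Type": TRAIL_TYPE, "Properties": {
        "TrailName": "example", "S3BucketName": {"Ref": "LogBucket"},
        "S3KeyPrefix": "prefix", "IncludeGlobalServiceEvents": True}},
    "SecureTrail": {"Type": TRAIL_TYPE, "Properties": {
        "TrailName": "example", "S3BucketName": {"Ref": "LogBucket"},
        "IncludeGlobalServiceEvents": True, "EnableLogFileValidation": True}},
    "ParamTrail": {"Type": TRAIL_TYPE, "Properties": {
        "S3BucketName": {"Ref": "LogBucket"},
        "EnableLogFileValidation": {"Ref": "ValidateLogs"}}},
    "LogBucket": {"Type": "AWS::S3::Bucket"},
}})
```

Running `find_unvalidated_trails(SAMPLE_TEMPLATE)` flags `InsecureTrail` as disabled and `ParamTrail` as indeterminate, while the fixed `SecureTrail` passes; indeterminate trails need a review of the parameter's default and allowed values.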


References

  • 394 - Insufficient data authenticity validation - CloudTrail Logs

  • Last updated: 2025/04/04