
Terraform Log File Validation Disabled

Description

Detects AWS CloudTrail trails (aws_cloudtrail resources) configured without log file validation. When enable_log_file_validation is false or omitted (the Terraform AWS provider defaults it to false), CloudTrail delivers no signed digest files, so a log file that is modified, deleted or forged after delivery cannot be distinguished from a genuine one, and an attacker with write access to the log bucket can hide their activity. With validation enabled, CloudTrail writes an hourly digest file signed with a per-region private key, and the aws cloudtrail validate-logs command can then prove whether any delivered log file was altered or removed. Validation detects tampering rather than preventing it, so it should be paired with a restrictive bucket policy on the log bucket.

Detection Strategy

    Identifies AWS CloudTrail resource definitions in infrastructure code

    Checks if the resource has log file validation explicitly enabled

    Reports a security issue if log file validation is disabled or not configured

    Specifically looks for aws_cloudtrail resources whose enable_log_file_validation argument is missing or set to false

Vulnerable code example

resource "aws_cloudtrail" "vulnerable_trail" {
  enable_log_file_validation = false  # Vulnerable: Explicitly disables log file validation, allowing potential tampering
  name                       = "vulnerable-trail"
  s3_bucket_name             = aws_s3_bucket.logs.id
}

resource "aws_cloudtrail" "also_vulnerable_trail" {
  name           = "also-vulnerable-trail"  # Vulnerable: Missing enable_log_file_validation defaults to false...
  s3_bucket_name = aws_s3_bucket.logs.id    # Required argument, same log bucket as the trail above
}

✅ Secure code example

resource "aws_cloudtrail" "secure_trail" {
  enable_log_file_validation = true  # Enable log validation so tampering with delivered log files is detectable
  name                       = "secure-trail"
  s3_bucket_name             = aws_s3_bucket.logs.id
}

resource "aws_cloudtrail" "also_secure_trail" {
  enable_log_file_validation = true  # Explicitly enable log validation instead of relying on default...
  name                       = "also-secure-trail"
  s3_bucket_name             = aws_s3_bucket.logs.id  # Required argument, same log bucket as the trail above
}
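The detection strategy above, worked through as an added example in Python (this is illustrative code written for this page, not the scanner's own implementation). It parses top-level Terraform resource blocks with a deliberately simple regular-expression parser (an assumption: it does not handle every HCL construct, such as heredocs or deeply nested blocks), then flags every aws_cloudtrail resource whose enable_log_file_validation argument is absent or not true. The sample input is constructed from the vulnerable and secure trails shown on this page plus an unrelated S3 bucket resource to confirm that non-trail resources are ignored.

```python
import re

# Constructed sample input: the trails from this page plus an unrelated bucket resource.
SAMPLE_TF = '''
resource "aws_cloudtrail" "vulnerable_trail" {
  enable_log_file_validation = false  # explicitly disabled
  name                       = "vulnerable-trail"
  s3_bucket_name             = aws_s3_bucket.logs.id
}

resource "aws_cloudtrail" "also_vulnerable_trail" {
  name           = "also-vulnerable-trail"
  s3_bucket_name = aws_s3_bucket.logs.id
}

resource "aws_cloudtrail" "secure_trail" {
  enable_log_file_validation = true
  name                       = "secure-trail"
  s3_bucket_name             = aws_s3_bucket.logs.id
}

resource "aws_s3_bucket" "logs" {
  bucket = "my-trail-logs"
}
'''

# A top-level resource block: resource "<type>" "<name>" { ... } closed by a '}'
# at column 0. Nested blocks close with an indented '}', so they stay inside the body.
RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.DOTALL | re.MULTILINE,
)

# A simple "key = value" argument; the value stops at a newline or a '#' comment.
ATTR_RE = re.compile(
    r'^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<val>[^\n#]+)',
    re.MULTILINE,
)


def parse_resources(hcl):
    """Return a list of (type, name, {argument: raw_value}) for each top-level resource."""
    resources = []
    for block in RESOURCE_RE.finditer(hcl):
        attrs = {}
        for attr in ATTR_RE.finditer(block.group("body")):
            attrs[attr.group("key")] = attr.group("val").strip()
        resources.append((block.group("type"), block.group("name"), attrs))
    return resources


def is_true(raw_value):
    """Terraform accepts both `true` and "true" for a bool argument; treat both as enabled."""
    return raw_value.strip().strip('"').lower() == "true"


def find_unvalidated_trails(hcl):
    """Return (resource_name, reason) for every aws_cloudtrail without validation enabled."""
    findings = []
    for rtype, rname, attrs in parse_resources(hcl):
        if rtype != "aws_cloudtrail":
            continue
        raw = attrs.get("enable_log_file_validation")
        if raw is None:
            # Omitted argument: the provider default is false, so this is still a finding.
            findings.append((rname, "enable_log_file_validation is missing (defaults to false)"))
        elif not is_true(raw):
            findings.append((rname, f"enable_log_file_validation is set to {raw}"))
    return findings


def report(hcl):
    """Render findings as one line each, in the order the resources appear in the file."""
    return [f'aws_cloudtrail.{name}: {reason}' for name, reason in find_unvalidated_trails(hcl)]


if __name__ == "__main__":
    for line in report(SAMPLE_TF):
        print(line)
```

Run against the sample, the checker reports the two vulnerable trails and stays silent on secure_trail and on the S3 bucket. Treating a missing argument as a finding is the important design choice: a scanner that only looked for an explicit false would miss the most common real-world case, a trail declared without the argument at all.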