Drata validates that AWS CloudTrail log validation is enabled on all trails.

CloudTrail log file validation creates a digitally signed digest file containing a hash of
each log that CloudTrail writes to S3. These digest files can be used to determine
whether a log file was changed, deleted, or unchanged after CloudTrail delivered the
log. It is recommended that file validation be enabled on all CloudTrails.

This test is part of the Change Detection Mechanism control (DCF-478) that ensures your company has enabled file integrity monitoring or a change-detection mechanism to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, audit files, or content files to ensure critical data cannot be changed without generating alerts.

If it appears that AWS CloudTrail log validation is not enabled on one or more trails, your test will fail. Enabling log file validation will provide additional integrity checking of CloudTrail logs.

Note: Do this for each trail that is failing this test.

1. Sign in to the AWS Management Console and open the IAM console at.
2. Click on Trails on the left navigation pane.
3. Click on a trail that's failing this test.
4. Within the 'General details' section click edit.
5. Under the 'Advanced settings' section ensure that 'Enable' is checked under 'Log file validation' and save changes.
​

This test aligns with the Center for Internet Security’s (CIS) foundation benchmarks which provides prescriptive guidance for establishing a secure baseline configuration for Amazon Web Services. To learn more, refer to the Center for Internet Security (CIS) section.