CloudTrail Log File Integrity

  • To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation.

  • This feature is built on industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing.

  • This makes it computationally infeasible to modify, delete, or forge CloudTrail log files without detection.

  • When you enable log file integrity validation, CloudTrail creates a hash for every log file that it delivers.

  • Every hour, CloudTrail also creates and delivers a digest file: a file that references the log files delivered during the last hour and contains the hash of each one.

  • The digest files are delivered to the same Amazon S3 bucket associated with your trail as your CloudTrail log files.
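The hash-then-sign mechanism described above, as an added Go example written for this page (it is not AWS code and not what the CloudTrail service or the CLI runs internally): each delivered log file is hashed with SHA-256, the hashes are listed in a digest, and the digest is signed with RSA over SHA-256 (PKCS#1 v1.5, which is what the SHA256withRSA name denotes). The `Digest` type is a simplified, constructed stand-in whose field names follow the documented digest file (`logFiles`, `hashValue`, `hashAlgorithm`, `digestSignatureAlgorithm`); the RSA key pair is generated locally in place of CloudTrail's published public key, and the log file contents and object names are constructed samples. The validation step shows why the signature matters: a modified or deleted log file is reported per file, while a tampered digest is rejected outright before any hash is compared.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// LogFileRef mirrors the per-file entry a CloudTrail digest carries:
// the object name plus the SHA-256 of the object's contents.
type LogFileRef struct {
	S3Object      string `json:"s3Object"`
	HashValue     string `json:"hashValue"`
	HashAlgorithm string `json:"hashAlgorithm"`
}

// Digest is a constructed, simplified stand-in for a CloudTrail digest file.
type Digest struct {
	DigestSignatureAlgorithm string       `json:"digestSignatureAlgorithm"`
	LogFiles                 []LogFileRef `json:"logFiles"`
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildDigest hashes every delivered log file with SHA-256 and lists the
// results, which is what CloudTrail does hourly for the files it delivered.
func BuildDigest(files map[string][]byte) Digest {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic digest bytes regardless of map order
	d := Digest{DigestSignatureAlgorithm: "SHA256withRSA"}
	for _, n := range names {
		d.LogFiles = append(d.LogFiles, LogFileRef{
			S3Object: n, HashValue: sha256Hex(files[n]), HashAlgorithm: "SHA-256"})
	}
	return d
}

// SignDigest serialises the digest and signs its SHA-256 with RSA PKCS#1 v1.5
// (SHA256withRSA). CloudTrail keeps the signature as metadata on the digest
// object in S3; here it is simply returned next to the digest bytes.
func SignDigest(priv *rsa.PrivateKey, d Digest) (digestBytes, sig []byte, err error) {
	digestBytes, err = json.Marshal(d)
	if err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(digestBytes)
	sig, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return digestBytes, sig, err
}

// ValidateLogs performs the check in the same order validate-logs must:
// first prove the digest is authentic, only then compare each listed hash with
// what the bucket holds now. Per-file result: unchanged, modified or deleted.
func ValidateLogs(pub *rsa.PublicKey, digestBytes, sig []byte, files map[string][]byte) (map[string]string, error) {
	h := sha256.Sum256(digestBytes)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, errors.New("digest signature invalid: digest was forged or altered")
	}
	var d Digest
	if err := json.Unmarshal(digestBytes, &d); err != nil {
		return nil, err
	}
	result := make(map[string]string, len(d.LogFiles))
	for _, ref := range d.LogFiles {
		body, present := files[ref.S3Object]
		switch {
		case !present:
			result[ref.S3Object] = "deleted"
		case sha256Hex(body) != ref.HashValue:
			result[ref.S3Object] = "modified"
		default:
			result[ref.S3Object] = "unchanged"
		}
	}
	return result, nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // local key, stands in for CloudTrail's
	if err != nil {
		panic(err)
	}
	// Constructed sample "log files" standing in for delivered CloudTrail objects.
	files := map[string][]byte{
		"log-a.json.gz": []byte(`{"Records":[{"eventName":"ConsoleLogin"}]}`),
		"log-b.json.gz": []byte(`{"Records":[{"eventName":"StopLogging"}]}`),
	}
	digestBytes, sig, _ := SignDigest(priv, BuildDigest(files))
	files["log-a.json.gz"] = []byte(`{"Records":[]}`) // log-a rewritten after delivery
	delete(files, "log-b.json.gz")                    // log-b removed from the bucket
	res, err := ValidateLogs(&priv.PublicKey, digestBytes, sig, files)
	fmt.Println(res, err)
}
```

Anything in the bucket that the digest does not list is not reported, which matches the scope of the real check: a digest can only vouch for the files it references, so a missing hour of digests is itself a finding worth alerting on.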

Enabling Log File Integrity Validation for CloudTrail

  • To enable log file integrity validation with the CloudTrail console, choose Yes for the Enable log file validation option when you create or update a trail. By default, this feature is enabled for new trails.

  • To validate logs with the AWS CLI, use the CloudTrail validate-logs command (this uses the digest files delivered to your Amazon S3 bucket to perform the validation).
