aws-cloudtrail-validation-off

Ensure CloudTrail log file validation is enabled

Examples

Insecure Example

Terraform

resource "aws_cloudtrail" "bigcorp" {
  name                          = "tf-trail-bigcorp"
  s3_bucket_name                = aws_s3_bucket.bigcorp.id
  enable_log_file_validation    = false # default
}

CloudFormation

myTrail:
  DependsOn:
    - BucketPolicy
    - TopicPolicy
  Type: AWS::CloudTrail::Trail
  Properties:
    S3BucketName:
      Ref: S3Bucket
    EnableLogFileValidation: false
    IsLogging: true

Secure Example

Terraform

resource "aws_cloudtrail" "bigcorp" {
  name                          = "tf-trail-bigcorp"
  s3_bucket_name                = aws_s3_bucket.bigcorp.id
  enable_log_file_validation    = true
}

CloudFormation

myTrail:
  DependsOn:
    - BucketPolicy
    - TopicPolicy
  Type: AWS::CloudTrail::Trail
  Properties:
    S3BucketName:
      Ref: S3Bucket
    EnableLogFileValidation: true
    IsLogging: true

More information

• AWS Docs
• Terraform Docs
• Cloudformation Docs