CloudTrail log file validation should be enabled
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Description
CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. Use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. You should enable file validation on all CloudTrails.
Rationale
Enabling log file validation will provide additional integrity checking of CloudTrail logs.
Perform the following to enable log file validation on a given trail.
From the console
Open the IAM console.
Click Trails in the left navigation pane.
Select the target trail.
In the General details section, click Edit.
In the Advanced settings section:
- Check the
enable
box under Log file validation. - Click Save to save your changes.
From the command line
Update target trail with the following command:
aws cloudtrail update-trail --name <trail_name> \
--enable-log-file-validation
Default value
Not Enabled
References
- http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html