aws-cloudtrail-enable-log-validation.md

Pattern: Disabled log validation for AWS CloudTrail

Issue: -

Description

Log file validation should be enabled on CloudTrail trails so that the underlying log data in the S3 bucket is protected against undetected tampering. An attacker who compromises an AWS account may try to modify the log data to remove traces of their actions.

Resolution: Turn on log file validation for the trail (enable_log_file_validation = true on the aws_cloudtrail resource).

Examples

Example of incorrect code:

resource "aws_cloudtrail" "bad_example" {
  # name and s3_bucket_name are required by the provider; placeholder values
  name                  = "bad-example-trail"
  s3_bucket_name        = "example-trail-logs-bucket"
  is_multi_region_trail = true
  # enable_log_file_validation is omitted and defaults to false, so no
  # digest files are delivered and tampering with the logs goes unnoticed

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}

Example of correct code:

resource "aws_cloudtrail" "good_example" {
  # name and s3_bucket_name are required by the provider; placeholder values
  name                       = "good-example-trail"
  s3_bucket_name             = "example-trail-logs-bucket"
  is_multi_region_trail      = true
  # delivers signed digest files with a SHA-256 hash of every log file
  enable_log_file_validation = true

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}
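As an added example that is not part of the original rule, the following Python shows what the setting buys a defender at runtime: a check over `aws cloudtrail describe-trails` output for trails that lack validation, and the per-file step of validation itself, recomputing each delivered log object's SHA-256 and comparing it with the `hashValue` recorded in the trail's digest file. The response and digest shapes follow the CloudTrail formats as assumed here, the sample data is constructed, and the digest signature and digest chain checks that a full validation also performs are out of scope.

```python
import gzip
import hashlib
import json

# Constructed sample shaped like `aws cloudtrail describe-trails` output
# (not real account data): one trail with validation on, one without.
DESCRIBE_TRAILS = {
    "trailList": [
        {"Name": "good_example", "S3BucketName": "example-trail-logs-bucket",
         "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
        {"Name": "bad_example", "S3BucketName": "example-trail-logs-bucket",
         "IsMultiRegionTrail": True, "LogFileValidationEnabled": False},
    ]
}


def trails_without_validation(response):
    """Return the names of trails whose log files cannot be integrity-checked."""
    return [t["Name"] for t in response["trailList"]
            if not t.get("LogFileValidationEnabled", False)]


def verify_log_hashes(digest, objects):
    """Compare each log object against the SHA-256 recorded for it in the
    digest's logFiles list. `objects` maps S3 key -> raw (gzipped) bytes as
    stored in the bucket. Returns the keys that are missing or do not match."""
    bad = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        data = objects.get(key)
        if data is None or hashlib.sha256(data).hexdigest() != entry["hashValue"]:
            bad.append(key)
    return bad


def sample_digest_and_objects():
    """Constructed digest/log pair (assumed field names) where one log file
    was rewritten in the bucket after the digest recorded its hash."""
    log_a = gzip.compress(json.dumps({"Records": [{"eventName": "ConsoleLogin"}]}).encode())
    log_b = gzip.compress(json.dumps({"Records": [{"eventName": "DeleteTrail"}]}).encode())
    digest = {"digestSignatureAlgorithm": "SHA256withRSA", "logFiles": [
        {"s3Object": "logs/a.json.gz", "hashAlgorithm": "SHA-256",
         "hashValue": hashlib.sha256(log_a).hexdigest()},
        {"s3Object": "logs/b.json.gz", "hashAlgorithm": "SHA-256",
         "hashValue": hashlib.sha256(log_b).hexdigest()},
    ]}
    # b.json.gz no longer holds the bytes the digest hashed: the DeleteTrail event is gone
    objects = {"logs/a.json.gz": log_a,
               "logs/b.json.gz": gzip.compress(b'{"Records": []}')}
    return digest, objects
```

Without the digest there is nothing to compare the stored object against, which is exactly the gap the incorrect Terraform example leaves open.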