When we created our CloudFormation template, we enabled log file validation, so CloudTrail delivers a signed digest file alongside the log files it writes to S3. Those digests let us check that no CloudTrail log file (or digest file) delivered since validation was enabled has been modified or deleted. They do not tell us whether logging was ever stopped or the trail reconfigured; for that, search the trail itself for StopLogging, UpdateTrail and DeleteTrail events. To run the validation we first need the trail's Amazon Resource Name (ARN), which we can get with the following command:
$ aws cloudtrail describe-trails
{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "cloudtrail-myTrail-X85D48OAI8Q4",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:511912822958:trail/cloudtrail-myTrail-X85D48OAI8Q4",
            "LogFileValidationEnabled": true,
            "IsMultiRegionTrail": true,
            "HasCustomEventSelectors": false,
            "S3BucketName": "cloudtrail-s3bucket-ce4vw655vhku",
            "HomeRegion": "us-east-1"
        }
    ]
}
Note that "LogFileValidationEnabled" is true; validate-logs has nothing to check for periods when it was not. We can now validate the integrity of the trail for a given time window, as in the following example:
$ aws cloudtrail validate-logs \
    --start-time 2017-02-23T23:30:00Z \
    --end-time 2017-02-24T00:00:00Z \
    --trail-arn arn:aws:cloudtrail:us-east-1:511912822958:trail/cloudtrail-myTrail-X85D48OAI8Q4
Validating log files for trail arn:aws:cloudtrail:us-east-1:511912822958:trail/cloudtrail-myTrail-X85D48OAI8Q4 between 2017-02-23T23:30:00Z and 2017-02-24T00:00:00Z
Results requested for 2017-02-23T23:30:00Z to 2017-02-24T00:00:00Z
Results found for 2017-02-23T23:30:00Z to 2017-02-24T00:00:00Z:
1/1 digest files valid
32/32 log files valid
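To make clear what validate-logs is actually checking, here is an added example (not part of the original text, and not AWS's own validator) that performs the same checks offline in Go: it recomputes the SHA-256 of every log object listed in a digest, verifies the digest's RSA-SHA256 signature over the documented data-to-sign string (digest end time, bucket/key, hex SHA-256 of the digest body, hex signature of the previous digest), then follows previousDigestS3Object back through the chain. Everything below is constructed: an in-memory map stands in for the S3 bucket, a locally generated RSA key stands in for the CloudTrail public key that `aws cloudtrail list-public-keys` would return, the bucket name, object keys and log bodies are made up (and not gzipped), and the Digest struct keeps only the fields the check needs, so real digest files carry more.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Digest holds the digest-file fields validation needs (an empty previous* field marks the first digest).
type Digest struct {
	DigestEndTime           string    `json:"digestEndTime"`
	DigestS3Bucket          string    `json:"digestS3Bucket"`
	DigestS3Object          string    `json:"digestS3Object"`
	PreviousDigestS3Object  string    `json:"previousDigestS3Object"`
	PreviousDigestSignature string    `json:"previousDigestSignature"`
	LogFiles                []LogFile `json:"logFiles"`
}

// LogFile is one logFiles entry; hashValue is the hex SHA-256 of the (gzipped) log object.
type LogFile struct {
	S3Object  string `json:"s3Object"`
	HashValue string `json:"hashValue"`
}

// Store stands in for the S3 bucket: key -> body, plus the hex signature CloudTrail keeps in x-amz-meta-signature.
type Store struct {
	Objects    map[string][]byte
	Signatures map[string]string
}

func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// signingString is the documented data-to-sign: endTime \n bucket/key \n hex(sha256(body)) \n hex(prev signature).
func signingString(d Digest, body []byte) []byte {
	return []byte(d.DigestEndTime + "\n" + d.DigestS3Bucket + "/" + d.DigestS3Object + "\n" +
		sha256Hex(body) + "\n" + d.PreviousDigestSignature)
}

// Validate walks the chain backwards from latestKey, checking each digest's signature and every covered
// log file's hash. It stops at the first digest whose signature fails, since nothing in it can be trusted.
func Validate(st *Store, pub *rsa.PublicKey, latestKey string) []string {
	var problems []string
	var d Digest
	for key := latestKey; key != ""; key = d.PreviousDigestS3Object {
		d = Digest{}
		body := st.Objects[key]
		if json.Unmarshal(body, &d) != nil { // a deleted digest has a nil body and fails here too
			return append(problems, "digest missing or unparsable: "+key)
		}
		sig, _ := hex.DecodeString(st.Signatures[key])
		h := sha256.Sum256(signingString(d, body))
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
			return append(problems, "digest signature invalid: "+key)
		}
		for _, lf := range d.LogFiles {
			if lb, ok := st.Objects[lf.S3Object]; !ok {
				problems = append(problems, "log file deleted: "+lf.S3Object)
			} else if sha256Hex(lb) != lf.HashValue {
				problems = append(problems, "log file modified: "+lf.S3Object)
			}
		}
	}
	return problems
}

// addDigest stores a signed digest covering logKeys; priv is a stand-in for CloudTrail's signing key.
func addDigest(st *Store, priv *rsa.PrivateKey, key, endTime string, logKeys []string, prevKey string) {
	d := Digest{DigestEndTime: endTime, DigestS3Bucket: "cloudtrail-s3bucket-example", DigestS3Object: key,
		PreviousDigestS3Object: prevKey, PreviousDigestSignature: st.Signatures[prevKey]}
	for _, lk := range logKeys {
		d.LogFiles = append(d.LogFiles, LogFile{S3Object: lk, HashValue: sha256Hex(st.Objects[lk])})
	}
	body, _ := json.Marshal(d)
	h := sha256.Sum256(signingString(d, body))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	st.Objects[key], st.Signatures[key] = body, hex.EncodeToString(sig)
}

// SampleStore builds a constructed two-digest chain over two fake log files.
func SampleStore(priv *rsa.PrivateKey) *Store {
	st := &Store{Objects: map[string][]byte{}, Signatures: map[string]string{}}
	st.Objects["logs/a.json.gz"] = []byte(`{"Records":[{"eventName":"ConsoleLogin"}]}`)
	st.Objects["logs/b.json.gz"] = []byte(`{"Records":[{"eventName":"DeleteTrail"}]}`)
	addDigest(st, priv, "digest/1.json.gz", "2017-02-23T23:30:00Z", []string{"logs/a.json.gz"}, "")
	addDigest(st, priv, "digest/2.json.gz", "2017-02-24T00:00:00Z", []string{"logs/b.json.gz"}, "digest/1.json.gz")
	return st
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	st := SampleStore(priv)
	fmt.Println("clean:", Validate(st, &priv.PublicKey, "digest/2.json.gz"))
	st.Objects["logs/b.json.gz"] = []byte(`{"Records":[]}`) // attacker scrubs the DeleteTrail event
	delete(st.Objects, "logs/a.json.gz")                      // attacker deletes an older log file
	fmt.Println("tampered:", Validate(st, &priv.PublicKey, "digest/2.json.gz"))
}
```

The two properties worth noticing are the ones the CLI output above summarises as "digest files valid" and "log files valid": a log file can only be altered or removed without detection if the attacker can also re-sign the digest that lists it, and every digest is tied to its predecessor through the signature, so a digest cannot be dropped from the middle of the chain silently either. Whoever holds write access to the bucket must therefore not also hold the CloudTrail signing key, which is why AWS keeps it.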
Now that we know the log files for that window are intact, we can use them to answer questions about activity on the account. Running the same command with --verbose prints every digest and log file it checked, which is the output worth keeping with the notes of an investigation.