Validating CloudTrail logs integrity

When we created our CloudFormation template, we enabled the creation of digest files. Thanks to those files, we can verify that no CloudTrail log files (or digest files) were modified or deleted after delivery. To do so, we first need the trail's Amazon Resource Name (ARN). We can get it with the following command:

$ aws cloudtrail describe-trails
{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "cloudtrail-myTrail-X85D48OAI8Q4",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:511912822958:trail/cloudtrail-myTrail-X85D48OAI8Q4",
            "LogFileValidationEnabled": true,
            "IsMultiRegionTrail": true,
            "HasCustomEventSelectors": false,
            "S3BucketName": "cloudtrail-s3bucket-ce4vw655vhku",
            "HomeRegion": "us-east-1"
        }
    ]
}

We can now validate the integrity of our trail for a given period of time as in the following example:

$ aws cloudtrail validate-logs \
      --start-time 2017-02-23T23:30:00Z \
      --end-time 2017-02-24T00:00:00Z \
      --trail-arn arn:aws:cloudtrail:us-east-1:511912822958:trail/cloudtrail-myTrail-X85D48OAI8Q4

Validating log files for trail arn:aws:cloudtrail:us-east-1:511912822958:trail/cloudtrail-myTrail-X85D48OAI8Q4 between 2017-02-23T23:30:00Z and 2017-02-24T00:00:00Z

Results requested for 2017-02-23T23:30:00Z to 2017-02-24T00:00:00Z
Results found for 2017-02-23T23:30:00Z to 2017-02-24T00:00:00Z:

1/1 digest files valid
32/32 log files valid

Now that we know that our data hasn't been tampered with, we can use it to answer different questions around activities on the account.
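To make concrete what the "32/32 log files valid" verdict is based on, here is an added example (not from the book or the AWS CLI) that re-implements the per-log-file part of the check offline: a digest file lists each delivered log file together with the SHA-256 of its uncompressed content, and validation recomputes those hashes. The bucket contents, account ID, and key names are constructed sample data; the RSA signature over the digest itself, which the CLI also checks, is not modelled.

```python
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_object(events: dict) -> bytes:
    """CloudTrail writes each log file to S3 gzip-compressed."""
    return gzip.compress(json.dumps(events).encode())


# Constructed stand-in for the S3 bucket: key -> gzipped object bytes.
PREFIX = "AWSLogs/111122223333/CloudTrail/us-east-1/2017/02/23/"
BUCKET = {
    PREFIX + "log1.json.gz": make_log_object({"Records": [{"eventName": "ConsoleLogin"}]}),
    PREFIX + "log2.json.gz": make_log_object({"Records": [{"eventName": "DeleteTrail"}]}),
}

# Constructed digest file using the documented field names; hashValue is the
# SHA-256 of the uncompressed log content. The digest's own RSA signature
# (verified by the CLI with keys from `aws cloudtrail list-public-keys`)
# is not modelled here.
DIGEST = {
    "digestEndTime": "2017-02-24T00:00:00Z",
    "logFiles": [
        {"s3Object": key, "hashAlgorithm": "SHA-256",
         "hashValue": sha256_hex(gzip.decompress(obj))}
        for key, obj in BUCKET.items()
    ],
}


def validate_log_files(digest: dict, bucket: dict) -> dict:
    """Return {s3Object: 'valid' | 'hash mismatch' | 'missing'} for every log
    file the digest lists, mirroring the per-file verdicts of validate-logs."""
    results = {}
    for entry in digest["logFiles"]:
        obj = bucket.get(entry["s3Object"])
        if obj is None:
            results[entry["s3Object"]] = "missing"  # log file deleted from S3
            continue
        actual = sha256_hex(gzip.decompress(obj))
        results[entry["s3Object"]] = "valid" if actual == entry["hashValue"] else "hash mismatch"
    return results


def tamper_demo() -> dict:
    """Edit one log file and delete another, then re-validate."""
    bucket = dict(BUCKET)
    bucket[PREFIX + "log2.json.gz"] = make_log_object({"Records": []})  # event removed
    del bucket[PREFIX + "log1.json.gz"]
    return validate_log_files(DIGEST, bucket)
```

Because the digest is signed with a key that only CloudTrail holds, an attacker who rewrites a log file cannot also rewrite the digest to match, which is why a mismatch or a missing file shows up in the validate-logs output.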
