Control: AWS > PCI v3.2.1 > CloudTrail > 3 CloudTrail log file validation should be enabled

This control checks whether CloudTrail log file validation is enabled.

It does not check when configurations are altered.

To monitor and alert on log file changes, you can use Amazon EventBridge or CloudWatch metric filters.

Remediation

To enable CloudTrail log file validation

1. Open the CloudTrail console at CloudTrail. 2. In the navigation pane, choose Trails. 3. In the Name column, choose the Trail Name to edit. 4. Under General details, choose Edit. 5. Under Additional settings, for Log file validation,, select Enabled. 6. Choose Save.

PCI requirement(s): 10.5.2, 10.5.5

Resource Types

This control targets the following resource types:

AWS > CloudTrail > Trail

Policies

This control type relies on these other policies when running actions:

AWS > PCI v3.2.1

In Your Workspace

Developers

Control Type URI

tmod:@turbot/aws-pciv3-2-1#/control/types/cloudTrailTrailValidationEnabled

Category URI

tmod:@turbot/turbot#/control/categories/compliancePci

GraphQL

query controlType(id: "tmod:@turbot/aws-pciv3-2-1#/control/types/cloudTrailTrailValidationEnabled") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/aws-pciv3-2-1#/control/types/cloudTrailTrailValidationEnabled'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/cloudTrailTrailValidationEnabled"