Control: AWS > PCI v3.2.1 > CloudTrail > 3 CloudTrail log file validation should be enabled
This control checks whether CloudTrail log file validation is enabled on each trail. With validation enabled, CloudTrail delivers an hourly digest file that lists the SHA-256 hash of every log file delivered in that hour and signs the digest with a CloudTrail-managed private key, so that a deleted or modified log file can be detected after the fact with `aws cloudtrail validate-logs`.
The control is a point-in-time check of the trail setting: it does not detect that a trail's configuration was altered later (for example, validation being switched off again) or that a delivered log file was tampered with.
To monitor and alert on trail configuration changes and on log file changes, use Amazon EventBridge rules or CloudWatch Logs metric filters on the CloudTrail management events.
Remediation
To enable CloudTrail log file validation
- Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
- In the navigation pane, choose Trails.
- In the Name column, choose the Trail Name to edit.
- Under General details, choose Edit.
- Under Additional settings, for Log file validation, select Enabled.
- Choose Save.
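The console steps above enable validation one trail at a time, and the check described at the top of the page does not catch a trail that is later switched back. The following script is an added example, not Turbot's or AWS's code: it audits a `describe-trails` response for trails missing validation (the same condition this control evaluates), remediates them with the CloudTrail API, and installs a CloudWatch Logs metric filter for trail configuration changes to cover the monitoring gap the description mentions. The sample response, the trail names, the account ID and the log group name are constructed for the example; the remediation functions need boto3 and AWS credentials and are not exercised by the offline dry run.

```python
"""Audit, remediate and monitor CloudTrail log file validation.

Added example, not part of the Turbot control or the AWS documentation.
The audit logic operates on the JSON shape returned by
`aws cloudtrail describe-trails`; remediation uses boto3 (AWS SDK for
Python) and only runs when called explicitly with credentials available.
"""
import json

# Constructed sample shaped like a describe-trails response (fictional
# account 111111111111): one compliant trail, one explicitly disabled, and
# one where the field is absent entirely.
SAMPLE_DESCRIBE_TRAILS = json.loads("""
{
  "trailList": [
    {"Name": "org-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": true,
     "LogFileValidationEnabled": true},
    {"Name": "legacy-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/legacy-trail",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": false,
     "LogFileValidationEnabled": false},
    {"Name": "shadow-trail",
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/shadow-trail",
     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": false}
  ]
}
""")

# Names of CloudTrail management events that change a trail's configuration
# or logging state; UpdateTrail is the call that can turn validation off.
TRAIL_CHANGE_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail",
                       "StartLogging", "StopLogging"}

# CloudWatch Logs filter-pattern syntax for the same set of event names.
TRAIL_CHANGE_FILTER_PATTERN = "{ " + " || ".join(
    f"($.eventName = {name})" for name in sorted(TRAIL_CHANGE_EVENTS)) + " }"


def trails_without_validation(describe_trails_response):
    """Return ARNs of trails whose LogFileValidationEnabled is not true.

    A missing key is treated as disabled: the control requires the setting
    to be explicitly on, so absence is a finding, not a pass.
    """
    return [t["TrailARN"]
            for t in describe_trails_response.get("trailList", [])
            if not t.get("LogFileValidationEnabled", False)]


def is_trail_change_event(event):
    """Python equivalent of TRAIL_CHANGE_FILTER_PATTERN for a parsed event."""
    return event.get("eventName") in TRAIL_CHANGE_EVENTS


def enable_validation(trail_arns, profile=None):
    """Turn on log file validation for each trail (needs boto3 + credentials).

    UpdateTrail must be called in the trail's home region, so a client is
    created per region, taken from the ARN rather than the caller's default.
    """
    import boto3
    session = boto3.Session(profile_name=profile)
    for arn in trail_arns:
        region = arn.split(":")[3]
        session.client("cloudtrail", region_name=region).update_trail(
            Name=arn, EnableLogFileValidation=True)


def install_change_filter(log_group_name, region, profile=None):
    """Create a metric filter that counts trail configuration changes.

    Assumes the trail already delivers to the given CloudWatch Logs group;
    an alarm on the resulting metric is left to the caller.
    """
    import boto3
    logs = boto3.Session(profile_name=profile, region_name=region).client("logs")
    logs.put_metric_filter(
        logGroupName=log_group_name,
        filterName="CloudTrailConfigurationChanges",
        filterPattern=TRAIL_CHANGE_FILTER_PATTERN,
        metricTransformations=[{"metricName": "CloudTrailConfigurationChanges",
                                "metricNamespace": "CloudTrailMetrics",
                                "metricValue": "1"}])


if __name__ == "__main__":
    # Offline dry run against the constructed sample.
    findings = trails_without_validation(SAMPLE_DESCRIBE_TRAILS)
    print("Trails without log file validation:", findings)
    print("Metric filter pattern:", TRAIL_CHANGE_FILTER_PATTERN)
    # Live use (assumed names): feed the real describe-trails output, then
    #   enable_validation(findings)
    #   install_change_filter("CloudTrail/DefaultLogGroup", "us-east-1")
```

After enabling validation, confirm it end to end rather than trusting the flag: wait for the first hourly digest and run `aws cloudtrail validate-logs --trail-arn <arn> --start-time <iso-timestamp>`, which re-hashes the delivered files and checks the digest signature chain. Validation only covers files delivered after it was turned on; earlier log files have no digest and cannot be verified retroactively.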
PCI requirement(s): 10.5.2, 10.5.5
Resource Types
This control targets the following resource types:
Developers
Control Type URI: tmod:@turbot/aws-pciv3-2-1#/control/types/cloudTrailTrailValidationEnabled
Category URI: tmod:@turbot/turbot#/control/categories/compliancePci
GraphQL: Get Controls
CLI: turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/cloudTrailTrailValidationEnabled"