Policy: AWS > CIS v2.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled

Configures auditing against a CIS Benchmark item.

Level: 2

CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.

Resource Types

This policy targets the following resource types:

AWS > CloudTrail > Trail

Primary Policy

This policy is used with the following primary policy:

AWS > CIS v2.0 > 3 - Logging

Controls

Policy Specification

Schema Type	`string`
Default	`Per AWS > CIS v2.0 > 3 - Logging`
Valid Values [YAML]	`Per AWS > CIS v2.0 > 3 - Logging` `Skip` `Check: Benchmark`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/v0706

Policy Type URI

tmod:@turbot/aws-cisv2-0#/policy/types/r0302

GraphQL

query policyType(id: "tmod:@turbot/aws-cisv2-0#/policy/types/r0302") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/aws-cisv2-0#/policy/types/r0302'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/aws-cisv2-0#/policy/types/r0302'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/aws-cisv2-0#/policy/types/r0302"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/aws-cisv2-0#/policy/types/r0302"