Validating CloudTrail log file integrity


Ensuring Trustworthy CloudTrail Logs: A Deep Dive into Log File Integrity Validation

Keeping a close eye on your AWS account activity is crucial for security and maintaining control. CloudTrail, an AWS service, acts as a digital watchdog, recording every API call made within your account. But how can you be certain these logs haven't been tampered with? This is where CloudTrail log file integrity validation comes in.

Why Validate Your Logs?

Imagine a scenario where someone alters a CloudTrail log file to hide unauthorized activity. Integrity validation lets you detect exactly that kind of tampering, and validated logs provide a strong layer of assurance:

  • Unaltered History: You can confidently assert that the log files haven't been modified, deleted, or forged. This strengthens the foundation for security investigations and forensic analysis.
  • Identifying Missing Logs: The validation process can also reveal missing log files, indicating potential gaps in your activity record.
  • Verifying User Activity: You can confirm that specific user credentials were indeed responsible for certain API actions.

How Does It Work?

CloudTrail leverages industry-standard algorithms to achieve this validation:

  • Hashing with SHA-256: Each delivered log file is hashed with SHA-256, producing a fingerprint (the hash value) that is unique to its content. Any alteration to the file, however small, results in a completely different hash.
  • Digital Signing with RSA: Every hour, CloudTrail creates a "digest file" that lists the log files delivered in that period together with their hash values. Each digest file is digitally signed with a private key (the SHA256withRSA algorithm), so its authenticity can be checked with the corresponding public key.

These digest files are delivered to the same S3 bucket as your CloudTrail logs, in a separate folder (CloudTrail-Digest) for better organization. Additionally, each digest file records the hash and the digital signature of the previous digest, linking the digests into a chain in which a missing or altered digest becomes detectable.

Where's the Information Stored?

Both CloudTrail log files and digest files can be stored securely and cost-effectively in Amazon S3 or S3 Glacier for long-term retention. For enhanced security of digest files, you can leverage Amazon S3 MFA Delete, requiring multi-factor authentication for deletion attempts.

Enabling and Validating

There are three ways to enable log file integrity validation:

  • AWS Management Console: A straightforward option for enabling validation directly from the console.
  • AWS CLI: The AWS Command Line Interface offers more granular control for programmatic configuration.
  • CloudTrail API: For advanced users, the CloudTrail API allows programmatic integration with your existing workflows.

Once enabled, CloudTrail delivers digest files, but the actual validation process is separate. You can utilize the AWS CLI to validate files in their original location. If you've moved the logs elsewhere, you'll need to develop custom validation tools.

For detailed instructions on using the AWS CLI or creating custom implementations, refer to the official AWS CloudTrail documentation.

Understanding Digest File Content

CloudTrail digest file structure

{
  "awsAccountId": "111122223333",
  "digestStartTime": "2015-08-17T14:01:31Z",
  "digestEndTime": "2015-08-17T15:01:31Z",
  "digestS3Bucket": "S3-bucket-name",
  "digestS3Object": "AWSLogs/111122223333/CloudTrail-Digest/us-east-2/2015/08/17/111122223333_CloudTrail-Digest_us-east-2_your-trail-name_us-east-2_20150817T150131Z.json.gz",
  "digestPublicKeyFingerprint": "31e8b5433410dfb61a9dc45cc65b22ff",
  "digestSignatureAlgorithm": "SHA256withRSA",
  "newestEventTime": "2015-08-17T14:52:27Z",
  "oldestEventTime": "2015-08-17T14:42:27Z",
  "previousDigestS3Bucket": "S3-bucket-name",
  "previousDigestS3Object": "AWSLogs/111122223333/CloudTrail-Digest/us-east-2/2015/08/17/111122223333_CloudTrail-Digest_us-east-2_your-trail-name_us-east-2_20150817T140131Z.json.gz",
  "previousDigestHashValue": "97fb791cf91ffc440d274f8190dbdd9aa09c34432aba82739df18b6d3c13df2d",
  "previousDigestHashAlgorithm": "SHA-256",
  "previousDigestSignature": "<hex-encoded RSA signature of the previous digest file>",
  "logFiles": [
    {
      "s3Bucket": "S3-bucket-name",
      "s3Object": "AWSLogs/111122223333/CloudTrail/us-east-2/2015/08/17/111122223333_CloudTrail_us-east-2_20150817T1445Z_9nYN7gp2eWAJHIfT.json.gz",
      "hashValue": "9bb6196fc6b84d6f075a56548feca262bd99ba3c2de41b618e5b6e22c1fc71f6",
      "hashAlgorithm": "SHA-256",
      "newestEventTime": "2015-08-17T14:52:27Z",
      "oldestEventTime": "2015-08-17T14:42:27Z"
    }
  ]
}

The sample digest file above shows the information a digest contains:

  • Account Identification: The AWS account ID associated with the log files.
  • Digest Timeframe: The start and end times of the period covered by the digest file.
  • S3 Bucket and Object Details: The S3 bucket where the digest file resides and its object key (file name).
  • Public Key Fingerprint: A unique identifier for the public key used to validate the digest file's signature.
  • Signature Algorithm: The cryptographic algorithm used to sign the digest file (SHA256withRSA in this case).
  • Event Time Range: The timeframe of the events captured in the referenced log files.
  • Previous Digest Details: The location of the previous digest file, its hash value and hash algorithm, and its digital signature. This is what links the digest files into a chain of trust.
  • Log File Entries: An array containing details for each log file referenced in the digest, such as S3 bucket and object location, hash value, and event time range.
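The hashing, signing and chaining described under "How Does It Work?", the validation step mentioned under "Enabling and Validating", and the digest fields listed above come together in the following Python walk-through. It is an added example, not code from this article or from AWS: it generates a throwaway RSA key pair (a real validator fetches AWS's public key with the CloudTrail ListPublicKeys API and selects the one matching digestPublicKeyFingerprint), builds a two-digest chain over one constructed log file, and then runs the three checks a validator performs: the digest's SHA256withRSA signature, the SHA-256 hash of every referenced log file, and the hash of the previous digest. The layout of the signed data string (digestEndTime, bucket/key, hex SHA-256 of the digest file, previous signature, newline-separated) follows AWS's published custom-validation guide as I recall it, and the literal "null" standing in for the first digest's absent previous signature is an assumption; confirm both against the current AWS documentation before relying on them. The bucket name, S3 object keys and log contents are constructed sample values.

```python
import gzip, hashlib, json, random

# DER DigestInfo prefix for SHA-256, as used by PKCS#1 v1.5 signatures (RFC 8017).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; fine for a throwaway demo key (random is not a CSPRNG)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_demo_keypair(bits=1024):
    """Throwaway RSA key pair; AWS's real key comes from ListPublicKeys, matched by digestPublicKeyFingerprint."""
    e, primes = 65537, []
    while len(primes) < 2:
        c = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if _is_probable_prime(c) and c not in primes and (c - 1) % e:
            primes.append(c)
    p, q = primes
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _emsa(message, k):
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rsa_sign_hex(message, priv):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(_emsa(message, k), d, n).to_bytes(k, "big").hex()

def rsa_verify_hex(message, sig_hex, pub):
    """SHA256withRSA check; CloudTrail stores the hex signature in the digest object's S3 metadata."""
    n, e = pub
    try:
        s = int.from_bytes(bytes.fromhex(sig_hex), "big")
    except ValueError:
        return False
    return 0 < s < n and pow(s, e, n) == _emsa(message, (n.bit_length() + 7) // 8)

def digest_data_string(digest, digest_file_bytes):
    """The string CloudTrail signs: layout per AWS's custom-validation guide (from memory);
    the literal "null" for a chain's first digest is an assumption."""
    return "\n".join([digest["digestEndTime"],
                      f'{digest["digestS3Bucket"]}/{digest["digestS3Object"]}',
                      hashlib.sha256(digest_file_bytes).hexdigest(),
                      digest.get("previousDigestSignature") or "null"]).encode()

def validate_digest(digest_file_bytes, signature_hex, pub, objects):
    """Return the problems found (empty list == digest and its log files check out).
    `objects` maps S3 object key -> bytes as stored (gzipped), standing in for S3 reads."""
    problems, digest = [], json.loads(gzip.decompress(digest_file_bytes))
    # 1. Authenticity: the digest must carry a valid signature over its own content.
    if not rsa_verify_hex(digest_data_string(digest, digest_file_bytes), signature_hex, pub):
        problems.append("digest signature does not verify")
    # 2. Integrity of every log file the digest vouches for (detects edits and deletions).
    for entry in digest["logFiles"]:
        data = objects.get(entry["s3Object"])
        if data is None:
            problems.append(f"missing log file {entry['s3Object']}")
        elif hashlib.sha256(data).hexdigest() != entry["hashValue"]:
            problems.append(f"hash mismatch for {entry['s3Object']}")
    # 3. Chain: the previous digest must exist and hash to the recorded value.
    prev_key = digest.get("previousDigestS3Object")
    if prev_key and prev_key not in objects:
        problems.append(f"missing previous digest {prev_key}")
    elif prev_key and hashlib.sha256(objects[prev_key]).hexdigest() != digest["previousDigestHashValue"]:
        problems.append("previous digest hash mismatch (chain broken)")
    return problems

def build_sample_chain(priv):
    """Two signed digests over one constructed log file (sample data, not real CloudTrail output)."""
    bucket, objects = "example-trail-bucket", {}
    log_key = "AWSLogs/111122223333/CloudTrail/us-east-2/2015/08/17/log-1.json.gz"
    objects[log_key] = gzip.compress(b'{"Records":[{"eventName":"ConsoleLogin"}]}')
    chain, prev_key, prev_sig = [], None, None
    for i, end in enumerate(["2015-08-17T14:01:31Z", "2015-08-17T15:01:31Z"], 1):
        key = f"AWSLogs/111122223333/CloudTrail-Digest/us-east-2/2015/08/17/digest-{i}.json.gz"
        body = {"awsAccountId": "111122223333", "digestEndTime": end,
                "digestS3Bucket": bucket, "digestS3Object": key,
                "previousDigestS3Object": prev_key, "previousDigestSignature": prev_sig,
                "previousDigestHashValue": hashlib.sha256(objects[prev_key]).hexdigest() if prev_key else None,
                # The first digest starts the chain; only the second covers the log file.
                "logFiles": [] if i == 1 else [{"s3Bucket": bucket, "s3Object": log_key, "hashAlgorithm": "SHA-256",
                                                "hashValue": hashlib.sha256(objects[log_key]).hexdigest()}]}
        raw = gzip.compress(json.dumps(body).encode())
        sig = rsa_sign_hex(digest_data_string(body, raw), priv)  # in AWS, done with CloudTrail's private key
        objects[key], prev_key, prev_sig = raw, key, sig
        chain.append((key, sig))
    return objects, chain
```

validate_digest reports its findings as a list rather than a single boolean so that a forged signature, a modified log file, a deleted log file and a broken digest chain can be told apart, which is the same distinction you need when deciding whether an investigation's evidence is intact. For files still in their original S3 location, the AWS CLI's validate-logs command performs these checks for you; the code above is the kind of custom implementation the article mentions for logs that have been moved elsewhere.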

By employing CloudTrail log file integrity validation, you gain a powerful tool to ensure the trustworthiness and reliability of your CloudTrail logs. This, in turn, strengthens your security posture and empowers you to make informed decisions based on accurate activity records.


Follow Neeraj Pandey For More Useful Articles
