Description:
CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.
Rationale:
Enabling log file validation will provide additional integrity checking of CloudTrail logs.
Perform the following to enable log file validation on a given trail:
From Console:
From Command Line:
aws cloudtrail update-trail --name --enable-log-file-validation
Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn --start-time --end-time