Compliance · Low severity

AWS Security Hub · CloudTrail

CloudTrail.4: CloudTrail log file validation should be enabled

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub CloudTrail.4 check?

CloudTrail.4 fails when a trail does not have log file validation enabled. Validation produces hourly signed digest files that make the trail tamper-evident.

Why does CloudTrail.4 matter?

Without validation you can't prove a log file wasn't altered or deleted after the fact, which is exactly what an attacker covering their tracks would do. Each digest references the previous hour's digest by hash, forming a chain back to when validation was first enabled, so deleting one incriminating log file together with its digest still breaks the chain at that hour. Forging it cleanly would need AWS's private signing key, which never leaves AWS.

How do I fix CloudTrail.4?

  1. Enable validation on the trail by setting --enable-log-file-validation via update-trail.
  2. Periodically verify integrity with cloudtrail validate-logs and investigate any broken-chain report.
  3. Enforce validation on every trail across all accounts and Regions through your baseline so it can't be silently turned off.
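The digest chain described above, and the kind of check that step 2's validate-logs performs, modelled in Python as an added example that is not part of this page or of Emnode's materials. It mirrors the real digest fields (logFiles[].hashValue, previousDigestS3Object, previousDigestHashValue) but omits the RSA signature AWS adds over each digest, and every log file and digest here is constructed sample data.

```python
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_digest(name, log_files, previous_name, digest_store):
    """Model one hourly digest: hashes of this hour's log files plus the hash of the previous digest.
    Field names mirror real CloudTrail digests; the RSA signature AWS adds is omitted in this model."""
    digest = {
        "digestS3Object": name,
        "logFiles": [{"s3Object": n, "hashValue": sha256_hex(b)} for n, b in sorted(log_files.items())],
        "previousDigestS3Object": previous_name,
        "previousDigestHashValue": sha256_hex(digest_store[previous_name]) if previous_name else None,
    }
    digest_store[name] = json.dumps(digest, sort_keys=True).encode()
    return name


def validate_chain(newest, digest_store, log_store):
    """Walk from the newest digest back to the first, following each previous-digest pointer,
    and return every problem found; an empty list means the chain and all log files are intact."""
    problems, name, expected_hash = [], newest, None
    while name is not None:
        raw = digest_store.get(name)
        if raw is None:  # pointer dangles: the digest itself was deleted
            problems.append(f"{name}: digest missing, chain broken here")
            break
        if expected_hash is not None and sha256_hex(raw) != expected_hash:
            problems.append(f"{name}: digest altered")
        d = json.loads(raw)
        for entry in d["logFiles"]:
            body = log_store.get(entry["s3Object"])
            if body is None:
                problems.append(f"{name}: log file {entry['s3Object']} missing")
            elif sha256_hex(body) != entry["hashValue"]:
                problems.append(f"{name}: log file {entry['s3Object']} modified")
        expected_hash, name = d["previousDigestHashValue"], d["previousDigestS3Object"]
    return problems


def build_chain(hours):
    """Constructed sample data: one log file per hour, each hour's digest chained to the previous one."""
    log_store, digest_store, prev = {}, {}, None
    for h in range(hours):
        log_name = f"logs/{h:02d}.json.gz"
        log_store[log_name] = json.dumps({"Records": [{"eventName": "ConsoleLogin", "hour": h}]}).encode()
        prev = build_digest(f"digests/{h:02d}.json", {log_name: log_store[log_name]}, prev, digest_store)
    return log_store, digest_store, prev


def tamper_and_validate(hours=3, remove_hour=1):
    """Delete one hour's log file AND its digest (the covering-tracks case), then re-validate."""
    log_store, digest_store, newest = build_chain(hours)
    assert validate_chain(newest, digest_store, log_store) == []  # intact chain validates clean
    del log_store[f"logs/{remove_hour:02d}.json.gz"]
    del digest_store[f"digests/{remove_hour:02d}.json"]
    return validate_chain(newest, digest_store, log_store)  # the next hour's digest still exposes the gap
```

Removing a whole hour still leaves the following hour's digest pointing at the missing one, which is why the report in step 2 can never come back clean after a deletion unless the attacker also rewrites every later digest.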

Remediation script · bash

# Create one multi-Region trail that satisfies the whole CloudTrail family.
aws cloudtrail create-trail \
  --name org-audit-trail \
  --s3-bucket-name my-cloudtrail-logs-bucket \
  --is-multi-region-trail \
  --include-global-service-events \
  --enable-log-file-validation \
  --cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:111122223333:log-group:/aws/cloudtrail/org:* \
  --cloud-watch-logs-role-arn arn:aws:iam::111122223333:role/CloudTrail_CloudWatchLogs_Role

# Capture read AND write management events (not data events, which are billed per event).
aws cloudtrail put-event-selectors --trail-name org-audit-trail \
  --event-selectors ReadWriteType=All,IncludeManagementEvents=true

# Defining the trail does not record anything: start it, then verify it is logging.
aws cloudtrail start-logging --name org-audit-trail
aws cloudtrail get-trail-status --name org-audit-trail --query IsLogging --output text

# For org-wide coverage, recreate with --is-organization-trail from the management
# or delegated-admin account so every member account inherits it automatically.

Full walkthrough (console steps, edge cases and verification) in the lesson Enable CloudTrail and API activity logging.

Part of the learning path: See what's happening
  • CloudTrail.1 No multi-Region trail captures read/write management events
  • CloudTrail.2 CloudTrail logs are not KMS-encrypted
  • CloudTrail.3 No CloudTrail trail is enabled at all
  • CloudTrail.5 CloudTrail is not wired to CloudWatch for alerting
  • CloudTrail.6 The CloudTrail log bucket is publicly accessible
  • CloudTrail.7 Enable access logging on the CloudTrail S3 bucket
  • CloudTrail.10 CloudTrail Lake stores should use customer-managed KMS