AWS Security Academy · Lesson

CloudTrail Log File Validation

Use digest files to prove logs were not modified after delivery.

Proving Integrity

CloudTrail log file validation lets you prove that log files delivered to S3 were not modified, deleted, or forged after CloudTrail wrote them. It is the feature that turns "we hope the logs are intact" into "we can cryptographically demonstrate they are." Enabling it is a one-click best practice on any trail.

How Validation Works

When enabled, CloudTrail creates a digest file every hour that references the log files delivered in that period and contains a hash of each. The digest files are themselves signed. Together they form a chain that lets you verify both that each log file is unchanged and that none are missing.
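As an added example, not part of this lesson, the checks a validator performs, in Python with only the standard library: recompute each log file's SHA-256 and compare it with the digest, confirm the digest commits to its predecessor's hash, and rebuild the data string whose RSA-SHA256 signature CloudTrail stores on the digest object. Account number, bucket, object keys and file contents are constructed; field names follow the published digest file structure, hashes are assumed to be over the uncompressed content, and the final RSA check against the public key from the CloudTrail public-key listing is left out.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample data (hypothetical account, bucket and keys).
# Uncompressed contents of one delivered log file (what you get after gunzip).
LOG_FILE_BODY = json.dumps({"Records": [{"eventName": "ConsoleLogin"}]}).encode()
# Raw bytes of the previous digest file in the chain.
PREVIOUS_DIGEST = json.dumps({"awsAccountId": "111111111111", "logFiles": []}).encode()
# The digest file under test, using the documented field names.
DIGEST = {
    "awsAccountId": "111111111111",
    "digestEndTime": "2024-01-01T01:00:00Z",
    "digestS3Bucket": "example-trail-bucket",
    "digestS3Object": "AWSLogs/111111111111/CloudTrail-Digest/us-east-1/2024/01/01/d2.json.gz",
    "previousDigestS3Object": "AWSLogs/111111111111/CloudTrail-Digest/us-east-1/2024/01/01/d1.json.gz",
    "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST),
    "previousDigestSignature": "abcdef0123456789",  # placeholder hex signature of d1
    "logFiles": [{
        "s3Bucket": "example-trail-bucket",
        "s3Object": "AWSLogs/111111111111/CloudTrail/us-east-1/2024/01/01/log1.json.gz",
        "hashValue": sha256_hex(LOG_FILE_BODY),
        "hashAlgorithm": "SHA-256",
    }],
}

def check_log_files(digest: dict, fetch) -> list:
    """Return the keys of log files that are missing (fetch gives None) or whose
    uncompressed content no longer matches the hash recorded in the digest."""
    bad = []
    for entry in digest["logFiles"]:
        content = fetch(entry["s3Bucket"], entry["s3Object"])
        if content is None or sha256_hex(content) != entry["hashValue"]:
            bad.append(entry["s3Object"])
    return bad

def check_chain_link(digest: dict, previous_digest_bytes: bytes) -> bool:
    """A digest commits to its predecessor's hash; a mismatch means a digest
    file was altered or swapped somewhere earlier in the chain."""
    return sha256_hex(previous_digest_bytes) == digest["previousDigestHashValue"]

def signing_string(digest: dict, digest_bytes: bytes) -> str:
    """Rebuild the newline-separated string CloudTrail signs: end time,
    bucket/key, hex SHA-256 of the digest file, previous digest's signature."""
    parts = [digest["digestEndTime"], digest["digestS3Bucket"] + "/" + digest["digestS3Object"],
             sha256_hex(digest_bytes), digest["previousDigestSignature"]]
    return "\n".join(parts)
```

In a real run `fetch` would download and gunzip the S3 object; a non-empty result from `check_log_files` or a false `check_chain_link` is the tampering signal the lesson describes.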
