Guaranteeing Log File Integrity and Least Privilege Guidelines for Storing AWS CloudTrail Logs

Ensure Security Compliance for AWS CloudTrail Logs

Question

A pharma firm has deployed its application servers on AWS resources across multiple regions.

AWS CloudTrail logs from different regions are delivered to a single Amazon bucket in the us-east-1 region.

To meet audit compliance, the Security Head needs a guarantee that no log files are modified after delivery, and the storage of the logs should follow least-privilege guidelines. Which configuration can be done to meet this requirement?

Answers

Explanations


A. B. C. D.

Correct Answer: A.

Once log file integrity validation is enabled, CloudTrail creates a digest file that references the delivered log files and contains a hash for each of them.

This digest file is delivered to the same Amazon S3 bucket as the CloudTrail log files, but in a separate folder.

Separate security policies can be applied to the folder containing the digest files.

Option B is incorrect as digest files are delivered in a separate folder from the CloudTrail log files.

Options C and D are incorrect as digest files are delivered in the same bucket as the CloudTrail log files.

For more information on CloudTrail log file integrity, refer to the following URL:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
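As an added example (not from this page or from AWS), the following script shows how a defender checks delivered log files against the per-file SHA-256 hashes listed in a digest file, which is what the integrity-validation feature described above relies on. The account id, bucket name, object keys and log contents are constructed, and the digest is a simplified stand-in that omits the signature and previous-digest chain a real CloudTrail digest carries.

```python
import gzip
import hashlib

ACCOUNT = "111122223333"          # constructed account id
BUCKET = "central-trail-bucket"   # constructed name for the us-east-1 bucket

def log_key(region, suffix):
    # Mirror CloudTrail's S3 prefix layout for log files (constructed keys).
    return (f"AWSLogs/{ACCOUNT}/CloudTrail/{region}/2024/01/01/"
            f"{ACCOUNT}_CloudTrail_{region}_20240101T0000Z_{suffix}.json.gz")

# Stand-ins for the gzipped log objects as delivered to the bucket (constructed contents).
LOG_OBJECTS = {
    log_key("eu-west-1", "a"): gzip.compress(b'{"Records":[{"eventName":"ConsoleLogin"}]}', mtime=0),
    log_key("us-east-1", "b"): gzip.compress(b'{"Records":[{"eventName":"DeleteTrail"}]}', mtime=0),
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def build_digest(bucket, objects):
    # Constructed digest carrying the per-log-file fields CloudTrail writes; a real digest
    # also includes a signature and a chain link to the previous digest file.
    return {
        "awsAccountId": ACCOUNT,
        "digestS3Bucket": bucket,
        "logFiles": [
            {"s3Bucket": bucket, "s3Object": key,
             "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(data)}
            for key, data in sorted(objects.items())
        ],
    }

# Digest captured at delivery time, before anyone could have touched the log files.
DIGEST = build_digest(BUCKET, LOG_OBJECTS)

def verify_digest(digest, objects):
    """Return (key, reason) for every referenced log file that is missing or altered."""
    problems = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if entry["hashAlgorithm"] != "SHA-256":
            problems.append((key, "unsupported hash algorithm"))
            continue
        data = objects.get(key)   # in practice: download the object from entry["s3Bucket"]
        if data is None:
            problems.append((key, "log file missing"))
        elif sha256_hex(data) != entry["hashValue"]:
            problems.append((key, "hash mismatch"))
    return problems
```

Running `verify_digest(DIGEST, LOG_OBJECTS)` on untouched objects returns an empty list; replacing or deleting any object after the digest was written produces a `hash mismatch` or `log file missing` entry for that key.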

To meet the requirement of guaranteeing that no log files are modified post-delivery and to follow the least privilege guidelines for storing logs, the solution needs to enable log file integrity validation and set up a security policy on the Amazon S3 bucket that stores the CloudTrail log files.

Option A, enabling log file integrity validation and setting a security policy on folders consisting of digest files in the same S3 bucket as CloudTrail log files, is not a valid solution since digest files are not the actual log files and cannot be used to validate the integrity of the log files.

Option B, enabling log file integrity validation and setting a security policy on folders consisting of log files in the same S3 bucket as CloudTrail log files, is not a recommended solution since log files should not be stored in the same bucket as the one used for CloudTrail logs. It is best practice to store CloudTrail logs in a dedicated bucket and log files in a separate bucket to avoid any potential access or modification to CloudTrail logs.

Option C, enabling log file integrity validation and setting a security policy on folders consisting of log files in a different S3 bucket from CloudTrail log files, is a recommended solution. This approach ensures that log files are stored in a separate S3 bucket from CloudTrail logs, and therefore, are not accessible by unauthorized users. The security policy can be set to allow only the necessary permissions to the users or roles that need to access the log files.

Option D, enabling log file integrity validation and setting a security policy on folders consisting of digest files in a different S3 bucket from CloudTrail log files, is not a valid solution since digest files cannot be used to validate the integrity of the log files.

In summary, option C is the correct answer as it enables log file integrity validation and sets a security policy on folders consisting of log files in a separate S3 bucket from CloudTrail log files.