Protecting the Integrity of CloudTrail Log Files

Combination of Steps to Ensure Log File Integrity

Question

A company uses CloudTrail to log all AWS API activity for all regions in all of its accounts.

The CISO has asked that additional steps be taken to protect the integrity of the log files. What combination of steps will protect the log files from intentional or unintentional alteration? Choose 2 answers from the options given below.

Answers

A. Create an S3 bucket in a dedicated log account and grant the other accounts write-only access. Deliver all log files from every account to this S3 bucket.
B. Write a Lambda function that queries the Trusted Advisor CloudTrail checks and run it every 10 minutes.
C. Enable CloudTrail log file integrity validation.
D. Use Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing CloudTrail logs.
E. Create a Security Group that blocks all traffic except calls from the CloudTrail service, and associate it with all the CloudTrail destination S3 buckets.

Explanations

Answer: A and C.

Option A is CORRECT because delivering every account's CloudTrail log files to a single S3 bucket in a dedicated log account, with the source accounts limited to write-only access, takes the log files out of reach of the accounts whose activity they record. A user or attacker who gains administrative access to one of the member accounts can still generate log entries, but cannot read, overwrite, or delete the files already stored in the log account.

Option B is incorrect because the Trusted Advisor CloudTrail check only reports whether CloudTrail logging is turned on; polling it from a Lambda function does nothing to detect or prevent alteration of the log files themselves.

Option C is CORRECT because to determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation.

This feature is built using industry-standard algorithms such as SHA-256 for hashing and SHA-256 with RSA for digital signing.

This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.

Option D is incorrect because Systems Manager Configuration Compliance reports on the patch and State Manager compliance of managed instances; it does not evaluate S3 bucket access policies, and even a service that did (AWS Config, for example) would only report on the policy, not protect the log files from alteration.

Option E is incorrect because Security Groups are attached to VPC network interfaces such as those of EC2 instances; they cannot be associated with S3 buckets. Access to a bucket is controlled by bucket policies, IAM policies, and VPC endpoint policies, not by Security Groups.

For more information on CloudTrail log file validation, kindly refer to the below URL:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html

For more information on delivering CloudTrail logs from multiple accounts, kindly refer to the below URL:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html

The CISO has requested additional measures to protect the integrity of the AWS API activity log files that are being logged using CloudTrail. There are multiple measures that can be taken to safeguard the integrity of the log files, and two correct options are required from the available ones:

A. Create an S3 bucket in a dedicated log account and grant the other accounts write-only access. Deliver all log files from every account to this S3 bucket.

C. Enable CloudTrail log file integrity validation.

Option A involves setting up a dedicated AWS account for logging purposes and creating an S3 bucket in it. The trails in all other AWS accounts used by the company are configured to deliver their log files to this bucket, which stores all logs in a centralized location. In practice the writes are performed by the CloudTrail service principal, and the bucket policy grants it s3:PutObject on each account's prefix (AWSLogs/<account-id>/*), as described in the multi-account delivery documentation linked above. Because the member accounts hold no read, overwrite, or delete permissions on the bucket, a compromised administrator in one of those accounts cannot modify or remove the evidence of their own activity. Note that this protects the files from the member accounts, not from the log account itself, so access to the log account should be tightly restricted. Moreover, the centralized logging solution provides a comprehensive view of the logs from all accounts, making anomalies easier to detect.

Option C involves enabling CloudTrail log file integrity validation, which is a feature of CloudTrail. With validation enabled, CloudTrail delivers a digest file every hour that records the SHA-256 hash of every log file delivered in that period, together with the hash of the previous digest file, and signs each digest file with SHA-256 with RSA using a private key held by CloudTrail. To determine whether a log file was modified, deleted, or left unchanged after delivery, you run the validation (for example, aws cloudtrail validate-logs), which re-hashes the stored log files, compares the results with the hashes in the digest files, verifies the digest signatures with the CloudTrail public key, and walks the chain of digests. A hash mismatch, a missing file, or a broken chain shows that the files were altered after CloudTrail delivered them. CloudTrail does not raise an alert on its own; the validation is something you run, so it should be scheduled and its results monitored.
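The following block is an added example, not code from the page or from AWS, that re-implements offline what the validation step described above does: it builds constructed log objects and digest files in the documented digest layout, re-hashes the objects against the digest, checks the previous-digest hash chain, and assembles the string that CloudTrail signs. The account ID, bucket name, object keys, timestamps and signature placeholders are all constructed; RSA signature verification against the CloudTrail public key is described in a comment but not performed, since it requires the key fetched with aws cloudtrail get-public-key. Treating the previous signature as an empty string for the first digest in a chain is an assumption.

```python
import gzip
import hashlib
import json

ACCOUNT = "111111111111"             # constructed account id
BUCKET = "central-cloudtrail-logs"   # constructed log-archive bucket name


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_object(events: list) -> bytes:
    # CloudTrail delivers log files as gzip-compressed JSON; the digest records
    # the SHA-256 of the compressed object exactly as delivered. mtime=0 keeps
    # the constructed bytes deterministic.
    return gzip.compress(json.dumps({"Records": events}).encode(), mtime=0)


def build_digest(key: str, log_objects: dict, previous=None) -> bytes:
    """Produce a digest file in the documented layout for the given log objects.

    `previous` is (previous_digest_key, previous_digest_bytes), or None for the
    first digest in a chain. Signature fields are placeholders: the signing key
    is held by CloudTrail, not by the log owner.
    """
    digest = {
        "awsAccountId": ACCOUNT,
        "digestEndTime": "2024-01-01T01:00:00Z",           # constructed
        "digestS3Bucket": BUCKET,
        "digestS3Object": key,
        "digestSignatureAlgorithm": "SHA256withRSA",
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": k,
             "hashValue": sha256_hex(v), "hashAlgorithm": "SHA-256"}
            for k, v in sorted(log_objects.items())
        ],
        "previousDigestS3Bucket": BUCKET if previous else None,
        "previousDigestS3Object": previous[0] if previous else None,
        "previousDigestHashValue": sha256_hex(previous[1]) if previous else None,
        "previousDigestHashAlgorithm": "SHA-256" if previous else None,
        "previousDigestSignature": "<hex RSA signature placeholder>" if previous else None,
    }
    return json.dumps(digest, sort_keys=True).encode()


def validate_digest(digest_bytes: bytes, store: dict) -> dict:
    """Re-hash every object the digest covers.

    Returns {s3Object: 'valid' | 'modified' | 'missing'}; `store` stands in for
    the S3 bucket as a dict of key -> object bytes.
    """
    results = {}
    for entry in json.loads(digest_bytes)["logFiles"]:
        obj = store.get(entry["s3Object"])
        if obj is None:
            results[entry["s3Object"]] = "missing"    # deleted after delivery
        elif sha256_hex(obj) == entry["hashValue"]:
            results[entry["s3Object"]] = "valid"
        else:
            results[entry["s3Object"]] = "modified"   # bytes changed after delivery
    return results


def chain_intact(digest_bytes: bytes, previous_digest_bytes: bytes) -> bool:
    # Each digest carries the hash of the previous one, so a replaced or
    # re-generated digest breaks the chain even if its own entries are consistent.
    d = json.loads(digest_bytes)
    return d["previousDigestHashValue"] == sha256_hex(previous_digest_bytes)


def signing_string(digest_bytes: bytes) -> str:
    """The newline-separated string CloudTrail signs with SHA-256 with RSA:
    digestEndTime, bucket/key, hex SHA-256 of the digest file as delivered,
    and the previous digest's signature. A verifier checks the signature stored
    in the digest object's metadata against this string using the public key
    from `aws cloudtrail get-public-key`; that RSA step is omitted here.
    """
    d = json.loads(digest_bytes)
    prev_sig = d["previousDigestSignature"] or ""   # assumption for the first digest
    return "\n".join([d["digestEndTime"],
                      f'{d["digestS3Bucket"]}/{d["digestS3Object"]}',
                      sha256_hex(digest_bytes),
                      prev_sig])


def demo() -> dict:
    """Deliver two log files, then scrub an event from one and delete the other."""
    prefix = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/01/01/"
    logs = {
        prefix + "a.json.gz": make_log_object([{"eventName": "CreateUser"}]),
        prefix + "b.json.gz": make_log_object([{"eventName": "DeleteTrail"}]),
    }
    d1 = build_digest("digest-1.json.gz", logs)
    d2 = build_digest("digest-2.json.gz", {}, previous=("digest-1.json.gz", d1))

    tampered = dict(logs)
    tampered[prefix + "b.json.gz"] = make_log_object([{"eventName": "CreateUser"}])  # DeleteTrail removed
    del tampered[prefix + "a.json.gz"]                                                 # file deleted

    return {"clean": validate_digest(d1, logs),
            "tampered": validate_digest(d1, tampered),
            "chain_ok": chain_intact(d2, d1),
            "chain_broken": chain_intact(d2, d1 + b" ")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the demo makes is that the digest hashes only let you detect tampering that happened after delivery; an attacker who can rewrite both the log file and the digest file still fails the signature check, because the digest signature cannot be re-created without CloudTrail's private key, and re-creating the digest also breaks the previous-digest hash recorded in the next digest in the chain.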

Option B, writing a Lambda function that queries the Trusted Advisor CloudTrail checks and running it every 10 minutes, is incorrect, as it doesn't protect the integrity of the log files.

Option D, using Systems Manager Configuration Compliance to continually monitor the access policies of S3 buckets containing CloudTrail logs, is incorrect. Configuration Compliance reports on the patch and State Manager compliance of managed instances, not on S3 bucket policies, and monitoring a policy would in any case only report on who may access the logs; it would not protect the log files from alteration.

Option E, creating a Security Group that blocks all traffic except calls from the CloudTrail service and associating it with all the CloudTrail destination S3 buckets, is incorrect. Security Groups apply to VPC network interfaces and cannot be associated with an S3 bucket, so this option cannot be implemented at all; access to the bucket is restricted with a bucket policy instead.

In conclusion, options A and C should be implemented to ensure the integrity of the log files, with option A providing a centralized logging solution, and option C enabling CloudTrail log file integrity validation.