Ensuring the Integrity of CloudTrail Log Files | AWS Certified Security - Specialty Exam

Protecting CloudTrail Log Files from Modification or Deletion

Question

Your CTO thinks your AWS account was hacked.

As CloudTrail has been enabled in the AWS account, you want to analyze the API activities from the logs.

How would you ensure that the CloudTrail log files were not modified or deleted after CloudTrail delivered them?

Explanations

Answer - A.

The AWS Documentation mentions the following.

To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation.

This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing.

This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.

You can use the AWS CLI to validate the files in the location where CloudTrail delivered them.

Validated log files are invaluable in security and forensic investigations.

For example, a validated log file enables you to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity.

The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time.

Options B, C and D are invalid because none of them can establish whether a delivered log file was later modified or deleted; only CloudTrail log file integrity validation provides that check.

For more information on CloudTrail log file validation, please visit the URL below:

http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html

To ensure that the CloudTrail log files were not modified or deleted after CloudTrail delivered them, you can use CloudTrail Log File Integrity Validation, which is an AWS service that automatically validates the integrity of the log files in S3. When enabled, this feature creates an additional digest file, which contains a cryptographic hash of each log file that CloudTrail delivers to the designated S3 bucket. This hash is calculated using the SHA-256 algorithm, and it's stored in the same bucket as the log file, but with a .digest suffix.

By comparing the hash of the original log file with the hash in the corresponding .digest file, you can verify that the log file has not been tampered with. This process can be automated using AWS Lambda and Amazon SNS to receive notifications when a log file fails integrity validation.
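The hash comparison described above, as an added illustration that is not part of the original page or of any AWS tool. It assumes a digest file whose `logFiles` entries carry `s3Object`, `hashValue` and `hashAlgorithm` fields; the log content, object key and digest values are constructed here, and the digest's `hashValue` is taken to cover the uncompressed log file content.

```python
import hashlib
import json
from typing import Dict, Optional

# Constructed sample: the uncompressed JSON content of one delivered log file and its S3 key.
LOG_KEY = ("AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/"
           "111122223333_CloudTrail_us-east-1_20240101T0030Z_example.json.gz")
LOG_CONTENT = json.dumps(
    {"Records": [{"eventName": "ConsoleLogin", "eventTime": "2024-01-01T00:27:11Z"}]}
).encode()


def sha256_hex(data: bytes) -> str:
    """Hex-encoded SHA-256, the hash algorithm CloudTrail digests use for log files."""
    return hashlib.sha256(data).hexdigest()


# Constructed digest-file content with the log-file fields a digest carries. The hashValue is
# computed here from the sample content so the example is self-consistent (assumption: the
# digest's hashValue is the SHA-256 of the uncompressed log file content).
DIGEST = {
    "awsAccountId": "111122223333",
    "digestStartTime": "2024-01-01T00:00:00Z",
    "digestEndTime": "2024-01-01T01:00:00Z",
    "digestS3Bucket": "example-trail-bucket",
    "logFiles": [
        {"s3Bucket": "example-trail-bucket", "s3Object": LOG_KEY,
         "hashValue": sha256_hex(LOG_CONTENT), "hashAlgorithm": "SHA-256"},
    ],
}


def verify_log_files(digest: dict, fetched: Dict[str, Optional[bytes]]) -> Dict[str, str]:
    """Check every log file the digest lists against the bytes retrieved from S3.

    `fetched` maps an S3 object key to its content, or None when the object no longer exists.
    Returns one status per key: 'valid', 'modified' (hash mismatch), 'deleted' (object gone)
    or 'unsupported-hash' (digest names an algorithm this checker does not handle)."""
    results: Dict[str, str] = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        content = fetched.get(key)
        if content is None:
            results[key] = "deleted"
        elif entry["hashAlgorithm"] != "SHA-256":
            results[key] = "unsupported-hash"
        elif sha256_hex(content) != entry["hashValue"]:
            results[key] = "modified"
        else:
            results[key] = "valid"
    return results
```

Because the digest is the trust anchor, its own RSA signature and its link to the previous digest must be verified before the hashes are trusted; `aws cloudtrail validate-logs --trail-arn <arn> --start-time <time>` performs both that chain check and the per-file comparison shown here.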

AWS Config SNS Subscriptions and processing events in real-time (Option B) does not provide a mechanism for validating log file integrity, but rather monitors and evaluates the configuration of AWS resources for compliance against predefined rules. This option is more suited for monitoring changes to AWS resources than log file integrity validation.

Using CloudTrail backed up to AWS S3 and Glacier (Option C) can help you store CloudTrail logs for compliance, auditing, and forensic purposes, but it does not address the issue of log file integrity validation.

AWS Config Timeline forensics (Option D) can help you investigate security incidents by providing a timeline view of resource changes and API calls, but it does not provide a mechanism for validating the integrity of CloudTrail log files.

Therefore, the correct answer is A. Use CloudTrail Log File Integrity Validation.