[ aws . cloudtrail ]
Validates CloudTrail logs for a given period of time.
This command uses the digest files delivered to your S3 bucket to perform the validation.
The AWS CLI allows you to detect the following types of changes:
Modification or deletion of CloudTrail log files.
Modification or deletion of CloudTrail digest files.
To validate log files with the AWS CLI, the following preconditions must be met:
You must have online connectivity to AWS.
You must have read access to the S3 bucket that contains the digest and log files.
The digest and log files must not have been moved from the original S3 location where CloudTrail delivered them.
For organization trails you must have access to describe-organization to validate digest files
When you disable Log File Validation, the chain of digest files is broken after one hour. CloudTrail will not digest log files that were delivered during a period in which the Log File Validation feature was disabled. For example, if you enable Log File Validation on January 1, disable it on January 2, and re-enable it on January 10, digest files will not be created for the log files delivered from January 3 to January 9. The same applies whenever you stop CloudTrail logging or delete a trail.
Note
Log files that have been downloaded to local disk cannot be validated with the AWS CLI. The CLI will download all log files each time this command is executed.
Note
This command requires that the role executing the command has permission to call ListObjects, GetObject, and GetBucketLocation for each bucket referenced by the trail.
See ‘aws help’ for descriptions of global parameters.
validate-logs
--trail-arn <value>
--start-time <value>
[--end-time <value>]
[--s3-bucket <value>]
[--s3-prefix <value>]
[--account-id <value>]
[--verbose]
--trail-arn
(string)
Specifies the ARN of the trail to be validated
--start-time
(string)
Specifies that log files delivered on or after the specified UTC timestamp value will be validated. Example: “2015-01-08T05:21:42Z”.
--end-time
(string)
Optionally specifies that log files delivered on or before the specified UTC timestamp value will be validated. The default value is the current time. Example: “2015-01-08T12:31:41Z”.
--s3-bucket
(string)
Optionally specifies the S3 bucket where the digest files are stored. If a bucket name is not specified, the CLI will retrieve it by calling describe_trails
--s3-prefix
(string)
Optionally specifies the optional S3 prefix where the digest files are stored. If not specified, the CLI will determine the prefix automatically by calling describe_trails.
--account-id
(string)
Optionally specifies the account for validating logs. This parameter is needed for organization trails for validating logs for specific account inside an organization
--verbose
(boolean)
Display verbose log validation information
See ‘aws help’ for descriptions of global parameters.
To validate a log file
The following validate-logs
command validates the logs for Trail1
:
aws cloudtrail validate-logs --trail-arn arn:aws:cloudtrail:us-east-1:123456789012:trail/Trail1 --start-time 20160129T19:00:00Z
Output:
Validating log files for trail arn:aws:cloudtrail:us-east-1:123456789012:trail/Trail1 between 2016-01-29T19:00:00Z and 2016-01-29T22:15:43Z
Results requested for 2016-01-29T19:00:00Z to 2016-01-29T22:15:43Z
Results found for 2016-01-29T19:24:57Z to 2016-01-29T21:24:57Z:
3/3 digest files valid
15/15 log files valid