Amazon Web Services Management Console Amazon CLI CloudTrail API

Enabling log file integrity validation for CloudTrail

You can enable log file integrity validation by using the Amazon Web Services Management Console, Amazon Command Line Interface (Amazon CLI), or CloudTrail API. CloudTrail starts delivering digest files in about an hour.

Amazon Web Services Management Console

To enable log file integrity validation with the CloudTrail console, choose Yes for the Enable log file validation option when you create or update a trail. By default, this feature is enabled for new trails. For more information, see Creating and updating a trail with the console.

Amazon CLI

To enable log file integrity validation with the Amazon CLI, use the --enable-log-file-validation option with the create-trail or update-trail commands. To disable log file integrity validation, use the --no-enable-log-file-validation option.

Example

The following update-trail command enables log file validation and starts delivering digest files to the Amazon S3 bucket for the specified trail.


aws cloudtrail update-trail --name your-trail-name --enable-log-file-validation

CloudTrail API

To enable log file integrity validation with the CloudTrail API, set the EnableLogFileValidation request parameter to true when calling CreateTrail or UpdateTrail.

For more information, see CreateTrail and UpdateTrail in the Amazon CloudTrail API Reference.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Validating CloudTrail log file integrity

Validating CloudTrail log file integrity with the Amazon CLI