AWS CloudTrail User Guide, Version 1.0, page 168
Custom Implementations of CloudTrail Log File Integrity Validation

8. Validate the signature by passing in the SHA-256 hash of the string, the public key, and the signature as parameters to the RSA signature verification algorithm. If the result is true, the digest file is valid.

Validate the Log Files

If the digest file is valid, validate each of the log files that the digest file references.

1. To validate the integrity of a log file, compute its SHA-256 hash value on its uncompressed content and compare the result with the hash for the log file recorded in hexadecimal in the digest. If the hashes match, the log file is valid.

2. By using the information about the previous digest file that is included in the current digest file, validate the previous digest files and their corresponding log files in succession.

The following sections describe these steps in detail.

A. Get the Digest File

The first steps are to get the most recent digest file, verify that you have retrieved it from its original location, verify its digital signature, and get the fingerprint of the public key.

1. Using S3 Get or the AmazonS3Client class (for example), get the most recent digest file from your Amazon S3 bucket for the time range that you want to validate.

2. Check that the S3 bucket and S3 object used to retrieve the file match the S3 bucket and S3 object locations that are recorded in the digest file itself.

3. Next, get the digital signature of the digest file from the x-amz-meta-signature metadata property of the digest file object in Amazon S3.

4. In the digest file, get the fingerprint of the public key whose private key was used to sign the digest file from the digestPublicKeyFingerprint field.

B. Retrieve the Public Key for Validating the Digest File

To get the public key to validate the digest file, you can use either the AWS CLI or the CloudTrail API. In both cases, you specify a time range (that is, a start time and end time) for the digest files that you want to validate. One or more public keys may be returned for the time range that you specify. The returned keys may have validity time ranges that overlap.

Note
Because CloudTrail uses different private/public key pairs per region, each digest file is signed with a private key unique to its region. Therefore, when you validate a digest file from a particular region, you must retrieve its public key from the same region.

Use the AWS CLI to Retrieve Public Keys

To retrieve public keys for digest files by using the AWS CLI, use the cloudtrail list-public-keys command. The command has the following format:

aws cloudtrail list-public-keys [--start-time <start-time>] [--end-time <end-time>]

The start-time and end-time parameters are UTC timestamps and are optional. If not specified, the current time is used, and the currently active public key or keys are returned.
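The two "Validate the Log Files" steps above, as an added Python example that is not from the AWS guide: it recomputes each log's SHA-256 over its uncompressed content and walks the previousDigest* chain backwards, stopping at the first digest whose recorded hash does not match. The in-memory bucket, object keys and log contents are constructed; the digest field names follow the CloudTrail digest format, and the example assumes previousDigestHashValue is the SHA-256 of the previous digest's uncompressed bytes (the RSA signature check of step 8 is left out).

```python
import gzip
import hashlib
import json

def store_gzip(bucket, key, raw):
    """bucket is a constructed dict standing in for S3: object key -> gzip-compressed bytes."""
    bucket[key] = gzip.compress(raw)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def build_sample_bucket():
    """Two made-up log files and two digest files chained through the previousDigest* fields."""
    bucket = {}
    store_gzip(bucket, "logs/log-1.json.gz", b'{"Records":[{"eventName":"ConsoleLogin"}]}')
    store_gzip(bucket, "logs/log-2.json.gz", b'{"Records":[{"eventName":"StopInstances"}]}')
    def log_entry(key):  # hash covers the uncompressed log content, as the guide specifies
        return {"s3Bucket": "example-bucket", "s3Object": key, "hashAlgorithm": "SHA-256",
                "hashValue": sha256_hex(gzip.decompress(bucket[key]))}
    digest1 = {"logFiles": [log_entry("logs/log-1.json.gz")],
               "previousDigestS3Object": None, "previousDigestHashValue": None}
    store_gzip(bucket, "digests/digest-1.json.gz", json.dumps(digest1).encode())
    digest2 = {"logFiles": [log_entry("logs/log-2.json.gz")],
               "previousDigestS3Object": "digests/digest-1.json.gz",
               "previousDigestHashValue": sha256_hex(gzip.decompress(bucket["digests/digest-1.json.gz"]))}
    store_gzip(bucket, "digests/digest-2.json.gz", json.dumps(digest2).encode())
    return bucket

def validate_log_files(bucket, digest):
    """Step 1: recompute each referenced log's SHA-256 and compare with the hash in the digest."""
    results = {}
    for entry in digest["logFiles"]:
        data = bucket.get(entry["s3Object"])
        actual = sha256_hex(gzip.decompress(data)) if data is not None else None
        results[entry["s3Object"]] = ("missing" if data is None else
                                      "valid" if actual == entry["hashValue"].lower() else "hash mismatch")
    return results

def validate_digest_chain(bucket, newest_key):
    """Step 2: walk previousDigest* links backwards; assumes previousDigestHashValue = SHA-256 of the previous digest's uncompressed bytes."""
    report, key = {}, newest_key
    while key is not None:
        digest = json.loads(gzip.decompress(bucket[key]))
        report[key] = validate_log_files(bucket, digest)
        prev_key = digest.get("previousDigestS3Object")
        if prev_key is not None and sha256_hex(gzip.decompress(bucket[prev_key])) != digest["previousDigestHashValue"]:
            report[prev_key] = {"digest": "hash mismatch, chain broken"}
            break  # nothing older than a digest whose hash does not match can be trusted
        key = prev_key
    return report
```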