8.
Validate the signature by passing in the SHA-256 hash of the string, the public key, and the signature
as parameters to the RSA signature verification algorithm. If the result is true, the digest file is valid.
Validate the Log Files
If the digest file is valid, validate each of the log files that the digest file references.
1.
To validate the integrity of a log file, compute its SHA-256 hash value on its uncompressed content
and compare the results with the hash for the log file recorded in hexadecimal in the digest. If the
hashes match, the log file is valid.
2.
By using the information about the previous digest file that is included in the current digest file,
validate the previous digest files and their corresponding log files in succession.
The following sections describe these steps in detail.
A. Get the Digest File
The first steps are to get the most recent digest file, verify that you have retrieved it from its original
location, verify its digital signature, and get the fingerprint of the public key.
1. Using
S3 Get
or the
AmazonS3Client class
(for example), get the most recent digest file from your
Amazon S3 bucket for the time range that you want to validate.
2.
Check that the S3 bucket and S3 object used to retrieve the file match the S3 bucket S3 object
locations that are recorded in the digest file itself.
3.
Next, get the digital signature of the digest file from the
x-amz-meta-signature
metadata
property of the digest file object in Amazon S3.
4.
In the digest file, get the fingerprint of the public key whose private key was used to sign the digest
file from the
digestPublicKeyFingerprint
field.
B. Retrieve the Public Key for Validating the Digest File
To get the public key to validate the digest file, you can use either the AWS CLI or the CloudTrail API. In
both cases, you specify a time range (that is, a start time and end time) for the digest files that you want
Version 1.0
168
AWS CloudTrail User Guide
Custom Implementations of CloudTrail
Log File Integrity Validation
to validate. One or more public keys may be returned for the time range that you specify. The returned
keys may have validity time ranges that overlap.
Note
Because CloudTrail uses different private/public key pairs per region, each digest file is signed
with a private key unique to its region. Therefore, when you validate a digest file from a
particular region, you must retrieve its public key from the same region.
Use the AWS CLI to Retrieve Public Keys
To retrieve public keys for digest files by using the AWS CLI, use the
cloudtrail list-public-keys
command. The command has the following format:
aws cloudtrail list-public-keys [--start-time <start-time>] [--end-time <end-
time>]
The start-time and end-time parameters are UTC timestamps and are optional. If not specified, the
current time is used, and the currently active public key or keys are returned.
You've reached the end of your free preview.
Want to read all 263 pages?
- Fall '19
- Amazon Web Services, AWS, Amazon Elastic Compute Cloud, AWS CloudTrail
