aws cloudtrail validate-logs

Validates CloudTrail logs for a given period of time. This command uses the digest files delivered to your S3 bucket to perform the validation. The AWS CLI allows you to detect the following types of changes: - Modification or deletion of CloudTrail log files. - Modification or deletion of CloudTrail digest files. To validate log files with the AWS CLI, the following preconditions must be met: - You must have online connectivity to AWS. - You must have read access to the S3 bucket that contains the digest and log files. - The digest and log files must not have been moved from the original S3 location where CloudTrail delivered them. - For organization trails you must have access to describe-organization to validate digest files When you disable Log File Validation, the chain of digest files is broken after one hour. CloudTrail will not digest log files that were delivered during a period in which the Log File Validation feature was disabled. For example, if you enable Log File Validation on January 1, disable it on January 2, and re-enable it on January 10, digest files will not be created for the log files delivered from January 3 to January 9. The same applies whenever you stop CloudTrail logging or delete a trail. .. note:: Log files that have been downloaded to local disk cannot be validated with the AWS CLI. The CLI will download all log files each time this command is executed. .. note:: This command requires that the role executing the command has permission to call ListObjects, GetObject, and GetBucketLocation for each bucket referenced by the trail.

Options