CloudTrail digest file structure
Each digest file contains the names of the log files that were delivered to your Amazon S3 bucket during the last hour, the hash values for those log files, and the digital signature of the previous digest file. The signature for the current digest file is stored in the metadata properties of the digest file object. The digital signatures and hashes are used for validating the integrity of the log files and of the digest file itself.
Digest file location
Digest files are delivered to an Amazon S3 bucket location that follows this syntax.
s3://
amzn-s3-demo-bucket
/optional-prefix/
AWSLogs/aws-account-id
/CloudTrail-Digest/region
/digest-end-year
/digest-end-month
/digest-end-date
/aws-account-id
_CloudTrail-Digest_region_trail-name
_region_digest
_end_timestamp
.json.gz
Note
For organization trails, the bucket location also includes the organization unit ID, as follows:
s3://
amzn-s3-demo-bucket
/optional-prefix/
AWSLogs/O-ID
/aws-account-id
/CloudTrail-Digest/region
/digest-end-year
/digest-end-month
/digest-end-date
/aws-account-id
_CloudTrail-Digest_region_trail-name
_region_digest
_end_timestamp
.json.gz
Sample digest file contents
The following example digest file contains information for a CloudTrail log.
{ "awsAccountId": "111122223333", "digestStartTime": "2015-08-17T14:01:31Z", "digestEndTime": "2015-08-17T15:01:31Z", "digestS3Bucket": "amzn-s3-demo-bucket", "digestS3Object": "AWSLogs/111122223333/CloudTrail-Digest/us-east-2/2015/08/17/111122223333_CloudTrail-Digest_us-east-2_your-trail-name_us-east-2_20150817T150131Z.json.gz", "digestPublicKeyFingerprint": "31e8b5433410dfb61a9dc45cc65b22ff", "digestSignatureAlgorithm": "SHA256withRSA", "newestEventTime": "2015-08-17T14:52:27Z", "oldestEventTime": "2015-08-17T14:42:27Z", "previousDigestS3Bucket": "amzn-s3-demo-bucket", "previousDigestS3Object": "AWSLogs/111122223333/CloudTrail-Digest/us-east-2/2015/08/17/111122223333_CloudTrail-Digest_us-east-2_your-trail-name_us-east-2_20150817T140131Z.json.gz", "previousDigestHashValue": "97fb791cf91ffc440d274f8190dbdd9aa09c34432aba82739df18b6d3c13df2d", "previousDigestHashAlgorithm": "SHA-256", "previousDigestSignature": "50887ccffad4c002b97caa37cc9dc626e3c680207d41d27fa5835458e066e0d3652fc4dfc30937e4d5f4cc7f796e7a258fb50a43ac427f2237f6e505d4efaf373d156e15e3b68dea9f58111d395b62628d6bd367a9024d2183b5c5f6e19466d3a996b92df705bc997b8a0e13430f241d733cf95df4e41bb6c304c3f58363043572ea57a27085639ce187e679c0d81c7519b1184fa77fb7ab0b0e40a32dace6e1eefc3995c5ae182da49b62b26398cebb52a2201a6387b75b89c83e5570bcb9bba6c34a80f2f00a1c6ebe07d1ff149eccd812dc805bb3eeff6657db32a6cb48d2d096404eb76181877bc6ebb8cd0b23f823200155b2fd8848d428e46e8456328a", "logFiles": [ { "s3Bucket": "amzn-s3-demo-bucket", "s3Object": "AWSLogs/111122223333/CloudTrail/us-east-2/2015/08/17/111122223333_CloudTrail_us-east-2_20150817T1445Z_9nYN7gp2eWAJHIfT.json.gz", "hashValue": "9bb6196fc6b84d6f075a56548feca262bd99ba3c2de41b618e5b6e22c1fc71f6", "hashAlgorithm": "SHA-256", "newestEventTime": "2015-08-17T14:52:27Z", "oldestEventTime": "2015-08-17T14:42:27Z" } ] }
Digest file field descriptions
The following are descriptions for each field in the digest file:
awsAccountId
-
The AWS account ID for which the digest file has been delivered.
digestStartTime
-
The starting UTC time range that the digest file covers, taking as a reference the time in which log files have been delivered by CloudTrail. This means that if the time range is [Ta, Tb], the digest will contain all the log files delivered to the customer between Ta and Tb.
digestEndTime
-
The ending UTC time range that the digest file covers, taking as a reference the time in which log files have been delivered by CloudTrail. This means that if the time range is [Ta, Tb], the digest will contain all the log files delivered to the customer between Ta and Tb.
digestS3Bucket
-
The name of the Amazon S3 bucket to which the current digest file has been delivered.
digestS3Object
-
The Amazon S3 object key (that is, the Amazon S3 bucket location) of the current digest file. The first two Regions in the string show the Region from which the digest file was delivered. The last Region (after
your-trail-name
) is the home Region of the trail. The home Region is the Region in which the trail was created. In the case of a multi-Region trail, this can be different from the Region from which the digest file was delivered.
newestEventTime
-
The UTC time of the most recent event among all of the events in the log files in the digest.
oldestEventTime
-
The UTC time of the oldest event among all of the events in the log files in the digest.
Note
If the digest file is delivered late, the value of
oldestEventTime
will be earlier than the value ofdigestStartTime
.
previousDigestS3Bucket
-
The Amazon S3 bucket to which the previous digest file was delivered.
previousDigestS3Object
-
The Amazon S3 object key (that is, the Amazon S3 bucket location) of the previous digest file.
previousDigestHashValue
-
The hexadecimal encoded hash value of the uncompressed contents of the previous digest file.
previousDigestHashAlgorithm
-
The name of the hash algorithm that was used to hash the previous digest file.
publicKeyFingerprint
-
The hexadecimal encoded fingerprint of the public key that matches the private key used to sign this digest file. You can retrieve the public keys for the time range corresponding to the digest file by using the AWS CLI or the CloudTrail API. Of the public keys returned, the one whose fingerprint matches this value can be used for validating the digest file. For information about retrieving public keys for digest files, see the AWS CLI
list-public-keys
command or the CloudTrailListPublicKeys
API.Note
CloudTrail uses different private/public key pairs per Region. Each digest file is signed with a private key unique to its Region. Therefore, when you validate a digest file from a particular Region, you must look in the same Region for its corresponding public key.
digestSignatureAlgorithm
-
The algorithm used to sign the digest file.
logFiles.s3Bucket
-
The name of the Amazon S3 bucket for the log file.
logFiles.s3Object
-
The Amazon S3 object key of the current log file.
logFiles.newestEventTime
-
The UTC time of the most recent event in the log file. This time also corresponds to the time stamp of the log file itself.
logFiles.oldestEventTime
-
The UTC time of the oldest event in the log file.
logFiles.hashValue
-
The hexadecimal encoded hash value of the uncompressed log file content.
logFiles.hashAlgorithm
-
The hash algorithm used to hash the log file.
Starting digest file
When log file integrity validation is started, a starting digest file will be generated. A starting digest file will also be generated when log file integrity validation is restarted (by either disabling and then reenabling log file integrity validation, or by stopping logging and then restarting logging with validation enabled). In a starting digest file, the following fields relating to the previous digest file will be null:
-
previousDigestS3Bucket
-
previousDigestS3Object
-
previousDigestHashValue
-
previousDigestHashAlgorithm
-
previousDigestSignature
'Empty' digest files
CloudTrail will deliver a digest file even when there has been no API activity in your account during the one hour period that the digest file represents. This can be useful when you need to assert that no log files were delivered during the hour reported by the digest file.
The following example shows the contents of a digest file that recorded an hour when
no API activity occurred. Note that the logFiles:[ ]
field at the end of
the digest file contents is empty.
{ "awsAccountId": "111122223333", "digestStartTime": "2015-08-20T17:01:31Z", "digestEndTime": "2015-08-20T18:01:31Z", "digestS3Bucket": "amzn-s3-demo-bucket", "digestS3Object": "AWSLogs/111122223333/CloudTrail-Digest/us-east-2/2015/08/20/111122223333_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20150820T180131Z.json.gz", "digestPublicKeyFingerprint": "31e8b5433410dfb61a9dc45cc65b22ff", "digestSignatureAlgorithm": "SHA256withRSA", "newestEventTime": null, "oldestEventTime": null, "previousDigestS3Bucket": "amzn-s3-demo-bucket", "previousDigestS3Object": "AWSLogs/111122223333/CloudTrail-Digest/us-east-2/2015/08/20/111122223333_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20150820T170131Z.json.gz", "previousDigestHashValue": "ed96c4bac9eaa8fe9716ca0e515da51938be651b1db31d781956416a9d05cdfa", "previousDigestHashAlgorithm": "SHA-256", "previousDigestSignature": "82705525fb0fe7f919f9434e5b7138cb41793c776c7414f3520c0242902daa8cc8286b29263d2627f2f259471c745b1654af76e2073264b2510fd45236b3aea4d80c0e8e6455223d7bd54ff80af0edf22a5f14fa856626daec919f0591479aa4f213787ba1e1076328dcf8ff624e03a977fa5612dcf58594c590fd8c1c5b48bddf43fc84ecc00b41bedd0ff7f293c3e2de8dcdc78f98b03e17577f5822ba842399d69eb79921c0429773509520e08c8b518702d987dfbb3a4e5d8c5f17673ce1f989dfff82d4becf24e452f20d3bcac94ad50131f93e57f10155536acb54c60efbe9d57228c2b930bc6082b2318e3ccd36834a8e835b8d112dbf32145f445c11", "logFiles": [] }
Signature of the digest file
The signature information for a digest file is located in two object metadata properties of the Amazon S3 digest file object. Each digest file has the following metadata entries:
-
x-amz-meta-signature
The hexadecimal encoded value of the digest file signature. The following is an example signature:
3be472336fa2989ef34de1b3c1bf851f59eb030eaff3e2fb6600a082a23f4c6a82966565b994f9de4a5989d053d9d15d20fc5c43e66358652d93326550a4acc5c5f541bb52e9b455897ab723bd7cbabfe963a406a41d600f3658f7a3135e5ed9fcae7b79bb5857d1e5eb78fcce8595ce0ade2f3ad1d9f2d62be7bc4660d83166ce24586489b7da9ee9883eaf0b9efabb5dd3cbba565cc4aab5c9c46c9fa7e9cda310afcc5e8adcd9e48d0597ec5f8174a52c3bebb3e845eeb1d18904fbf4cc14cd117080098e10022ddf55e017a9431446acad8560de0ba1e477af9f8a3048bc6196350adad0cc0cb4ab99b5e7c9944437a3c674a038009220684ced7be07b4f 28f1cc237f372264a51b611c01da429565def703539f4e71009051769469231bc22232fa260df02740047af532229885ea2b0e95ecd353326b7104941e0cbddb076a391f1fcf2923c19565f4841770a78723451aeb732ff1b6162dc40e601fc6720bc5325987942ebd817783b322f0ac77698523bf742fdea7aa44f4911b3101221b7e1233387f16a52077610498f4a1254211258e37da0fb4cb207aef593b4c1baa13674e85acc52046b3adb889e63331a66abac5de7e42ffdd6952987c31ae871650e130bd2e63bfe145b22bbd39ea192210f6df64d49b888a321e02d3fc4cf126accae30d2857ccd6b2286a7c9feba6c35c44161b24147d645e6ca26844ba 05d3ffcb5d2dd5dc28f8bb5b7993938e8a5f912a82b448a367eccb2ec0f198ba71e23eb0b97278cf65f3c8d1e652c6de33a22ca8428821ffc95bf8b726ba9f37cfbc20c54dc5bd6159bdea1c4d951b68cb8e0528852c55bb0c5e499ea60560f7c2bb3af7f694407da863a2594f7a2f2838cb09254afbaf8003587746e719a0437f85eeffae534f283f3837eb939a9bccc3c71573500661245891051231b580ac92d9e0e68c6f47ad38975f493e2c40e7f303353c4adc7d563ef1e875977afac2e085f0c824045d998c9543d8a3293ad3c063b7a109d0bfd84b0b1e3f72c4f057e744e6a2cf9cc97727b08584f44bfa47799c5072b60f0b619aea88a17de585e9
-
x-amz-meta-signature-algorithm
The following shows an example value of the algorithm used to generate the digest signature:
SHA256withRSA
Digest file chaining
The fact that each digest file contains a reference to its previous digest file enables a "chaining" that permits validation tools like the AWS CLI to detect if a digest file has been deleted. It also allows the digest files in a specified time range to be successively inspected, starting with the most recent first.
Note
When you disable log file integrity validation, the chain of digest files is broken after one hour. CloudTrail will not create digest files for log files that were delivered during a period in which log file integrity validation was disabled. For example, if you enable log file integrity validation at noon on January 1, disable it at noon on January 2, and re-enable it at noon on January 10, digest files will not be created for the log files delivered from noon on January 2 to noon on January 10. The same applies whenever you stop CloudTrail logging or delete a trail.
If your trail's S3 bucket policy
is misconfigured or CloudTrail experiences an unexpected
service disruption, you might not receive all or some digest
files. To confirm if your trail has any digest delivery errors, run the
get-trail-status
command and check the
LatestDigestDeliveryError
parameter for errors. After the delivery
issue is resolved (for example, by fixing the bucket policy), CloudTrail will attempt to
redeliver any missing digest files. During the redelivery period, the digest files
might be delivered out of order, so the chain might temporarily appear to be
broken.
If logging is stopped or the trail is deleted, CloudTrail will deliver a final digest file.
This digest file can contain information for any remaining log files that cover events
up to and including the StopLogging
event.