To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. When you enable log file integrity validation, CloudTrail creates a hash for every log file that it delivers. This feature is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete, or forge CloudTrail log files without detection.

The digest files are delivered to the same Amazon S3 bucket associated with your trail as your CloudTrail log files. If your log files are delivered from all regions or from multiple accounts into a single Amazon S3 bucket, CloudTrail will deliver the digest files from those regions and accounts into the same bucket. The digest files are put into a folder separate from the log files. CloudTrail uses different key pairs for each AWS region. After delivery, you can use the public key for that region to validate the digest file.

Validated log files are invaluable in security and forensic investigations. For example, a validated log file enables you to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity. The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time.

You can use the AWS CLI to validate the files in the location where CloudTrail delivered them.
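The following is an added example, not code from the page or from AWS, showing the hash-comparison half of the validation described above: each log file listed in a digest is re-hashed with SHA-256 and compared with the recorded value, and each digest's pointer to the previous digest is followed so that a removed or altered digest (a gap in the chain) is detected. The digest field names (`logFiles`, `hashValue`, `previousDigestS3Object`, and so on) are assumptions modelled on the CloudTrail digest layout, the bucket name and object keys are placeholders, and the log contents are constructed; the RSA signature check over the digest with the per-region public key is not implemented here.

```python
import hashlib
import json

# Constructed sample log file contents (real CloudTrail logs are gzip-compressed
# JSON; the hashing logic is the same over the delivered bytes).
LOG_A = b'{"Records":[{"eventName":"ConsoleLogin"}]}'
LOG_B = b'{"Records":[{"eventName":"CreateUser"}]}'
LOG_C = b'{"Records":[{"eventName":"DeleteTrail"}]}'
BUCKET = "example-trail-bucket"  # placeholder bucket name


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the delivered object bytes, hex encoded as in digest files."""
    return hashlib.sha256(data).hexdigest()


def make_digest(log_objects, previous_key=None, previous_bytes=None):
    """Build a digest record. Field names are an assumption modelled on the
    CloudTrail digest layout; they are not taken from the page."""
    return {
        "digestS3Bucket": BUCKET,
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": key,
             "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(data)}
            for key, data in log_objects.items()
        ],
        "previousDigestS3Object": previous_key,
        "previousDigestHashAlgorithm": "SHA-256" if previous_bytes else None,
        "previousDigestHashValue": sha256_hex(previous_bytes) if previous_bytes else None,
    }


def digest_bytes(digest) -> bytes:
    """Canonical serialisation so a digest can itself be hashed for the chain."""
    return json.dumps(digest, sort_keys=True).encode()


def validate_log_files(digest, delivered):
    """Compare every log file listed in the digest with what is in the bucket.
    Returns {s3Object: 'unchanged' | 'modified' | 'deleted' | 'unsupported'}."""
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if entry["hashAlgorithm"] != "SHA-256":
            results[key] = "unsupported"
            continue
        data = delivered.get(key)
        if data is None:
            results[key] = "deleted"
        elif sha256_hex(data) == entry["hashValue"]:
            results[key] = "unchanged"
        else:
            results[key] = "modified"
    return results


def validate_chain(digest, delivered):
    """Follow the previous-digest pointer: a digest that has been removed or
    altered breaks the chain, which is how a gap in delivery is detected."""
    prev_key = digest["previousDigestS3Object"]
    if prev_key is None:
        return "chain-start"
    prev = delivered.get(prev_key)
    if prev is None:
        return "previous-digest-missing"
    if sha256_hex(prev) != digest["previousDigestHashValue"]:
        return "previous-digest-modified"
    return "chain-ok"


# Constructed scenario: two digest periods, then tampering with the bucket.
DIGEST_1 = make_digest({"logs/a.json": LOG_A})
DIGEST_1_KEY = "digests/d1.json"
DIGEST_2 = make_digest({"logs/b.json": LOG_B, "logs/c.json": LOG_C},
                       DIGEST_1_KEY, digest_bytes(DIGEST_1))

BUCKET_INTACT = {
    "logs/a.json": LOG_A, "logs/b.json": LOG_B, "logs/c.json": LOG_C,
    DIGEST_1_KEY: digest_bytes(DIGEST_1),
}
BUCKET_TAMPERED = {
    "logs/a.json": LOG_A,
    "logs/b.json": LOG_B + b"\n",  # one byte appended
    # logs/c.json removed, digests/d1.json removed
}

if __name__ == "__main__":
    print(validate_log_files(DIGEST_2, BUCKET_INTACT), validate_chain(DIGEST_2, BUCKET_INTACT))
    print(validate_log_files(DIGEST_2, BUCKET_TAMPERED), validate_chain(DIGEST_2, BUCKET_TAMPERED))
```

In production the AWS CLI command `aws cloudtrail validate-logs` performs these checks and additionally verifies the RSA signature on each digest against the public key for the delivering region, so a forged digest that lists attacker-chosen hashes is rejected as well; the example above would accept such a digest, which is why the signature step cannot be skipped in a real investigation.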