You have created a trail in AWS CloudTrail to record API activities in your AWS account. The trail logs have been delivered to an S3 bucket with the log file validation setting enabled. The security team needs to analyze the trail logs from the previous day and asks you to validate the trail log file integrity. Which of the following methods is the easiest?

Answer options:

A.Implement a custom mechanism to retrieve the public key from the CloudTrail Digest files and validate the Digest files with the key.
B.In the AWS CloudTrail console, select the trail and view if there are any integrity warnings.
C.In the AWS S3 console, check if CloudTrail Digest files are properly generated in the S3 bucket.
D.Use AWS CLI “aws cloudtrail validate-logs” to validate the log files.

Correct Answer: D
Option A is incorrect because the option does not mention other steps, such as validating the trail log files. You have to make efforts on the custom implementations. This method is not the easiest one.
Option B is incorrect because the CloudTrail console does not generate integrity warnings.
Option C is incorrect because this option does not validate the integrity of either Digest files or trail log files.
Option D is CORRECT because AWS CLI “aws cloudtrail validate-logs” can easily validate log files in a specified time range. This option is the most suitable in this scenario.
References:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-cli.html