Reply To: How do I get feedback on wrong question/answers? (AWS Certified Security – Specialty forum)
Hi Nick,
Thank you for the feedback. You raised a valid point, and we appreciate the attention to detail.
You are correct that log file integrity validation does not prevent unauthorized modifications. Per AWS documentation, it uses SHA-256 hashing and RSA digital signing to generate hourly digest files, which allow you to verify whether log files were modified or deleted after CloudTrail delivered them. This is tamper detection, not tamper prevention.
Tamper prevention in this architecture is enforced by two controls:
• The central S3 bucket in the dedicated logging account has a bucket policy that restricts member accounts from modifying or deleting log objects.
• Member accounts cannot modify or delete the organization trail. Only the management account or a delegated administrator account can do so.
Log file integrity validation serves as an additional layer, providing cryptographic proof that logs were not altered after delivery, which is a standard requirement for compliance and SIEM ingestion.
We have updated the explanation to clearly distinguish tamper detection from tamper prevention to avoid any confusion for future learners.
We have also noted your suggestion on adding a per-question feedback option and passed it along to our team.
Best regards,
Irene @ Tutorials Dojo Support
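As an added illustration of the detection mechanism the reply describes (this is example code, not part of the original post or of any AWS tooling): a digest file's RSA/SHA-256 signature is checked first, then each delivered log file's SHA-256 is compared with the value recorded in the digest, so an altered or deleted log shows up as a mismatch rather than being prevented. It assumes a locally generated RSA key in place of the CloudTrail public key, constructed digest fields, and the signing-string layout given in the AWS log file integrity validation documentation.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
)
// Digest holds the digest-file fields used in validation: a constructed, simplified subset
// of the real CloudTrail digest JSON (in practice these are parsed from the digest body).
type Digest struct {
	DigestEndTime, DigestS3Bucket, DigestS3Object, PreviousDigestSignature string
	LogFileHashes map[string]string // log object key -> hex SHA-256 of the delivered (gzipped) log file
}
// hexSHA256 returns the hex SHA-256 CloudTrail records for a log file or digest body.
func hexSHA256(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}
// signingString builds the data CloudTrail signs with SHA256withRSA (per the AWS docs):
// digestEndTime + digestS3Bucket + digestS3Object + hex(SHA-256(digest body)) + previousDigestSignature.
func signingString(d Digest, digestBody []byte) []byte {
	return []byte(d.DigestEndTime + d.DigestS3Bucket + d.DigestS3Object + hexSHA256(digestBody) + d.PreviousDigestSignature)
}
// SignDigest stands in for CloudTrail's signer; the real private key is held by AWS (assumption for the demo).
func SignDigest(priv *rsa.PrivateKey, d Digest, digestBody []byte) (string, error) {
	h := sha256.Sum256(signingString(d, digestBody))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return hex.EncodeToString(sig), err
}
// VerifyDigest checks the digest signature (the hex x-amz-meta-signature S3 metadata) against
// the public key, then compares every log file listed in the digest with what is in S3.
// It returns the keys of log files that are missing or altered; a bad signature is an error.
func VerifyDigest(pub *rsa.PublicKey, d Digest, digestBody []byte, sigHex string, logs map[string][]byte) ([]string, error) {
	sig, err := hex.DecodeString(sigHex)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(signingString(d, digestBody))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, err // digest itself was edited or signed by another key
	}
	var bad []string
	for key, want := range d.LogFileHashes {
		if body, ok := logs[key]; !ok || hexSHA256(body) != want {
			bad = append(bad, key) // deleted or modified after delivery
		}
	}
	return bad, nil
}
```

Note that none of this stops a deletion; the bucket policy and the organization-trail ownership rules in the reply are what do that, and this check only reports what happened afterwards.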