
Metadata

Id: 5d9e3164-9265-470c-9a10-57ae454ac0c7

Cloud Provider: AWS

Platform: Terraform

Severity: Low

Category: Encryption

Description

CloudTrail logs contain sensitive information about account activity and should be protected from unauthorized access. If the kms_key_id attribute is not specified in the aws_cloudtrail resource block, as shown below, then the logs stored in S3 are not encrypted with a customer-managed KMS key, leaving them vulnerable to exposure or tampering:

resource "aws_cloudtrail" "positive1" {
  name           = "npositive_1"
  s3_bucket_name = "bucketlog_1"
}

Using the kms_key_id attribute, as in the example below, ensures that the logs are protected with strong encryption, reducing the risk of unauthorized access and helping meet compliance requirements:

resource "aws_cloudtrail" "negative1" {
  name           = "negative1"
  s3_bucket_name = "bucketlog1"
  kms_key_id     = "arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012"
}
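The rule above can be checked outside of a full policy engine. The following is an added example written for this page, not Datadog's or KICS's own scanner: it scans a constructed Terraform snippet (the SAMPLE_TF string and the resource names in it are assumptions) and reports every aws_cloudtrail block whose kms_key_id is missing, empty, or null.

```python
import re

# Constructed sample Terraform for this example (not from any real project):
# one trail with kms_key_id, one without, and an unrelated resource to ignore.
SAMPLE_TF = '''
resource "aws_cloudtrail" "encrypted" {
  name           = "trail-encrypted"
  s3_bucket_name = "bucketlog1"
  kms_key_id     = aws_kms_key.trail.arn
}

resource "aws_s3_bucket" "logs" {
  bucket = "bucketlog1"
}

resource "aws_cloudtrail" "plaintext" {
  name           = "trail-plaintext"
  s3_bucket_name = "bucketlog1"
  # kms_key_id deliberately omitted
}
'''

# Matches the header of any resource block up to its opening brace.
RESOURCE_RE = re.compile(r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{')
# Matches a kms_key_id assignment at the start of a line (a commented-out one does not match).
ATTR_RE = re.compile(r'^\s*kms_key_id\s*=\s*(?P<value>\S.*)$', re.MULTILINE)


def _block_body(text, start):
    """Return the text between the brace at `start` and its matching closing brace."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def find_unencrypted_trails(hcl):
    """Return the names of aws_cloudtrail resources that do not set a usable kms_key_id."""
    findings = []
    for m in RESOURCE_RE.finditer(hcl):
        if m.group("type") != "aws_cloudtrail":
            continue
        body = _block_body(hcl, m.end() - 1)  # m.end() - 1 is the index of "{"
        attr = ATTR_RE.search(body)
        # Drop a trailing comment; treat an absent, empty, or null value as unset.
        value = attr.group("value").split("#")[0].strip() if attr else ""
        if value in ("", '""', "null"):
            findings.append(m.group("name"))
    return findings


if __name__ == "__main__":
    for name in find_unencrypted_trails(SAMPLE_TF):
        print(f'aws_cloudtrail "{name}": no kms_key_id, logs are not encrypted with a customer-managed KMS key')
```

Setting kms_key_id is only half of the configuration: the referenced KMS key's policy must also grant the CloudTrail service permission to use it, which this static check does not verify.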

Compliant Code Examples

resource "aws_cloudtrail" "negative1" {
  name                          = "negative1"
  s3_bucket_name                = "bucketlog1"
  kms_key_id                    = "arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012"
}

Non-Compliant Code Examples

resource "aws_cloudtrail" "positive1" {
  name                          = "npositive_1"
  s3_bucket_name                = "bucketlog_1"
}