For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-cloudtrail-log-files-not-encrypted-with-kms.md.
CloudTrail log files must be encrypted with an AWS KMS customer-managed key to protect the confidentiality and integrity of audit logs and enable key access control and rotation.
The CloudFormation resource type AWS::CloudTrail::Trail must define the KMSKeyId property with a non-empty value (AWS KMS key ARN, key ID, alias, or a reference to an AWS::KMS::Key). Resources missing KMSKeyId or with it set to null or an empty string will be flagged.
Create or reference a customer-managed AWS KMS key and assign it to KMSKeyId (using !Ref, !GetAtt, or an ARN) so CloudTrail delivers logs encrypted under that key.
Secure CloudFormation example:
```yaml
MyKmsKey:
  Type: AWS::KMS::Key
  Properties:
    Description: KMS key for CloudTrail log encryption
MyTrail:
  Type: AWS::CloudTrail::Trail
  Properties:
    IsLogging: true
    S3BucketName: my-trail-bucket
    KMSKeyId: !Ref MyKmsKey
```
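To make the rule's decision logic concrete, here is an added example of a small checker that applies the same test as this rule to a CloudFormation template: it walks `Resources`, picks out every `AWS::CloudTrail::Trail`, and reports the ones whose `KMSKeyId` is missing, `null` or an empty string, while accepting a string (ARN, key ID, alias) or an intrinsic such as `!Ref`/`Fn::GetAtt`. This is illustration code written for this page, not Datadog's scanner; the function names (`load_template`, `find_unencrypted_trails`, `kms_key_is_set`) and the two sample templates are constructed for the example. YAML parsing needs PyYAML with a custom loader for the short-form `!Ref`/`!Sub`/`!GetAtt` tags; the JSON path has no dependencies.

```python
"""Added example (not Datadog's code): apply the KMSKeyId rule to a template."""
import json

try:
    import yaml  # PyYAML; optional, only needed for YAML-format templates
except ImportError:
    yaml = None

TRAIL_TYPE = "AWS::CloudTrail::Trail"


def _cfn_yaml_loader():
    """Build a PyYAML SafeLoader that understands CloudFormation short-form
    intrinsic tags (!Ref, !Sub, !GetAtt, ...) by turning them into the
    long-form mappings ({"Ref": ...}, {"Fn::Sub": ...})."""
    class CfnLoader(yaml.SafeLoader):
        pass

    def construct(loader, tag_suffix, node):
        name = "Ref" if tag_suffix == "Ref" else "Fn::" + tag_suffix
        if isinstance(node, yaml.ScalarNode):
            value = loader.construct_scalar(node)
            if tag_suffix == "GetAtt" and isinstance(value, str):
                value = value.split(".", 1)  # "Topic.TopicName" -> ["Topic", "TopicName"]
        elif isinstance(node, yaml.SequenceNode):
            value = loader.construct_sequence(node)
        else:
            value = loader.construct_mapping(node)
        return {name: value}

    CfnLoader.add_multi_constructor("!", construct)
    return CfnLoader


def load_template(text):
    """Parse a template given as JSON or YAML text into a dict."""
    if text.lstrip().startswith("{"):
        return json.loads(text)
    if yaml is None:
        raise RuntimeError("PyYAML is required to parse YAML templates")
    return yaml.load(text, Loader=_cfn_yaml_loader())


def kms_key_is_set(props):
    """Rule passes when KMSKeyId is present and non-empty. A string (ARN,
    key ID, alias) or an intrinsic mapping/list (Ref, Fn::GetAtt, Fn::Sub)
    both count as set; None, "" and whitespace-only strings do not."""
    value = props.get("KMSKeyId")
    if value is None:
        return False
    if isinstance(value, str):
        return value.strip() != ""
    return bool(value)  # non-empty dict or list


def find_unencrypted_trails(template):
    """Return the logical IDs of AWS::CloudTrail::Trail resources that this
    rule would flag, in template order."""
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != TRAIL_TYPE:
            continue
        props = resource.get("Properties") or {}
        if not kms_key_is_set(props):
            findings.append(logical_id)
    return findings


# Constructed sample templates (JSON so they run without PyYAML).
COMPLIANT = json.dumps({
    "Resources": {
        "Key": {"Type": "AWS::KMS::Key", "Properties": {}},
        "Trail": {"Type": TRAIL_TYPE,
                  "Properties": {"S3BucketName": "bucket", "KMSKeyId": {"Ref": "Key"}}},
    }
})
NON_COMPLIANT = json.dumps({
    "Resources": {
        "TrailNoKey": {"Type": TRAIL_TYPE, "Properties": {"S3BucketName": "bucket"}},
        "TrailEmpty": {"Type": TRAIL_TYPE,
                       "Properties": {"S3BucketName": "bucket", "KMSKeyId": ""}},
        "TrailNull": {"Type": TRAIL_TYPE,
                      "Properties": {"S3BucketName": "bucket", "KMSKeyId": None}},
        "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
})

if __name__ == "__main__":
    for label, text in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(label, "->", find_unencrypted_trails(load_template(text)))
```

The check deliberately accepts any non-empty intrinsic as a value, matching the rule text (a `!Ref` to an `AWS::KMS::Key` is compliant); it does not verify that the referenced key exists or is customer-managed, which the rule does not claim to do either.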
Compliant Code Examples
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  S3Bucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties: {}
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AWSCloudTrailAclCheck"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}
          - Sid: "AWSCloudTrailWrite"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint:
            Ref: OperatorEmail
          Protocol: email
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - Ref: "Topic"
      PolicyDocument:
        Version: "2008-10-17"
        Statement:
          - Sid: "AWSCloudTrailSNSPolicy"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Resource: "*"
            Action: "SNS:Publish"
  myTrail:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      KMSKeyId: arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: true
      IsMultiRegionTrail: true
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "OperatorEmail": {
      "Description": "Email address to notify when new logs are published.",
      "Type": "String"
    }
  },
  "Resources": {
    "TopicPolicy": {
      "Properties": {
        "Topics": [{ "Ref": "Topic" }],
        "PolicyDocument": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailSNSPolicy",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Resource": "*",
              "Action": "SNS:Publish"
            }
          ]
        }
      },
      "Type": "AWS::SNS::TopicPolicy"
    },
    "myTrail": {
      "DependsOn": ["BucketPolicy", "TopicPolicy"],
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "KMSKeyId": "arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012",
        "S3BucketName": { "Ref": "S3Bucket" },
        "SnsTopicName": { "Fn::GetAtt": ["Topic", "TopicName"] },
        "IsLogging": true,
        "IsMultiRegionTrail": true
      }
    },
    "S3Bucket": {
      "DeletionPolicy": "Retain",
      "Type": "AWS::S3::Bucket",
      "Properties": {}
    },
    "BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": { "Ref": "S3Bucket" },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailAclCheck",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Action": "s3:GetBucketAcl",
              "Resource": { "Fn::Sub": "arn:aws:s3:::${S3Bucket}" }
            },
            {
              "Sid": "AWSCloudTrailWrite",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Action": "s3:PutObject",
              "Resource": { "Fn::Sub": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*" },
              "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
            }
          ]
        }
      }
    },
    "Topic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [{ "Endpoint": { "Ref": "OperatorEmail" }, "Protocol": "email" }]
      }
    }
  }
}
```
Non-Compliant Code Examples
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  S3Bucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties: {}
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AWSCloudTrailAclCheck"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}
          - Sid: "AWSCloudTrailWrite"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint:
            Ref: OperatorEmail
          Protocol: email
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - Ref: "Topic"
      PolicyDocument:
        Version: "2008-10-17"
        Statement:
          - Sid: "AWSCloudTrailSNSPolicy"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Resource: "*"
            Action: "SNS:Publish"
  myTrail:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      # No KMSKeyId: log files are delivered without a customer-managed key, so this trail is flagged
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: true
      IsMultiRegionTrail: true
```
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "OperatorEmail": {
      "Description": "Email address to notify when new logs are published.",
      "Type": "String"
    }
  },
  "Resources": {
    "Topic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [{ "Endpoint": { "Ref": "OperatorEmail" }, "Protocol": "email" }]
      }
    },
    "TopicPolicy": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "Topics": [{ "Ref": "Topic" }],
        "PolicyDocument": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailSNSPolicy",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Resource": "*",
              "Action": "SNS:Publish"
            }
          ]
        }
      }
    },
    "myTrail": {
      "DependsOn": ["BucketPolicy", "TopicPolicy"],
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "S3BucketName": { "Ref": "S3Bucket" },
        "SnsTopicName": { "Fn::GetAtt": ["Topic", "TopicName"] },
        "IsLogging": true,
        "IsMultiRegionTrail": true
      }
    },
    "S3Bucket": {
      "DeletionPolicy": "Retain",
      "Type": "AWS::S3::Bucket",
      "Properties": {}
    },
    "BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": { "Ref": "S3Bucket" },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailAclCheck",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Action": "s3:GetBucketAcl",
              "Resource": { "Fn::Sub": "arn:aws:s3:::${S3Bucket}" }
            },
            {
              "Sid": "AWSCloudTrailWrite",
              "Effect": "Allow",
              "Principal": { "Service": "cloudtrail.amazonaws.com" },
              "Action": "s3:PutObject",
              "Resource": { "Fn::Sub": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*" },
              "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
            }
          ]
        }
      }
    }
  }
}
```