CloudTrail log files not encrypted with KMS
This product is not supported for your selected
Datadog site. (
).
Id: 050a9ba8-d1cb-4c61-a5e8-8805a70d3b85
Cloud Provider: AWS
Platform: CloudFormation
Severity: Low
Category: Encryption
Learn More
Description
CloudTrail log files must be encrypted with an AWS KMS customer-managed key to protect the confidentiality and integrity of audit logs and enable key access control and rotation.
The CloudFormation resource type AWS::CloudTrail::Trail must define the KMSKeyId property with a non-empty value (AWS KMS key ARN, key ID, alias, or a reference to an AWS::KMS::Key). Resources missing KMSKeyId or with it set to null or an empty string will be flagged.
Create or reference a customer-managed AWS KMS key and assign it to KMSKeyId (using !Ref, !GetAtt, or an ARN) so CloudTrail delivers logs encrypted under that key.
Secure CloudFormation example:
MyKmsKey:
Type: AWS::KMS::Key
Properties:
Description: KMS key for CloudTrail log encryption
MyTrail:
Type: AWS::CloudTrail::Trail
Properties:
IsLogging: true
S3BucketName: my-trail-bucket
KMSKeyId: !Ref MyKmsKey
Compliant Code Examples
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
OperatorEmail:
Description: "Email address to notify when new logs are published."
Type: String
Resources:
S3Bucket:
DeletionPolicy: Retain
Type: AWS::S3::Bucket
Properties: {}
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: S3Bucket
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: "AWSCloudTrailAclCheck"
Effect: "Allow"
Principal:
Service: "cloudtrail.amazonaws.com"
Action: "s3:GetBucketAcl"
Resource: !Sub |-
arn:aws:s3:::${S3Bucket}
- Sid: "AWSCloudTrailWrite"
Effect: "Allow"
Principal:
Service: "cloudtrail.amazonaws.com"
Action: "s3:PutObject"
Resource: !Sub |-
arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
Condition:
StringEquals:
s3:x-amz-acl: "bucket-owner-full-control"
Topic:
Type: AWS::SNS::Topic
Properties:
Subscription:
- Endpoint:
Ref: OperatorEmail
Protocol: email
TopicPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
Topics:
- Ref: "Topic"
PolicyDocument:
Version: "2008-10-17"
Statement:
- Sid: "AWSCloudTrailSNSPolicy"
Effect: "Allow"
Principal:
Service: "cloudtrail.amazonaws.com"
Resource: "*"
Action: "SNS:Publish"
myTrail:
DependsOn:
- BucketPolicy
- TopicPolicy
Type: AWS::CloudTrail::Trail
Properties:
KMSKeyId: arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012
S3BucketName:
Ref: S3Bucket
SnsTopicName:
Fn::GetAtt:
- Topic
- TopicName
IsLogging: true
IsMultiRegionTrail: true
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"OperatorEmail": {
"Description": "Email address to notify when new logs are published.",
"Type": "String"
}
},
"Resources": {
"TopicPolicy": {
"Properties": {
"Topics": [
{
"Ref": "Topic"
}
],
"PolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailSNSPolicy",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Resource": "*",
"Action": "SNS:Publish"
}
]
}
},
"Type": "AWS::SNS::TopicPolicy"
},
"myTrail": {
"DependsOn": [
"BucketPolicy",
"TopicPolicy"
],
"Type": "AWS::CloudTrail::Trail",
"Properties": {
"KMSKeyId": "arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012",
"S3BucketName": {
"Ref": "S3Bucket"
},
"SnsTopicName": {
"Fn::GetAtt": [
"Topic",
"TopicName"
]
},
"IsLogging": true,
"IsMultiRegionTrail": true
}
},
"S3Bucket": {
"DeletionPolicy": "Retain",
"Type": "AWS::S3::Bucket",
"Properties": {}
},
"BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "S3Bucket"
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::${S3Bucket}"
},
{
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
},
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
}
}
]
}
}
},
"Topic": {
"Type": "AWS::SNS::Topic",
"Properties": {
"Subscription": [
{
"Endpoint": {
"Ref": "OperatorEmail"
},
"Protocol": "email"
}
]
}
}
}
}
Non-Compliant Code Examples
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myTrail": {
"Type": "AWS::CloudTrail::Trail",
"Properties": {
"SnsTopicName": "",
"IsLogging": false,
"IsMultiRegionTrail": false,
"KMSKeyId": "",
"EnableLogFileValidation": false
}
}
}
}
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"OperatorEmail": {
"Description": "Email address to notify when new logs are published.",
"Type": "String"
}
},
"Resources": {
"Topic": {
"Type": "AWS::SNS::Topic",
"Properties": {
"Subscription": [
{
"Endpoint": {
"Ref": "OperatorEmail"
},
"Protocol": "email"
}
]
}
},
"TopicPolicy": {
"Type": "AWS::SNS::TopicPolicy",
"Properties": {
"Topics": [
{
"Ref": "Topic"
}
],
"PolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailSNSPolicy",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Resource": "*",
"Action": "SNS:Publish"
}
]
}
}
},
"myTrail": {
"DependsOn": [
"BucketPolicy",
"TopicPolicy"
],
"Type": "AWS::CloudTrail::Trail",
"Properties": {
"S3BucketName": {
"Ref": "S3Bucket"
},
"SnsTopicName": {
"Fn::GetAtt": [
"Topic",
"TopicName"
]
},
"IsLogging": true,
"IsMultiRegionTrail": true
}
},
"S3Bucket": {
"DeletionPolicy": "Retain",
"Type": "AWS::S3::Bucket",
"Properties": {}
},
"BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "S3Bucket"
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::${S3Bucket}"
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
}
}
}
}
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
OperatorEmail:
Description: "Email address to notify when new logs are published."
Type: String
Resources:
S3Bucket:
DeletionPolicy: Retain
Type: AWS::S3::Bucket
Properties: {}
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: S3Bucket
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: "AWSCloudTrailAclCheck"
Effect: "Allow"
Principal:
Service: "cloudtrail.amazonaws.com"
Action: "s3:GetBucketAcl"
Resource: !Sub |-
arn:aws:s3:::${S3Bucket}
- Sid: "AWSCloudTrailWrite"
Effect: "Allow"
Principal:
Service: "cloudtrail.amazonaws.com"
Action: "s3:PutObject"
Resource: !Sub |-
arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
Condition:
StringEquals:
s3:x-amz-acl: "bucket-owner-full-control"
Topic:
Type: AWS::SNS::Topic
Properties:
Subscription:
- Endpoint:
Ref: OperatorEmail
Protocol: email
TopicPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
Topics:
- Ref: "Topic"
PolicyDocument:
Version: "2008-10-17"
Statement:
- Sid: "AWSCloudTrailSNSPolicy"
Effect: "Allow"
Principal:
Service: "cloudtrail.amazonaws.com"
Resource: "*"
Action: "SNS:Publish"
myTrail:
DependsOn:
- BucketPolicy
- TopicPolicy
Type: AWS::CloudTrail::Trail
Properties:
S3BucketName:
Ref: S3Bucket
SnsTopicName:
Fn::GetAtt:
- Topic
- TopicName
IsLogging: true
IsMultiRegionTrail: true
