Classification:
compliance
Set up the cloudtrail integration.
Ensure that AWS CloudTrail logs are encrypted.
Encrypting AWS CloudTrail logs with a KMS encryption key helps protect your data and ensures only certain IAM users can access these logs.
Follow the Enabling Log File Encryption docs to enable SSE-KMS encryption for CloudTrail log files.
1. Create a new policy configuration file that grants CloudTrail the encrypting and decrypting permissions it needs.

2. Run create-key using the policy file path (the AWS CLI reads a file argument only with the file:// prefix; without it the argument is parsed as the policy text itself):

   create-key.sh
   aws kms create-key \
     --policy file://new-policy-file.json

3. Run create-alias with a newly created alias name and the target-key-id set to the KMS key returned in step 2:

   create-alias.sh
   aws kms create-alias \
     --alias-name alias/CloudTrailKSM \
     --target-key-id 12345678-abcd-1a2b-1234-012345678901

4. Run update-trail on the trail name you wish to update, passing the KMS key returned in step 2:

   update-trail.sh
   aws cloudtrail update-trail \
     --name MyGlobalTrail \
     --kms-key-id 12345678-abcd-1a2b-1234-012345678901
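The four steps above as one script, plus the check that should follow them. This is an added example, not code from the page or from Datadog: the key policy is a simplified form of the pattern in the AWS "Enabling Log File Encryption" docs, and ACCOUNT_ID, the trail name and the alias are placeholders you supply. remediate() needs an installed, credentialed aws CLI; the other two functions run offline.

```python
"""Added example: script the CloudTrail KMS remediation and verify the result."""
import json
import subprocess


def cloudtrail_key_policy(account_id: str) -> dict:
    """Key policy CloudTrail needs (simplified from the AWS docs pattern):
    the account root keeps admin rights, and the CloudTrail service may
    generate data keys only when the encryption context names a trail in
    this account, so another account's trail cannot use the key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AccountAdmin", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "CloudTrailEncrypt", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "kms:GenerateDataKey*", "Resource": "*",
             "Condition": {"StringLike": {
                 "kms:EncryptionContext:aws:cloudtrail:arn":
                     f"arn:aws:cloudtrail:*:{account_id}:trail/*"}}},
            {"Sid": "CloudTrailDescribe", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "kms:DescribeKey", "Resource": "*"},
        ],
    }


def aws(*args: str) -> dict:
    """Run one aws CLI command and parse its JSON output (empty -> {})."""
    out = subprocess.run(["aws", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def remediate(account_id: str, trail_name: str, alias: str) -> str:
    """Steps 2-4 of the page, with the key id read from create-key output
    instead of copied by hand. Returns the new KMS key id."""
    policy = json.dumps(cloudtrail_key_policy(account_id))
    key_id = aws("kms", "create-key", "--policy", policy)["KeyMetadata"]["KeyId"]
    aws("kms", "create-alias", "--alias-name", alias, "--target-key-id", key_id)
    aws("cloudtrail", "update-trail", "--name", trail_name, "--kms-key-id", key_id)
    return key_id


def unencrypted_trails(describe_trails: dict) -> list:
    """Check side: names of trails in `aws cloudtrail describe-trails` output
    with no KmsKeyId, i.e. still writing logs without SSE-KMS."""
    return [t["Name"] for t in describe_trails.get("trailList", [])
            if not t.get("KmsKeyId")]
```

Feed unencrypted_trails() the parsed output of `aws cloudtrail describe-trails` after remediation; an empty list means every trail in the region now carries a KMS key.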