Ensure CloudTrail logs are encrypted at rest using KMS CMKs
AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.
Risk Level: High
Cloud Entity: CloudTrail
CloudGuard Rule ID: D9.CFT.LOG.01
Covered by Spectral: Yes
Category: Management Tools
GSL LOGIC
AWS_CloudTrail_Trail should have KMSKeyId
REMEDIATION
From CFT
Set AWS::CloudTrail::Trail KMSKeyId
property to be a valid KMS key ID
References
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
- https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
CloudTrail
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.
Compliance Frameworks
- AWS CloudFormation ruleset
Updated over 1 year ago