Ensure CloudTrail logs are encrypted at rest using KMS CMKs

ID

cloudtrail_logs_encrypted_cmk

Severity

high

Vendor

AWS

Resource

CloudTrail

Tags

reachable

Description

AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

By default, the log files that CloudTrail delivers to your bucket are encrypted with Amazon S3-managed server-side encryption keys (SSE-S3). To add a security layer whose key you manage directly, you can instead use server-side encryption with AWS KMS keys (SSE-KMS) for your CloudTrail log files.

Examples

CloudFormation

{
  "Resources": {
    "myTrail": { (1)
      "Type": "AWS::CloudTrail::Trail"
    }
  }
}
1 Missing KMSKeyId property means encryption is done with Amazon managed encryption keys.
Resources:
  myTrail: (1)
    Type: AWS::CloudTrail::Trail
1 Missing KMSKeyId property means encryption is done with Amazon managed encryption keys.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "myTrail": {
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {
        "KMSKeyId": { (1)
          "Ref": "CloudtrailKMSKeyAlias"
        }
      }
    }
  }
}
1 KMSKeyId set to be used as encryption key.
Resources:
  myTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      KMSKeyId: alias/MyAliasName (1)
1 KMSKeyId set to be used as encryption key.
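As an added illustration that is not part of this policy page or its project, the following Python check applies the rule above to a parsed CloudFormation template: every AWS::CloudTrail::Trail whose KMSKeyId is missing or empty is reported as FAILED, while a literal key reference or an intrinsic such as Ref passes. The function name check_cloudtrail_kms and the sample templates are constructed for this example and mirror the failing and passing snippets shown above.

```python
import json

TRAIL_TYPE = "AWS::CloudTrail::Trail"


def check_cloudtrail_kms(template: dict) -> dict:
    """Map each CloudTrail trail's logical id to "PASSED" or "FAILED".

    A trail passes only when KMSKeyId is a non-empty literal (ARN, key id or
    alias) or an intrinsic such as {"Ref": ...} that resolves at deploy time.
    No value, an empty string or an empty object leaves the trail on SSE-S3,
    which this rule treats as a finding.
    """
    results = {}
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != TRAIL_TYPE:
            continue
        props = resource.get("Properties") or {}
        key_id = props.get("KMSKeyId")
        if isinstance(key_id, str) and key_id.strip():
            results[logical_id] = "PASSED"
        elif isinstance(key_id, dict) and key_id:
            # e.g. {"Ref": "CloudtrailKMSKeyAlias"}; cannot be resolved statically
            results[logical_id] = "PASSED"
        else:
            results[logical_id] = "FAILED"
    return results


# Constructed sample templates mirroring the Examples / Fix sections above.
FAILING_TEMPLATE = json.loads(
    '{"Resources": {"myTrail": {"Type": "AWS::CloudTrail::Trail"}}}'
)
PASSING_TEMPLATE = json.loads("""
{"Resources": {"myTrail": {"Type": "AWS::CloudTrail::Trail",
  "Properties": {"KMSKeyId": {"Ref": "CloudtrailKMSKeyAlias"}}}}}
""")
# Constructed edge case: an empty KMSKeyId still leaves the trail on SSE-S3,
# and a non-trail resource in the same template must be ignored.
EMPTY_KEY_TEMPLATE = json.loads("""
{"Resources": {"myTrail": {"Type": "AWS::CloudTrail::Trail",
  "Properties": {"KMSKeyId": ""}},
  "logsBucket": {"Type": "AWS::S3::Bucket"}}}
""")

if __name__ == "__main__":
    for name, tpl in [("failing", FAILING_TEMPLATE), ("passing", PASSING_TEMPLATE),
                      ("empty-key", EMPTY_KEY_TEMPLATE)]:
        print(name, check_cloudtrail_kms(tpl))
```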

Runtime

AWS Console

To configure CloudTrail to use SSE-KMS go to the Amazon CloudTrail Console:

  • In the navigation pane, choose Trails.

  • Select a specific Trail.

  • Navigate to the S3 section and enter edit mode by clicking the Edit button.

  • Click Advanced.

  • Choose a CMK from the KMS key Id drop-down.

  • So that the CloudTrail service can encrypt log files with the chosen CMK, and so that you can decrypt them, apply a KMS key policy to the selected CMK that grants CloudTrail the required permissions.

  • Click Save.

  • A notification appears stating that you need decrypt permissions on the specified KMS key to read the log files. Click Yes.

CLI Command

aws cloudtrail update-trail --name <trail-name> --kms-key-id <cloudtrail-kms-key>
aws kms put-key-policy --key-id <cloudtrail-kms-key> --policy-name default --policy <cloudtrail-kms-key-policy>