How to Find AWS CloudTrail Trails Not Encrypted with KMS Keys

By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files.

info

This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity medium.

Prerequisites

This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.

Directions

1. Execute the following search command in Fix Inventory Shell:

   > search is(aws_cloud_trail) and trail_kms_key_id==null
   ​kind=aws_cloud_trail, ..., region=fixinventory-poweruser
   ​kind=aws_cloud_trail, ..., account=poweruser-team

2. Pipe the search command into the dump command:

   > search is(aws_cloud_trail) and trail_kms_key_id==null | dump
   ​reported:
   ​  id: /aws/cloudtrail/123
   ​  name: some-name
   ​  ctime: '2022-12-05T22:53:14Z'
   ​  kind: aws_cloud_trail
   ​  age: 2mo28d

   The command output will list the details of all non-compliant aws_cloud_trail resources.

Remediation

• Create and manage the CMK encryption keys.
• Use a single CMK to encrypt and decrypt log files for multiple accounts across all regions.
• Control who can use your key for encrypting and decrypting CloudTrail log files.
• Assign permissions for the key to the users.

note

Please refer to the AWS CloudTrail documentation for details.

Further Reading

• Search
• Command-Line Interface
• aws_cloud_trail Resource Data Model

External Links

• CIS Amazon Web Services Benchmarks
• AWS Documentation