How to Find AWS CloudTrail Trails Not Encrypted with KMS Keys
By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files.
This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity medium.
> search is(aws_cloud_trail) and trail_kms_key_id==null
kind=aws_cloud_trail, ..., region=resoto-poweruser
kind=aws_cloud_trail, ..., account=poweruser-team
To see the full details of each non-compliant trail, pipe the search command into the dump command:
> search is(aws_cloud_trail) and trail_kms_key_id==null | dump
The command output will list the details of all non-compliant
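As an added example, not part of this guide or of Resoto's own code, the same check performed outside Resoto against the raw CloudTrail DescribeTrails response, going one step further by de-duplicating the shadow copies of multi-region trails; the sample trails, account ids and key id are constructed, and the live_scan helper assumes boto3 and AWS credentials are available:

```python
"""Offline counterpart of the Resoto query is(aws_cloud_trail) and trail_kms_key_id==null,
run over a CloudTrail DescribeTrails response (added example, not Resoto code)."""
from typing import Dict, Iterable, List


def find_unencrypted_trails(trails: Iterable[Dict]) -> List[Dict]:
    """Return one record per trail whose log files are not encrypted with SSE-KMS.

    DescribeTrails leaves KmsKeyId absent (or empty) when a trail uses default SSE-S3,
    so both cases count as non-compliant. A multi-region trail is also reported as a
    shadow trail in every other region, so results are de-duplicated by TrailARN.
    """
    seen, findings = set(), []
    for trail in trails:
        arn = trail.get("TrailARN", "")
        if arn in seen:
            continue
        seen.add(arn)
        if trail.get("KmsKeyId"):  # non-empty key id means SSE-KMS is in use
            continue
        findings.append({
            "name": trail.get("Name"),
            "arn": arn,
            "account": arn.split(":")[4] if arn.count(":") >= 5 else None,
            "home_region": trail.get("HomeRegion"),
            "multi_region": bool(trail.get("IsMultiRegionTrail", False)),
        })
    return findings


# Constructed sample in the DescribeTrails response shape; account ids and key id are fake.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"},
    {"Name": "dev-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": True,
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:222222222222:trail/dev-trail"},
    # the same dev-trail reported again as a shadow trail by another region
    {"Name": "dev-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": True,
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:222222222222:trail/dev-trail"},
    {"Name": "legacy", "HomeRegion": "us-west-2", "IsMultiRegionTrail": False,
     "TrailARN": "arn:aws:cloudtrail:us-west-2:222222222222:trail/legacy", "KmsKeyId": ""},
]


def live_scan(region_name: str) -> List[Dict]:
    """Same check against a real account; needs boto3 and AWS credentials (not run offline)."""
    import boto3  # imported lazily so the offline path has no dependency on it
    client = boto3.client("cloudtrail", region_name=region_name)
    return find_unencrypted_trails(client.describe_trails(includeShadowTrails=True)["trailList"])
```

Run over SAMPLE_TRAILS the check reports dev-trail once and legacy once, while org-trail passes because its KmsKeyId is set.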
Using SSE-KMS for CloudTrail log files lets you:
- Create and manage the CMK encryption keys.
- Use a single CMK to encrypt and decrypt log files for multiple accounts across all regions.
- Control who can use your key for encrypting and decrypting CloudTrail log files.
- Assign permissions for the key to users.
Please refer to the AWS CloudTrail documentation for details.