How to Find AWS CloudTrail Logs That Are Not Encrypted At Rest Using KMS CMKs
By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files.
This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity medium.
This guide assumes that you have already installed and configured Resoto to collect your AWS cloud resources.
Execute the following search command in Resoto Shell or Resoto UI:
> search is(aws_cloud_trail) and trail_kms_key_id==null
kind=aws_cloud_trail, ..., region=resoto-poweruser
kind=aws_cloud_trail, ..., account=poweruser-team
Pipe the search command into the dump command:
> search is(aws_cloud_trail) and trail_kms_key_id==null | dump
The command output will list the details of all non-compliant
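The same check can be reproduced outside Resoto against the raw CloudTrail API response, which is useful for cross-checking a finding or for accounts Resoto does not collect. The following added example (not Resoto's own code) mirrors the search `is(aws_cloud_trail) and trail_kms_key_id==null` over the JSON shape returned by `aws cloudtrail describe-trails`; the trail names, account IDs and ARNs in the sample data are constructed, and the example treats an empty `KmsKeyId` the same as a missing one.

```python
"""Added example: flag CloudTrail trails whose log files are not encrypted with a KMS CMK.

Equivalent of the Resoto search `is(aws_cloud_trail) and trail_kms_key_id==null`,
applied to the output of the DescribeTrails API. Sample data is constructed."""
import json

# Constructed DescribeTrails output (assumed shape of `aws cloudtrail describe-trails`),
# not captured from a real account.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {
            "Name": "org-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",
            "HomeRegion": "us-east-1",
            "S3BucketName": "example-cloudtrail-logs",
            "IsMultiRegionTrail": True,
            # SSE-KMS in use: compliant
            "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000",
        },
        {
            "Name": "legacy-trail",
            "TrailARN": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/legacy-trail",
            "HomeRegion": "eu-west-1",
            "S3BucketName": "example-cloudtrail-logs",
            "IsMultiRegionTrail": False,
            # No KmsKeyId at all: log files fall back to SSE-S3, non-compliant
        },
        {
            "Name": "empty-key-trail",
            "TrailARN": "arn:aws:cloudtrail:us-west-2:222222222222:trail/empty-key-trail",
            "HomeRegion": "us-west-2",
            "S3BucketName": "example-cloudtrail-logs-2",
            "IsMultiRegionTrail": False,
            "KmsKeyId": "",   # present but empty: treated like missing
        },
    ]
})


def trail_uses_kms(trail: dict) -> bool:
    """True when the trail carries a non-empty KmsKeyId, i.e. SSE-KMS is configured."""
    key_id = trail.get("KmsKeyId")
    return isinstance(key_id, str) and key_id.strip() != ""


def account_from_arn(arn: str):
    """Account ID is the fifth colon-separated field of an AWS ARN; None if malformed."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else None


def find_unencrypted_trails(describe_trails_json: str) -> list:
    """Return one finding per trail without a KMS key (the non-compliant set)."""
    data = json.loads(describe_trails_json)
    findings = []
    for trail in data.get("trailList", []):
        if trail_uses_kms(trail):
            continue
        arn = trail.get("TrailARN", "")
        findings.append({
            "name": trail.get("Name"),
            "arn": arn,
            "region": trail.get("HomeRegion"),
            "account": account_from_arn(arn),
            "bucket": trail.get("S3BucketName"),
            "issue": "log files encrypted with SSE-S3 only (no KMS CMK)",
        })
    return findings


if __name__ == "__main__":
    for f in find_unencrypted_trails(SAMPLE_DESCRIBE_TRAILS):
        print(f"{f['name']} ({f['region']}, account {f['account']}): {f['issue']}")
```

Running it lists `legacy-trail` and `empty-key-trail`; `org-trail` is skipped because its `KmsKeyId` is set. Feeding it real output (`aws cloudtrail describe-trails --include-shadow-trails` per region) gives the same set the Resoto search returns.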
Fix detected issues by following the remediation steps:
- Create and manage the CMK encryption keys.
- Use a single CMK to encrypt and decrypt log files for multiple accounts across all regions.
- Control who can use your key for encrypting and decrypting CloudTrail log files.
- Assign permissions for the key to the users.
Please refer to the AWS CloudTrail documentation for details.
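The remediation steps above come down to two artifacts: a key policy that lets CloudTrail use the CMK (for every trail account and region) while restricting who may decrypt, and an update of each non-compliant trail to reference the key. The following added example (not Resoto's or AWS's own code) builds such a policy and applies the key to a trail; it assumes the statement shapes documented for CloudTrail (service principal `cloudtrail.amazonaws.com`, encryption-context key `aws:cloudtrail:arn`, `kms:CallerAccount` to scope decryption), and that the `client` argument exposes `update_trail(Name=..., KmsKeyId=...)` like a boto3 CloudTrail client. Account IDs and ARNs are constructed placeholders, and the recording client stands in for boto3 so the example runs offline.

```python
"""Added example: KMS key policy for CloudTrail plus switching a trail to the CMK.

Assumptions: policy statement shapes as documented by AWS for CloudTrail; `client`
behaves like a boto3 CloudTrail client. All IDs/ARNs are constructed placeholders."""
import json


def cloudtrail_key_policy(key_account_id: str, trail_account_ids: list) -> dict:
    """Key policy letting trails in `trail_account_ids` (all regions) encrypt with this CMK.

    One CMK serves multiple accounts: each account's trail ARN pattern is listed in the
    encryption-context condition, and decryption is limited to callers from those accounts."""
    trail_arns = [f"arn:aws:cloudtrail:*:{acct}:trail/*" for acct in trail_account_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Key administration stays with the key-owning account's IAM principals
                "Sid": "Enable IAM user permissions in the key-owning account",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{key_account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # CloudTrail may generate data keys only when writing for one of our trails
                "Sid": "Allow CloudTrail to encrypt logs",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "kms:GenerateDataKey*",
                "Resource": "*",
                "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": trail_arns}},
            },
            {   # CloudTrail validates the key when the trail is created or updated
                "Sid": "Allow CloudTrail to describe key",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "kms:DescribeKey",
                "Resource": "*",
            },
            {   # Wildcard principal is narrowed to the trail accounts by kms:CallerAccount;
                # IAM policies in those accounts then decide which users may read logs
                "Sid": "Allow principals in the trail accounts to decrypt log files",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"kms:CallerAccount": list(trail_account_ids)},
                    "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": trail_arns},
                },
            },
        ],
    }


def enable_kms_on_trail(client, trail_name: str, kms_key_arn: str) -> dict:
    """Point an existing trail at the CMK; new log files are then written with SSE-KMS.

    Design choice of this example: insist on a full key ARN (CloudTrail also accepts
    aliases and key IDs) so cross-region and cross-account trails resolve the same key."""
    if not kms_key_arn.startswith("arn:aws:kms:"):
        raise ValueError("pass the full KMS key ARN, not an alias or bare key ID")
    return client.update_trail(Name=trail_name, KmsKeyId=kms_key_arn)


class RecordingCloudTrailClient:
    """Stand-in for boto3's CloudTrail client (hypothetical) so the example runs offline."""
    def __init__(self):
        self.calls = []

    def update_trail(self, **kwargs):
        self.calls.append(kwargs)
        return {"Name": kwargs["Name"], "KmsKeyId": kwargs["KmsKeyId"]}


if __name__ == "__main__":
    policy = cloudtrail_key_policy("111111111111", ["111111111111", "222222222222"])
    print(json.dumps(policy, indent=2))   # paste into `aws kms put-key-policy --policy-name default`
    client = RecordingCloudTrailClient()  # replace with boto3.client("cloudtrail") for real use
    key_arn = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
    print(enable_kms_on_trail(client, "legacy-trail", key_arn))
```

After updating a trail, re-run the Resoto search above once the next collection has completed: the trail should no longer appear. Log files written before the change stay SSE-S3 encrypted; only new deliveries use the CMK.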