Version: 3.2.6

How to Find AWS CloudTrail Logs That Are Not Encrypted at Rest Using KMS CMKs

Problem

By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files.

info

This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity medium.

Prerequisites

This guide assumes that you have already installed and configured Resoto to collect your AWS cloud resources.

Directions

  1. Execute the following search command in Resoto Shell or Resoto UI:

    > search is(aws_cloud_trail) and trail_kms_key_id==null
    kind=aws_cloud_trail, ..., region=resoto-poweruser
    kind=aws_cloud_trail, ..., account=poweruser-team
  2. Pipe the search command into the dump command:

    > search is(aws_cloud_trail) and trail_kms_key_id==null | dump
    reported:
      id: /aws/cloudtrail/123
      name: some-name
      ctime: '2022-12-05T22:53:14Z'
      kind: aws_cloud_trail
      age: 2mo28d

    The command output lists the details of every non-compliant aws_cloud_trail resource, i.e. every trail whose trail_kms_key_id is unset and whose log files therefore rely on SSE-S3 alone.

  3. Fix detected issues by following the remediation steps:

    • Create and manage the CMK encryption keys.
    • Use a single CMK to encrypt and decrypt log files for multiple accounts across all regions.
    • Control who can use your key for encrypting and decrypting CloudTrail log files.
    • Assign permissions for the key to the users.
    note

    Please refer to the AWS CloudTrail documentation for details.
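    The same check and the first remediation step can be reproduced without Resoto. The following is an added example, not code from the Resoto documentation or the Resoto code base: it applies the condition behind the query above (trail_kms_key_id==null) to the shape of the AWS CloudTrail DescribeTrails response, and builds the parameters for an UpdateTrail call that attaches a KMS key. The sample response, account id and key ARNs are constructed for illustration; the live fetch via boto3 is optional and assumed to run with credentials that can call DescribeTrails.

```python
"""Flag CloudTrail trails that deliver log files without a KMS CMK.

Added example (not part of Resoto). A trail whose DescribeTrails entry has no
KmsKeyId is encrypted with SSE-S3 only; this is the condition the Resoto
query `trail_kms_key_id==null` expresses.
"""
from typing import Any, Dict, List

# Constructed sample modelled on the DescribeTrails response shape.
# The account id, trail names and key id are placeholders.
SAMPLE_DESCRIBE_TRAILS: Dict[str, Any] = {
    "trailList": [
        {
            "Name": "org-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",
            "HomeRegion": "us-east-1",
            "IsMultiRegionTrail": True,
            # SSE-KMS: log files are encrypted with a customer-managed key
            "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000",
        },
        {
            "Name": "legacy-trail",
            "TrailARN": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/legacy-trail",
            "HomeRegion": "eu-west-1",
            "IsMultiRegionTrail": False,
            # No KmsKeyId at all: SSE-S3 only, non-compliant
        },
        {
            "Name": "empty-key-trail",
            "TrailARN": "arn:aws:cloudtrail:us-west-2:111111111111:trail/empty-key-trail",
            "HomeRegion": "us-west-2",
            "IsMultiRegionTrail": False,
            "KmsKeyId": "",  # present but empty: treated as unset
        },
    ]
}


def has_cmk(trail: Dict[str, Any]) -> bool:
    """True when the trail carries a non-empty KmsKeyId (SSE-KMS in use)."""
    key_id = trail.get("KmsKeyId")
    return isinstance(key_id, str) and key_id.strip() != ""


def find_unencrypted_trails(describe_trails: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the trails whose KmsKeyId is missing or empty.

    This is the Resoto condition `trail_kms_key_id==null` applied to the raw
    API response instead of the collected resource graph.
    """
    return [t for t in describe_trails.get("trailList", []) if not has_cmk(t)]


def remediation_params(trail: Dict[str, Any], kms_key_arn: str) -> Dict[str, str]:
    """Build the keyword arguments for CloudTrail UpdateTrail that attach a key.

    Returned rather than executed so the change can be reviewed first. The key
    must already exist and its key policy must allow CloudTrail to use it
    (see the AWS CloudTrail documentation referenced above).
    """
    if not kms_key_arn:
        raise ValueError("a KMS key ARN, key id or alias is required")
    return {"Name": trail["TrailARN"], "KmsKeyId": kms_key_arn}


def fetch_describe_trails(region_name: str) -> Dict[str, Any]:
    """Optional live fetch; requires boto3 and AWS credentials."""
    import boto3  # imported lazily so the offline check has no dependency

    client = boto3.client("cloudtrail", region_name=region_name)
    return client.describe_trails(includeShadowTrails=False)


if __name__ == "__main__":
    # Placeholder key ARN; substitute the CMK created in remediation step 1.
    target_key = "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER-KEY-ID"
    for trail in find_unencrypted_trails(SAMPLE_DESCRIBE_TRAILS):
        print(f"{trail['Name']} ({trail['HomeRegion']}): no KMS CMK, SSE-S3 only")
        print("  planned update_trail:", remediation_params(trail, target_key))
```

    Running the script against the constructed sample reports legacy-trail and empty-key-trail; swap in fetch_describe_trails(region) to audit a real account, and pass the resulting dict to boto3's update_trail only after the key policy has been granted to CloudTrail.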

Further Reading