How to Find AWS CloudTrail Trails Not Encrypted with KMS Keys
By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files.
This security check is part of the CIS Amazon Web Services Benchmarks and is rated medium severity.
This guide assumes that you have already installed and configured Resoto to collect your AWS resources.
Execute the following search command in Resoto Shell or Resoto UI:
> search is(aws_cloud_trail) and trail_kms_key_id==null
kind=aws_cloud_trail, ..., region=resoto-poweruser
kind=aws_cloud_trail, ..., account=poweruser-team
To see the full details of each trail, pipe the search command into the dump command:
> search is(aws_cloud_trail) and trail_kms_key_id==null | dump
The command output will list the details of all non-compliant
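The same check, written here as an added example (not Resoto's own code) against the `trailList` shape returned by the CloudTrail DescribeTrails API: a trail counts as compliant only when it carries a non-empty `KmsKeyId`, and multi-region trails, which every region reports as a shadow copy, are de-duplicated by ARN so they are not flagged twice. The sample trails and the key ID are constructed placeholders.

```python
"""Flag CloudTrail trails whose log files are not encrypted with SSE-KMS.

Input is the `trailList` returned by DescribeTrails (boto3:
cloudtrail.describe_trails()). Offline sample data is used here; in practice
call describe_trails(includeShadowTrails=False) per region and pass the
concatenated trailList to find_unencrypted_trails().
"""


def is_kms_encrypted(trail):
    """True when the trail has a non-blank KmsKeyId (SSE-KMS in use)."""
    key_id = trail.get("KmsKeyId")
    # A missing key, None, or a blank string all mean SSE-S3 only.
    return isinstance(key_id, str) and key_id.strip() != ""


def find_unencrypted_trails(trail_list):
    """Return sorted, de-duplicated ARNs of trails without a KMS key.

    Mirrors the Resoto search `is(aws_cloud_trail) and trail_kms_key_id==null`,
    but also treats an empty-string KmsKeyId as missing and collapses the
    shadow copies of multi-region trails (same TrailARN seen in many regions).
    """
    non_compliant = {t["TrailARN"] for t in trail_list if not is_kms_encrypted(t)}
    return sorted(non_compliant)


# Constructed sample in the DescribeTrails trailList shape (not real trails).
SAMPLE_TRAILS = [
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"},
    {"Name": "legacy-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-trail"},
    # Shadow copy of legacy-trail as reported from a second region.
    {"Name": "legacy-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-trail"},
    {"Name": "eu-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/eu-trail",
     "KmsKeyId": ""},  # blank key: still SSE-S3 only
]

if __name__ == "__main__":
    for arn in find_unencrypted_trails(SAMPLE_TRAILS):
        print("non-compliant (no SSE-KMS):", arn)
```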
Encrypting CloudTrail log files with SSE-KMS lets you:
- Create and manage the CMK encryption keys yourself.
- Use a single CMK to encrypt and decrypt log files for multiple accounts across all regions.
- Control who can use your key for encrypting and decrypting CloudTrail log files.
- Assign permissions for the key to the users.
Please refer to the AWS CloudTrail documentation for details.