AWS CloudTrail Logs Are Not Encrypted Using Customer Master Keys (CMKs)

Checks to ensure that CloudTrail logs are encrypted with a KMS key you control. AWS CloudTrail is a service that enables governance, compliance, operational and risk auditing of the AWS account. Log files that CloudTrail delivers to S3 are encrypted with S3-managed keys (SSE-S3) by default; this policy requires SSE-KMS with a customer managed key (historically called a customer master key, CMK), so that access to the logs can be restricted and audited through the key policy. It is a compliance and security best practice to encrypt the CloudTrail data this way, since it may contain sensitive information such as request parameters and principal identities.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform, CloudFormation

Build Rules

AWS CloudTrail logs are not encrypted using Customer Master Keys (CMKs).
JSON Queries:
CloudFormation
$.Resources.*[?(@.Type == 'AWS::CloudTrail::Trail')] size > 0 and ($.Resources.*[?( @.Type == 'AWS::CloudTrail::Trail' )].Properties.KMSKeyId anyNull or $.Resources.*[?( @.Type == 'AWS::CloudTrail::Trail' )].Properties.KMSKeyId anyEmpty )
Terraform
$.resource[*].aws_cloudtrail exists and ($.resource[*].aws_cloudtrail[*].*[*].kms_key_id anyNull or $.resource[*].aws_cloudtrail[*].*[*].kms_key_id anyEmpty)
Recommendations:
  • CloudFormation
    Recommended solution for encrypting AWS CloudTrail logs using Customer Master Keys.
    It is recommended that CloudTrail logs are encrypted using Customer Master Keys. Please make sure your template has "KMSKeyId" (the key ARN, key ID, alias, or a reference to an AWS::KMS::Key in the same template) provided under the "Properties" of each "AWS::CloudTrail::Trail" resource.
    For example (Properties of the AWS::CloudTrail::Trail resource):
    "Properties": { "CloudWatchLogsLogGroupArn": "fooarn", "KMSKeyId": "fookey", "TrailName": "foo" }
  • Terraform
    Recommended solution for making sure AWS CloudTrail logs are encrypted using Customer Master Keys.
    It is recommended to encrypt the CloudTrail data since it may contain sensitive information. To do so, please make sure the "kms_key_id" attribute of every "aws_cloudtrail" resource is set to the ARN of the KMS key and is neither null nor an empty string. (Note that "enable_key_rotation" is an attribute of the "aws_kms_key" resource, not of the trail, and does not satisfy this rule.)
    For example (Terraform JSON syntax, as evaluated by the query above):
    {
      "aws_cloudtrail": [
        {
          "<s3 cloudtrail logfile name>": [
            {
              "include_global_service_events": false,
              "name": "tf-trail-bar",
              "s3_bucket_name": "${aws_s3_bucket.foo.id}",
              "s3_key_prefix": "prefix",
              "kms_key_id": "y"
            }
          ]
        }
      ]
    }
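The following is an added example (not Prisma Cloud's rule engine or any project code) that re-implements the two Build Rule queries above as a local pre-commit style check over CloudFormation JSON and Terraform JSON syntax, and adds the one thing the rule cannot see: whether the KMS key's policy actually lets the CloudTrail service principal generate data keys, which is required or trail creation and log delivery fail. All templates, the account ID and the key policy are constructed sample data; the abbreviated key policy omits the account's key-administration statement.

```python
"""Local check mirroring the CloudTrail-KMS Build rule, plus a key-policy sanity check.
Added example, not Prisma Cloud's own engine. All sample data below is constructed."""
from fnmatch import fnmatch


def unencrypted_cfn_trails(template):
    """Logical IDs of AWS::CloudTrail::Trail resources whose KMSKeyId is null or empty
    (the CloudFormation query: KMSKeyId anyNull or anyEmpty)."""
    hits = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::CloudTrail::Trail":
            continue
        key = res.get("Properties", {}).get("KMSKeyId")
        if key is None or key == "":
            hits.append(logical_id)
    return hits


def unencrypted_tf_trails(tf):
    """Names of aws_cloudtrail resources whose kms_key_id is null or empty
    (the Terraform query over $.resource[*].aws_cloudtrail[*].*[*].kms_key_id)."""
    hits = []
    for block in tf.get("resource", []):
        for trail_map in block.get("aws_cloudtrail", []):
            for name, bodies in trail_map.items():
                for body in bodies:
                    key = body.get("kms_key_id")
                    if key is None or key == "":
                        hits.append(name)
    return hits


def key_policy_allows_cloudtrail(policy):
    """Setting the key on the trail is not enough: the key policy must grant
    kms:GenerateDataKey* to cloudtrail.amazonaws.com. Returns True if some Allow
    statement does so (conditions are not evaluated here)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("Service", [])
        if isinstance(principals, str):
            principals = [principals]
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "cloudtrail.amazonaws.com" in principals and any(
            fnmatch("kms:GenerateDataKey", pattern) for pattern in actions
        ):
            return True
    return False


# Constructed CloudFormation template: TrailNoKms and TrailEmptyKms violate the rule,
# TrailKms references a key defined in the same template and passes.
CFN_TEMPLATE = {
    "Resources": {
        "TrailKey": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {}}},
        "TrailNoKms": {"Type": "AWS::CloudTrail::Trail",
                       "Properties": {"IsLogging": True, "S3BucketName": "example-trail-bucket"}},
        "TrailEmptyKms": {"Type": "AWS::CloudTrail::Trail",
                          "Properties": {"IsLogging": True, "S3BucketName": "example-trail-bucket",
                                         "KMSKeyId": ""}},
        "TrailKms": {"Type": "AWS::CloudTrail::Trail",
                     "Properties": {"IsLogging": True, "S3BucketName": "example-trail-bucket",
                                    "KMSKeyId": {"Fn::GetAtt": ["TrailKey", "Arn"]}}},
    }
}

# Constructed Terraform JSON: tf-trail-bar is the weak form, tf-trail-ok the corrected one.
TF_JSON = {"resource": [{"aws_cloudtrail": [
    {"tf-trail-bar": [{"name": "tf-trail-bar", "s3_bucket_name": "${aws_s3_bucket.foo.id}"}]},
    {"tf-trail-ok": [{"name": "tf-trail-ok", "s3_bucket_name": "${aws_s3_bucket.foo.id}",
                      "kms_key_id": "${aws_kms_key.trail.arn}"}]},
]}]}

# Constructed, abbreviated key policy (sample account ID 111122223333); the
# key-administration statement for the account's principals is omitted.
TRAIL_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                      "arn:aws:cloudtrail:*:111122223333:trail/*"}}},
        {"Sid": "Allow CloudTrail to describe key", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:DescribeKey", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("CloudFormation findings:", unencrypted_cfn_trails(CFN_TEMPLATE))
    print("Terraform findings:", unencrypted_tf_trails(TF_JSON))
    print("Key policy allows CloudTrail:", key_policy_allows_cloudtrail(TRAIL_KEY_POLICY))
```

A trail whose key is a reference (an Fn::GetAtt or a "${aws_kms_key...}" interpolation) passes the attribute check, exactly as the page's queries treat it; whether that key's policy is sufficient is a separate question, which is why the third function exists. Principals that need to read the delivered log objects must additionally be granted kms:Decrypt on the same key.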

Run Rule Recommendation

  1. Log in to the AWS Console and navigate to the 'CloudTrail' service.
  2. For each trail, edit the trail and enable log file SSE-KMS encryption (in the older console this is the 'Encrypt log files' setting under Configuration > Storage Location).
  3. Choose an existing KMS key or create a new one to encrypt the logs with. The key's policy must allow the cloudtrail.amazonaws.com service principal to use kms:GenerateDataKey* (the console adds this statement when it creates the key for you); otherwise saving the trail fails. Anyone who needs to read the log files must also be granted kms:Decrypt on that key. The same change can be made from the CLI with 'aws cloudtrail update-trail --name <trail-name> --kms-key-id <key-arn>'.

Compliance

There are 9 standards that are applicable to this policy:
  • CIS v1.2.0 (AWS)
  • NIST CSF
  • ISO 27001:2013
  • NIST 800-171 Rev1
  • GDPR
  • NIST 800-53 Rev4
  • SOC 2
  • CSA CCM v3.0.1
  • HITRUST CSF v9.3
