🛡️ AWS CloudTrail is not encrypted with KMS CMK🟢

Contextual name: 🛡️ CloudTrail is not encrypted with KMS CMK🟢
ID: /ce/ca/aws/cloudtrail/encryption-with-kms-cmk
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS CloudTrail Trail
- 🔌 AWS KMS Key - object.extracts.yaml
- 🔌 AWS CloudTrail Trail - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

Cloud Conformity: CloudTrail Logs Encrypted
Internal: dec-x-d896d172

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-d896d172	1

Description

Open File

Description

AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.

Rationale

Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.

Impact

Customer created keys incur an additional cost. See https://aws.amazon.com/kms/pricing/ for more information.

Audit

Perform the following to determine if CloudTrail is configured to use SSE-KMS:

... see more

Remediation

Open File

Remediation

Perform the following to configure CloudTrail to use SSE-KMS:

From Console

Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.

In the left navigation pane, choose Trails.

Click on a Trail.

Under the S3 section click on the edit button (pencil icon).

Click Advanced.

Select an existing CMK from the KMS key Id drop-down menu.

Note: Ensure the CMK is located in the same region as the S3 bucket.

Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided here for editing the selected CMK Key policy.

Click Save.

You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files.

Click Yes.

From Command Line

Run the following command to specify a KMS key ID to use with a trail:

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudTrail.2] CloudTrail should have encryption at-rest enabled			1	no data
💼 AWS Well-Architected → 💼 SEC08-BP02 Enforce encryption at rest			17	no data
💼 CIS AWS v1.2.0 → 💼 2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs			1	no data
💼 CIS AWS v1.3.0 → 💼 3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs			1	no data
💼 CIS AWS v1.4.0 → 💼 3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs			1	no data
💼 CIS AWS v1.5.0 → 💼 3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs - Level 2 (Automated)			1	no data
💼 CIS AWS v2.0.0 → 💼 3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs - Level 2 (Automated)			1	no data
💼 CIS AWS v3.0.0 → 💼 3.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs - Level 2 (Automated)			1	no data
💼 CIS AWS v4.0.0 → 💼 3.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Automated)			1	no data
💼 CIS AWS v4.0.1 → 💼 3.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Automated)			1	no data
💼 CIS AWS v5.0.0 → 💼 3.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Automated)			1	no data
💼 CIS AWS v6.0.0 → 💼 4.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Automated)			1	no data
💼 Cloudaware Framework → 💼 Data Encryption			57	no data
💼 FedRAMP High Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)	3	8	12	no data
💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H)			13	no data
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H)			13	no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	34	no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	32	no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)		5	21	no data
💼 FedRAMP Low Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)			11	no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			34	no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		32	no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			21	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)	1		11	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			34	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		32	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)			21	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			164	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			140	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			156	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-9 Protection of Audit Information	7	2	6	no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			32	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control _ Cryptography Management			13	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration			13	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		23	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest	3	17	33	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection		10	21	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection			20	no data
💼 PCI DSS v3.2.1 → 💼 10.5.2 Protect audit trail files from unauthorized modifications.		1	4	no data
💼 PCI DSS v4.0.1 → 💼 10.3.2 Audit log files are protected to prevent modifications by individuals.			4	no data
💼 PCI DSS v4.0 → 💼 10.3.2 Audit log files are protected to prevent modifications by individuals.		2	4	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Impact​

Audit​

Remediation​

Remediation​

From Console​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Impact

Audit

Remediation

Remediation

From Console

From Command Line

policy.yaml

Linked Framework Sections