Skip to main content

πŸ’Ό [CloudTrail.2] CloudTrail should have encryption at-rest enabled

  • Contextual name: πŸ’Ό [CloudTrail.2] CloudTrail should have encryption at-rest enabled
  • ID: /frameworks/aws-fsbp-v1.0.0/cloudtrail/02
  • Located in: πŸ’Ό CloudTrail

Description​

For an added layer of security for your sensitive CloudTrail log files, you should use server-side encryption with AWS KMS keys (SSE-KMS) for your CloudTrail log files for encryption at rest. Note that by default, the log files delivered by CloudTrail to your buckets are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3).

Similar​

Similar Sections (Give Policies To)​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-9 Protection of Audit Information724
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CA-9(1) Internal System Connections _ Compliance Checks15
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-3(6) Configuration Change Control _ Cryptography Management4
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(10) Boundary Protection _ Prevent Exfiltration4
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-13 Cryptographic Protection46
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28 Protection of Information at Rest31518
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28(1) Protection of Information at Rest _ Cryptographic Protection1012
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection6
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.5.2 Protect audit trail files from unauthorized modifications.24
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.3.2 Audit log files are protected to prevent modifications by individuals.4
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.3.2 Audit log files are protected to prevent modifications by individuals.4

Sub Sections​

SectionSub SectionsInternal RulesPoliciesFlags

Policies (1)​

PolicyLogic CountFlags
πŸ“ AWS CloudTrail is not encrypted with KMS CMK 🟒1🟒 x6