CloudTrail logs are not encrypted with customer managed key Affecting CloudTrail service in AWS

Snyk CCSS

Keys and Secrets / Audit

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

AWS-Well-Architected CIS-AWS CIS-Controls CSA-CCM GDPR ISO-27001 NIST-800-53 PCI-DSS SOC-2

Snyk ID SNYK-CC-00004
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

By default, the log files delivered by CloudTrail to your bucket are encrypted with Amazon S3-managed encryption keys (SSE-S3). To get control over key rotation and obtain auditing visibility into key usage, use SSE-KMS to encrypt log files with customer managed KMS keys.

How to fix?

Set the aws_cloudtrail kms_key_id field to the KMS key ARN to use to encrypt the logs delivered by CloudTrail.

Example Configuration

resource "aws_cloudtrail" "example" {
  kms_key_id = "arn:aws:kms:example-key-id"
  # other required fields here
}

CloudTrail logs are not encrypted with customer managed key Affecting CloudTrail service in AWS

Severity

Description

How to fix?

Example Configuration

CloudFormation

Terraform

References