CloudTrail Encryption

Quick Info

Plugin Title: CloudTrail Encryption
Description: Ensures CloudTrail encryption at rest is enabled for logs
More Info: CloudTrail log files contain sensitive information about an account and should be encrypted at rest for additional protection.
AWS Link
Recommended Action: Enable CloudTrail log encryption through the CloudTrail console or API

Detailed Remediation Steps

  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for “CloudTrail”.
  3. In the “Dashboard” panel click on “View trails” button.
  4. Select the “trail” that needs to be verified under “Name” column.
  5. Scroll down and, under the “Storage location” option, check “Encrypt log files with SSE-KMS”. If its status is “No”, log encryption is not enabled for the selected trail.
  6. Click on the pencil icon to open the “Storage location” configuration settings. Scroll down and click “Yes” next to “Encrypt log files with SSE-KMS” to enable CloudTrail log encryption.
  7. Click “Yes” next to “Create a new KMS key” and enter a name. Make sure the KMS key and the S3 bucket are in the same region.
  8. Click “No” next to “Create a new KMS key” if you already have a KMS key available, and select it.
  9. Scroll down and click on “Save” to enable the CloudTrail log encryption.
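The console steps above can be verified (and fixed) from the API as well. The following added example, which is not part of this plugin's code, implements the same check over the JSON that `aws cloudtrail describe-trails` returns: a trail passes only when `KmsKeyId` is set, and it warns when the key's ARN region differs from the trail's home region (the same-region requirement from step 7). The sample response, account id, bucket names and key ids are constructed for the example; the `update-trail --kms-key-id` command it prints is the real AWS CLI call for step 6.

```python
"""Check CloudTrail trails for SSE-KMS log encryption from describe-trails output.
Added example, not the plugin's own implementation."""
import json

# Constructed sample: same shape as `aws cloudtrail describe-trails` output
# (trailList entries with Name, HomeRegion, S3BucketName and optional KmsKeyId).
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {"Name": "audit-trail", "HomeRegion": "us-east-1",
         "S3BucketName": "example-cloudtrail-bucket",
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
        {"Name": "legacy-trail", "HomeRegion": "us-west-2",
         "S3BucketName": "example-legacy-bucket"},          # no KmsKeyId: encryption off
        {"Name": "cross-region-key", "HomeRegion": "eu-west-1",
         "S3BucketName": "example-eu-bucket",
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"},
    ]
})


def kms_key_region(kms_key_id):
    """Return the region embedded in a KMS key ARN, or None for an alias or bare key id."""
    parts = kms_key_id.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "kms":
        return parts[3]
    return None


def check_trail_encryption(describe_trails_json):
    """Return one finding per trail as (name, status, message).

    status is 'PASS' (SSE-KMS enabled), 'FAIL' (no KMS key on the trail) or
    'WARN' (key set, but its region differs from the trail's home region)."""
    data = json.loads(describe_trails_json)
    trails = data.get("trailList", [])
    if not trails:
        # No trails at all means no encrypted logs either; report it explicitly.
        return [("(none)", "FAIL", "No CloudTrail trails found")]
    findings = []
    for trail in trails:
        name = trail.get("Name", "?")
        home_region = trail.get("HomeRegion")
        key = trail.get("KmsKeyId")
        if not key:
            findings.append((name, "FAIL", "CloudTrail log encryption is not enabled"))
            continue
        key_region = kms_key_region(key)
        if key_region and key_region != home_region:
            findings.append((name, "WARN",
                             f"KMS key is in {key_region} but trail home region is {home_region}"))
            continue
        findings.append((name, "PASS", "CloudTrail log encryption is enabled"))
    return findings


def remediation_command(trail_name, kms_key_id):
    """Build the AWS CLI call that enables SSE-KMS on an existing trail (step 6 via the API)."""
    return f"aws cloudtrail update-trail --name {trail_name} --kms-key-id {kms_key_id}"


if __name__ == "__main__":
    for name, status, message in check_trail_encryption(SAMPLE_DESCRIBE_TRAILS):
        print(f"{status:4} {name}: {message}")
        if status == "FAIL" and name != "(none)":
            # Placeholder key id; substitute a key in the trail's home region.
            print("     fix:", remediation_command(name, "<kms-key-arn-in-trail-region>"))
```

To run it against a real account, pipe `aws cloudtrail describe-trails` into `check_trail_encryption` instead of the constructed sample; the KMS key policy must also allow the CloudTrail service principal to encrypt, or `update-trail` is rejected.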