HIGH
Source
Trivy/CSPM
CSPM ID
cloudtrail-encryption
ID
AVD-AWS-0015

CloudTrail should use Customer managed keys to encrypt the logs

Using AWS managed keys does not allow for fine grained control. Using Customer managed keys provides comprehensive control over cryptographic keys, enabling management of policies, permissions, and rotation, thus enhancing security and compliance measures for sensitive data and systems.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Use Customer managed key

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
Resources:
  GoodExample:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      IsMultiRegionTrail: true
      KmsKeyId: alias/CloudtrailKey
      S3BucketName: CloudtrailBucket
      S3KeyPrefix: /trailing
      TrailName: Cloudtrail
  1. Log in to the AWS Management Console.

  2. Select the “Services” option and search for “CloudTrail”.Step

  3. In the “Dashboard” panel click on the desired trail from the list under “Trails” to get to its configuration page.Step

  4. Click on “Edit” button under “General details”.Step

  5. On the Edit Trail page scroll down and check for “Log file SSE-KMS encryption”. If its status is not selected as “Enabled” then the selected trail does not support log encryption.Step

  6. Select the checkbox to change the status as “Enabled” under “Log file SSE-KMS encryption” to enable the “CloudTrail” log encryption. Step

  7. If you do not have an existing KMS key then under “Customer managed AWS KMS key” option select “New” and enter a name for “AWS KMS alias”. Make sure KMS key and S3 bucket must be in the same region.Step

  8. If you already have a “KMS key” available then under “Customer managed AWS KMS key” option select “Existing” and click to choose an existing key under “AWS KMS alias”. .Step

  9. Scroll down and click on “Save changes” to enable the CloudTrail log encryption.Step

Use Customer managed key

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
resource "aws_kms_key" "trail" {
  enable_key_rotation = true
}
resource "aws_kms_alias" "trail" {
  name          = "alias/trail"
  target_key_id = aws_kms_key.trail.key_id
}

resource "aws_cloudtrail" "good_example" {
  is_multi_region_trail      = true
  enable_log_file_validation = true
  kms_key_id                 = aws_kms_alias.trail.arn

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}