Severity: HIGH
Source: Trivy/CSPM
CSPM ID: cloudtrail-encryption
ID: AVD-AWS-0015

Cloudtrail should be encrypted at rest to secure access to sensitive trail data

CloudTrail logs should be encrypted at rest to protect the sensitive data they contain. CloudTrail records all activity that occurs in the account through API calls, so its logs are one of the first places an investigator looks when responding to a breach.

Impact

Data can be freely read if compromised
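The check behind this finding is simple to reproduce: a trail whose configuration carries no `KmsKeyId` is writing log files with the default SSE-S3 protection rather than SSE-KMS. The following is an added example, not part of the original page or of Trivy, that evaluates the `trailList` returned by the CloudTrail `DescribeTrails` API and reports every trail without a KMS key. The sample trail records are constructed here so the script runs offline; `check_account` is an optional live variant that calls the real API through boto3.

```python
"""Report CloudTrail trails whose log files are not encrypted with SSE-KMS.

Added example (not from the original page). It operates on the shape of the
`DescribeTrails` response: a list of trail dicts under the "trailList" key.
"""


def find_unencrypted_trails(trails):
    """Return one finding per trail that has no KmsKeyId set.

    A missing or empty KmsKeyId means the trail relies on SSE-S3 only, which is
    exactly what AVD-AWS-0015 flags. Returns a list of small dicts so callers
    can render or forward the findings however they like.
    """
    findings = []
    for trail in trails:
        kms_key_id = trail.get("KmsKeyId")
        if not kms_key_id:  # covers both absent key and empty string
            findings.append(
                {
                    "name": trail.get("Name"),
                    "arn": trail.get("TrailARN"),
                    "region": trail.get("HomeRegion"),
                    "bucket": trail.get("S3BucketName"),
                    "rule": "AVD-AWS-0015",
                    "severity": "HIGH",
                }
            )
    return findings


def check_account(session=None):
    """Live variant: fetch trails from AWS and run the same check.

    boto3 is imported lazily so the offline part of this module has no
    dependency on it. includeShadowTrails=False avoids listing the same
    multi-region trail once per region.
    """
    import boto3  # real library; only needed for the live check

    client = (session or boto3).client("cloudtrail")
    response = client.describe_trails(includeShadowTrails=False)
    return find_unencrypted_trails(response["trailList"])


# Constructed sample data shaped like a DescribeTrails response. The ARNs,
# names and account id are placeholders, not real resources.
SAMPLE_TRAILS = [
    {
        "Name": "management-trail",
        "S3BucketName": "example-cloudtrail-bucket",
        "IsMultiRegionTrail": True,
        "HomeRegion": "us-east-1",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/management-trail",
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
    },
    {
        # No KmsKeyId at all: SSE-S3 only, should be flagged.
        "Name": "legacy-trail",
        "S3BucketName": "example-legacy-bucket",
        "IsMultiRegionTrail": False,
        "HomeRegion": "eu-west-1",
        "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-trail",
        "LogFileValidationEnabled": False,
    },
    {
        # Empty KmsKeyId: treated the same as absent, should be flagged.
        "Name": "audit-trail",
        "S3BucketName": "example-audit-bucket",
        "IsMultiRegionTrail": True,
        "HomeRegion": "us-west-2",
        "TrailARN": "arn:aws:cloudtrail:us-west-2:111122223333:trail/audit-trail",
        "LogFileValidationEnabled": True,
        "KmsKeyId": "",
    },
]


if __name__ == "__main__":
    for finding in find_unencrypted_trails(SAMPLE_TRAILS):
        print(f"[{finding['severity']}] {finding['rule']}: trail {finding['name']} "
              f"({finding['region']}) writes unencrypted logs to s3://{finding['bucket']}")
```

Run against the constructed data, the script reports `legacy-trail` and `audit-trail` and stays silent about `management-trail`. The live variant needs credentials with `cloudtrail:DescribeTrails` and is read-only.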

Follow the appropriate remediation steps below to resolve the issue.

Enable encryption at rest (CloudFormation)

```yaml
---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  GoodExample:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      IsMultiRegionTrail: true
      # Setting KmsKeyId switches log file encryption from SSE-S3 to SSE-KMS,
      # which is what this check requires.
      KmsKeyId: "alias/CloudtrailKey"
      S3BucketName: "CloudtrailBucket"
      S3KeyPrefix: "/trailing"
      TrailName: "Cloudtrail"
```
AWS Management Console

1. Log into the AWS Management Console.
2. Select the "Services" option and search for "CloudTrail".
3. In the "Dashboard" panel click on the "View trails" button.
4. Select the trail that needs to be verified under the "Name" column.
5. Scroll down and under the "Storage location" option check for "Encrypt log files with SSE-KMS". If its status is "No", the selected trail does not encrypt its log files with SSE-KMS.
6. Click on the pencil icon to open the "Storage location" configuration settings. Scroll down and click on "Yes" next to "Encrypt log files with SSE-KMS" to enable CloudTrail log encryption.
7. Click on the "Yes" option next to "Create a new KMS key" and enter a name. Make sure the KMS key and the S3 bucket are in the same region.
8. Click on the "No" option next to "Create a new KMS key" if you already have a KMS key available.
9. Scroll down and click on "Save" to enable CloudTrail log encryption.

Enable encryption at rest (Terraform)

```hcl
resource "aws_cloudtrail" "good_example" {
  # name and s3_bucket_name are required by the provider; the values here are
  # placeholders that were not part of the original snippet.
  name                       = "good_example"
  s3_bucket_name             = "cloudtrail-bucket"
  is_multi_region_trail      = true
  enable_log_file_validation = true
  # Referencing a KMS key id enables SSE-KMS for the trail's log files.
  kms_key_id                 = var.kms_id

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}
```