Severity: HIGH
Source: Trivy/CSPM
CSPM ID: cloudtrail-encryption
ID: AVD-AWS-0015

Cloudtrail should be encrypted at rest to secure access to sensitive trail data

Using Customer managed keys provides comprehensive control over cryptographic keys, enabling management of policies, permissions, and rotation, thus enhancing security and compliance measures for sensitive data and systems.

Impact

Using AWS managed keys does not allow for fine-grained control over the key.

Follow the appropriate remediation steps below to resolve the issue.

Use Customer managed key

Resources:
  # Compliant example: KmsKeyId points the trail at a customer managed KMS key,
  # so log files are written to the bucket with SSE-KMS instead of the default
  # S3-managed encryption.
  GoodExample:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      IsMultiRegionTrail: true
      KmsKeyId: "alias/CloudtrailKey"
      S3BucketName: "CloudtrailBucket"
      S3KeyPrefix: "/trailing"
      TrailName: "Cloudtrail"

  1. Log in to the AWS Management Console.

  2. Select the “Services” option and search for “CloudTrail”.

  3. In the “Dashboard” panel, click on the desired trail from the list under “Trails” to get to its configuration page.

  4. Click on the “Edit” button under “General details”.

  5. On the Edit Trail page, scroll down and check “Log file SSE-KMS encryption”. If its status is not “Enabled”, the selected trail does not have log file encryption enabled.

  6. Select the checkbox under “Log file SSE-KMS encryption” to change the status to “Enabled” and turn on CloudTrail log encryption.

  7. If you do not have an existing KMS key, select “New” under the “Customer managed AWS KMS key” option and enter a name for “AWS KMS alias”. Make sure the KMS key and the S3 bucket are in the same region.

  8. If you already have a KMS key available, select “Existing” under the “Customer managed AWS KMS key” option and choose the existing key under “AWS KMS alias”.

  9. Scroll down and click on “Save changes” to enable CloudTrail log encryption.
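The console steps above fix one trail at a time; an auditor usually wants to know which trails in an account still lack a KMS key before and after the change. The following Python is an added example, not part of this AVD entry or of Trivy: it applies the same check to two inputs, the JSON that `aws cloudtrail describe-trails` returns (each trail carries a `KmsKeyId` field when SSE-KMS is enabled) and a CloudFormation template in JSON form. The trail names, bucket names, key ARN and template contents are constructed sample data.

```python
import json

# Constructed sample of `aws cloudtrail describe-trails` output, trimmed to the
# fields this check uses. Names and the key ARN are made up for the example.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {"Name": "Cloudtrail", "S3BucketName": "CloudtrailBucket",
         "IsMultiRegionTrail": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"Name": "legacy-trail", "S3BucketName": "legacy-bucket",
         "IsMultiRegionTrail": False},
        {"Name": "empty-key-trail", "S3BucketName": "other-bucket",
         "IsMultiRegionTrail": True, "KmsKeyId": ""},
    ]
})

# Constructed sample CloudFormation template (JSON form) with one compliant
# trail and one that relies on default S3-managed encryption.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "EncryptedTrail": {
            "Type": "AWS::CloudTrail::Trail",
            "Properties": {
                "IsLogging": True,
                "KmsKeyId": {"Ref": "CloudtrailKey"},
                "S3BucketName": "CloudtrailBucket",
            },
        },
        "UnencryptedTrail": {
            "Type": "AWS::CloudTrail::Trail",
            "Properties": {
                "IsLogging": True,
                "S3BucketName": "CloudtrailBucket",
            },
        },
        "LogBucket": {"Type": "AWS::S3::Bucket"},
    }
})


def unencrypted_trails(describe_trails_output):
    """Names of live trails whose log files are not encrypted with SSE-KMS.

    A trail is flagged when KmsKeyId is absent or empty, which means CloudTrail
    is using the bucket's default (S3-managed) encryption rather than a
    customer managed key.
    """
    trails = json.loads(describe_trails_output).get("trailList", [])
    return [t["Name"] for t in trails if not t.get("KmsKeyId")]


def unencrypted_template_trails(template_json):
    """Logical IDs of AWS::CloudTrail::Trail resources that set no KmsKeyId.

    KmsKeyId may be a literal alias/ARN or an intrinsic function such as
    {"Ref": ...}; either counts as set. Other resource types are ignored.
    """
    resources = json.loads(template_json).get("Resources", {})
    findings = []
    for logical_id, resource in resources.items():
        if resource.get("Type") != "AWS::CloudTrail::Trail":
            continue
        properties = resource.get("Properties", {})
        if not properties.get("KmsKeyId"):
            findings.append(logical_id)
    return findings


if __name__ == "__main__":
    for name in unencrypted_trails(SAMPLE_DESCRIBE_TRAILS):
        print(f"trail without SSE-KMS encryption: {name}")
    for logical_id in unencrypted_template_trails(SAMPLE_TEMPLATE):
        print(f"template resource without KmsKeyId: {logical_id}")
```

To run it against a real account, replace `SAMPLE_DESCRIBE_TRAILS` with the output of `aws cloudtrail describe-trails --include-shadow-trails` saved to a file; the shadow-trail flag matters because a multi-region trail is otherwise only listed in its home region.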

Use Customer managed key

# Declared here so the example is self-contained; in practice the key ARN or
# alias usually comes from an aws_kms_key resource or a variable like this one.
variable "kms_id" {
  description = "ARN or alias of the customer managed KMS key that encrypts the trail's log files"
  type        = string
}

data "aws_s3_bucket" "important-bucket" {
  bucket = "important-bucket" # placeholder name of the bucket whose object-level events are logged
}

resource "aws_cloudtrail" "good_example" {
  name                       = "good_example"
  s3_bucket_name             = "cloudtrail-logs-bucket" # required argument; placeholder bucket that receives the log files
  is_multi_region_trail      = true
  enable_log_file_validation = true
  # Customer managed key: log files are written with SSE-KMS under this key
  kms_key_id                 = var.kms_id

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}