
CloudTrail logs are not encrypted using AWS KMS-managed keys

  • GG_ID: GG_IAC_0027
  • Severity: HIGH
  • Complexity: LOW
  • Categories: DATA, PERMISSION
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: True


CloudTrail records every API call made by a user, role or AWS service in the account as an event and delivers the resulting log files to an S3 bucket. By default, those log files are encrypted with Amazon S3 server-side encryption (SSE-S3). That protects them at rest, but S3 decrypts transparently for any principal that holds s3:GetObject on the bucket. Encrypting the log files with an AWS Key Management Service (AWS KMS) customer managed key adds a second gate: a reader also needs kms:Decrypt on that key, and the key policy grants that only to the principals you choose. This is what restricts the logs to authorized users.


An attacker who gains read access to the log bucket, whether through an over-permissive bucket policy or a compromised identity with S3 read permissions, can download the CloudTrail log files and read them freely, because SSE-S3 alone does not require any permission beyond S3 access.

Remediation guidelines#

Encrypt the CloudTrail log files with an AWS KMS customer managed key: set the trail's KMS key (kms_key_id in Terraform, KMSKeyId in CloudFormation, KmsKeyId in the CloudTrail API) and give the key a policy that lets cloudtrail.amazonaws.com generate data keys for the trail while granting kms:Decrypt only to the principals that should read the logs. The key and the trail must be in the same region.
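The following Terraform configuration is an added example written for this page; it is not GitGuardian's own code or the code of any scanned project. It shows the weak trail (no KMS key, which is what this rule flags) next to a hardened trail whose log files are encrypted with a customer managed key, and a key policy that lets CloudTrail encrypt while leaving decryption to one reader role. The bucket name `example-cloudtrail-logs`, the trail names and the role name `cloudtrail-log-reader` are assumptions; the bucket is assumed to already carry a bucket policy that allows cloudtrail.amazonaws.com to write to it. The weak resource is kept only for contrast and would not be applied in practice.

```hcl
# Added example (not the page's or GitGuardian's own code).
# Assumed names: bucket "example-cloudtrail-logs" (already has a CloudTrail
# bucket policy), trails "example-trail-weak" / "example-trail", and an IAM
# role "cloudtrail-log-reader" that is the only principal allowed to decrypt.

data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
  partition  = data.aws_partition.current.partition
  # Encryption context CloudTrail attaches to every data key it requests.
  trail_arn_pattern = "arn:${local.partition}:cloudtrail:*:${local.account_id}:trail/*"
}

# WEAK: no kms_key_id, so log files are protected by SSE-S3 only.
# Any principal with s3:GetObject on the bucket can read them (GG_IAC_0027).
resource "aws_cloudtrail" "weak" {
  name           = "example-trail-weak"
  s3_bucket_name = "example-cloudtrail-logs"
  # kms_key_id intentionally omitted
}

# Customer managed key for the trail. The key policy, not the S3 bucket
# policy, now decides who can turn the log files back into plaintext.
resource "aws_kms_key" "cloudtrail" {
  description         = "CMK for CloudTrail log file encryption"
  enable_key_rotation = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Standard key-administration statement; without it the key cannot be
        # managed. It delegates kms:* to the account's IAM policies, so keep
        # kms:Decrypt out of broad IAM policies or tighten this statement.
        Sid       = "Enable key administration"
        Effect    = "Allow"
        Principal = { AWS = "arn:${local.partition}:iam::${local.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # CloudTrail only needs to generate data keys, and only for trails in
        # this account (checked via the encryption context).
        Sid       = "Allow CloudTrail to encrypt log files"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "kms:GenerateDataKey*"
        Resource  = "*"
        Condition = {
          StringLike = { "kms:EncryptionContext:aws:cloudtrail:arn" = local.trail_arn_pattern }
        }
      },
      {
        Sid       = "Allow CloudTrail to describe the key"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "kms:DescribeKey"
        Resource  = "*"
      },
      {
        # The second gate: only this role (assumed name) may decrypt log files,
        # and only when the ciphertext carries a CloudTrail encryption context.
        Sid       = "Allow log readers to decrypt"
        Effect    = "Allow"
        Principal = { AWS = "arn:${local.partition}:iam::${local.account_id}:role/cloudtrail-log-reader" }
        Action    = ["kms:Decrypt", "kms:ReEncryptFrom"]
        Resource  = "*"
        Condition = {
          StringEquals = { "kms:CallerAccount" = local.account_id }
          StringLike   = { "kms:EncryptionContext:aws:cloudtrail:arn" = local.trail_arn_pattern }
        }
      },
    ]
  })
}

# HARDENED: log files are written with SSE-KMS under the key above.
resource "aws_cloudtrail" "hardened" {
  name                       = "example-trail"
  s3_bucket_name             = "example-cloudtrail-logs"
  kms_key_id                 = aws_kms_key.cloudtrail.arn
  enable_log_file_validation = true # also detect tampering with delivered files

  depends_on = [aws_kms_key.cloudtrail]
}
```

A principal that has s3:GetObject on the bucket but no kms:Decrypt on the key now gets an AccessDenied from S3 when fetching a log file written by the hardened trail. To find trails in an account that still lack a key, `aws cloudtrail describe-trails --query "trailList[?KmsKeyId==null].Name"` lists the names; the trail must be in the same region as the key, and CloudTrail validates the key policy when the trail is created or updated, so a missing GenerateDataKey statement fails at that point rather than silently.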

External documentation#