Cloudtrail logs are not encrypted using AWS KMS-managed keys

• GG_ID: GG_IAC_0027
• Severity: HIGH
• Complexity: LOW
• Categories: DATA, PERMISSION
• Providers: AWS
• Potential data exposure: True
• Visible in logs: False
• User interaction required: False
• Privileges required: True

Description

Cloudtrail logs record every action taken by a user, role or AWS service in the account as events. By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE). Log files should also be encrypted with an AWS Key Management Service (AWS KMS) key. This ensures only authorized users have access to the logs.

Impact

An attacker could have access to Cloudtrail logs and read them freely if they get compromised.

Remediation guidelines

Encrypt the Cloudtrail logs using an AWS KMS key.

External documentation

• Encrypting Cloudtrail log files with AWS KMS-managed keys