
CloudTrail logs are not encrypted using AWS KMS-managed keys

  • GG_ID: GG_IAC_0027
  • Severity: HIGH
  • Complexity: LOW
  • Categories: DATA, PERMISSION
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: True

Description#

CloudTrail records every API call made by a user, role or AWS service in the account as an event and delivers the resulting log files to an S3 bucket. By default those log files are encrypted with Amazon S3 server-side encryption using S3-managed keys (SSE-S3). That encryption is transparent to anyone who can read the object: S3 read permission on the bucket is all it takes to read the logs. Encrypting the log files with an AWS Key Management Service (AWS KMS) key (SSE-KMS) adds a second gate, because a reader must also be allowed kms:Decrypt by the key policy. The key policy can therefore limit log access to a small set of audited principals, independently of who is able to list or read the bucket.

Impact#

An attacker who obtains read access to the log bucket, for example through a permissive bucket policy or compromised credentials that carry s3:GetObject, can download and read the CloudTrail logs directly. Since the logs describe every API call in the account, this reveals which principals and resources exist and what they do, and lets the attacker check whether their own activity has been recorded. With SSE-KMS the same attacker would additionally need kms:Decrypt on the trail's key before the log files become readable.

Remediation guidelines#

Create a customer-managed KMS key whose key policy lets the cloudtrail.amazonaws.com service principal generate data keys (kms:GenerateDataKey*) and describe the key, grant kms:Decrypt only to the principals that need to read the logs, and reference the key from the trail: the kms_key_id argument of the Terraform aws_cloudtrail resource, the KMSKeyId property of AWS::CloudTrail::Trail in CloudFormation, or the --kms-key-id option of aws cloudtrail create-trail / update-trail. Only log files delivered after the change are encrypted with the key; files already in the bucket keep their original SSE-S3 encryption.
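The following Terraform configuration is an added example and not code from the rule page or from GitGuardian. It shows the weak trail (no kms_key_id) next to a hardened one that encrypts log files with a customer-managed KMS key, together with the key policy and bucket policy CloudTrail needs to deliver logs. The bucket name, trail name, resource names and the `security-audit` role that is allowed to decrypt are assumptions.

```hcl
# Added example: CloudTrail log files encrypted with a customer-managed KMS key.
# Names (bucket, trail, security-audit role) are assumptions for illustration.

data "aws_caller_identity" "current" {}

# Log bucket. CloudTrail must be allowed to check the bucket ACL and to write
# objects under AWSLogs/<account-id>/ with bucket-owner-full-control.
resource "aws_s3_bucket" "trail" {
  bucket = "example-cloudtrail-logs-${data.aws_caller_identity.current.account_id}"
}

resource "aws_s3_bucket_policy" "trail" {
  bucket = aws_s3_bucket.trail.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AWSCloudTrailAclCheck"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:GetBucketAcl"
        Resource  = aws_s3_bucket.trail.arn
      },
      {
        Sid       = "AWSCloudTrailWrite"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.trail.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
        Condition = { StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" } }
      }
    ]
  })
}

# Customer-managed key. CloudTrail only gets to generate data keys (scoped to
# trails in this account via the encryption context) and describe the key;
# kms:Decrypt is granted separately to the principals that may read the logs.
resource "aws_kms_key" "cloudtrail" {
  description         = "Encrypts CloudTrail log files"
  enable_key_rotation = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "EnableKeyAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "AllowCloudTrailToEncryptLogs"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "kms:GenerateDataKey*"
        Resource  = "*"
        Condition = {
          StringLike = {
            "kms:EncryptionContext:aws:cloudtrail:arn" = "arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"
          }
        }
      },
      {
        Sid       = "AllowCloudTrailToDescribeKey"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "kms:DescribeKey"
        Resource  = "*"
      },
      {
        # Assumed role name: only this role can read the encrypted log files,
        # even if other principals can read objects from the bucket.
        Sid       = "AllowLogReadersToDecrypt"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/security-audit" }
        Action    = "kms:Decrypt"
        Resource  = "*"
        Condition = { "Null" = { "kms:EncryptionContext:aws:cloudtrail:arn" = "false" } }
      }
    ]
  })
}

# Weak configuration flagged by GG_IAC_0027: no kms_key_id, so log files are
# protected by SSE-S3 only and anyone with s3:GetObject on the bucket can read them.
# resource "aws_cloudtrail" "weak" {
#   name           = "org-trail"
#   s3_bucket_name = aws_s3_bucket.trail.id
# }

# Hardened configuration: log files are encrypted with the key above.
resource "aws_cloudtrail" "hardened" {
  name                       = "org-trail"
  s3_bucket_name             = aws_s3_bucket.trail.id
  kms_key_id                 = aws_kms_key.cloudtrail.arn
  enable_log_file_validation = true
  is_multi_region_trail      = true
  depends_on                 = [aws_s3_bucket_policy.trail]
}
```

After applying, a quick check is `aws cloudtrail get-trail --name org-trail`, whose output should carry the KmsKeyId of the key above; a principal that holds s3:GetObject on the bucket but no kms:Decrypt on that key then receives an AccessDenied when it tries to download a log object, which is the behaviour the rule is asking for.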

External documentation#