CloudTrail logs are not encrypted using AWS KMS-managed keys

Severity: HIGH
Exploitability: HIGH
Providers: AWS
Categories: DATA, PERMISSION

Description

CloudTrail logs record every action taken by a user, role or AWS service in the account as events. By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE-S3). Log files should additionally be encrypted with an AWS Key Management Service (AWS KMS) key, so that reading them requires kms:Decrypt permission on that key as well as access to the S3 bucket. This ensures only authorized users have access to the logs.

Impact

Potential data exposure: True
Visible in logs: False
User interaction required: False
Privileges required: True

If the S3 bucket holding the CloudTrail logs is compromised, an attacker could read the logs freely, since SSE-S3 alone decrypts them transparently for anyone with object access.

Remediation guidelines

Encrypt the CloudTrail logs using an AWS KMS key: set a KMS key on the trail, and make sure the key policy allows the CloudTrail service to encrypt with it.
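As an added example (not part of this page or of any vendor tool), the check that produces this finding and the two pieces of the remediation in Python against boto3-shaped data: detecting trails without a KmsKeyId in a DescribeTrails response, building the KMS key-policy statement CloudTrail needs, and attaching the key with update_trail. The trail names, account id and key ARN are constructed placeholders.

```python
"""Find CloudTrail trails not encrypted with a KMS key and show the remediation
pieces. SAMPLE_TRAILS is constructed sample data, not a real account."""
from __future__ import annotations
import json

# Constructed sample shaped like the 'trailList' returned by CloudTrail DescribeTrails.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "S3BucketName": "org-trail-logs",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"Name": "legacy-trail", "S3BucketName": "legacy-logs"},            # no KMS key
    {"Name": "empty-key-trail", "S3BucketName": "misc-logs", "KmsKeyId": ""},
]


def find_unencrypted_trails(trails: list[dict]) -> list[str]:
    """Return names of trails whose log files rely on SSE-S3 only.
    DescribeTrails omits KmsKeyId (or returns it empty) when no key is configured."""
    return [t["Name"] for t in trails if not t.get("KmsKeyId")]


def cloudtrail_key_policy_statement(account_id: str) -> dict:
    """Key-policy statement that lets the CloudTrail service encrypt with the key.
    The EncryptionContext condition limits use to trails in this account; human
    readers additionally need kms:Decrypt on the key to read the logs."""
    return {
        "Sid": "AllowCloudTrailToEncryptLogs",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "kms:GenerateDataKey*",
        "Resource": "*",
        "Condition": {"StringLike": {
            "kms:EncryptionContext:aws:cloudtrail:arn":
                f"arn:aws:cloudtrail:*:{account_id}:trail/*"}},
    }


def remediate(cloudtrail_client, trail_name: str, kms_key_arn: str) -> dict:
    """Attach the key to an existing trail via CloudTrail.Client.update_trail."""
    return cloudtrail_client.update_trail(Name=trail_name, KmsKeyId=kms_key_arn)


if __name__ == "__main__":
    # Live use: import boto3; trails = boto3.client("cloudtrail").describe_trails()["trailList"]
    for name in find_unencrypted_trails(SAMPLE_TRAILS):
        print(f"finding: trail {name!r} is not encrypted with a KMS key")
    print(json.dumps(cloudtrail_key_policy_statement("111122223333"), indent=2))
```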
