AWS Cloudtrail

CloudTrail Encryption Disabled

This plugin ensures that CloudTrail logs are encrypted at rest

Risk Level: MEDIUM

Description:

This plugin ensures that CloudTrail logs are encrypted at rest. CloudTrail log files contain sensitive account information and should be encrypted at rest for added security.


Recommended Action: Enable CloudTrail log encryption through the CloudTrail console or API.

About the Service:

AWS CloudTrail is an AWS service that allows you to manage your AWS account's governance, compliance, operational, and risk auditing. In CloudTrail, actions done by a user, role, or AWS service are recorded as events. Actions made in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs are all considered events.

Impact:

Enabling SSE-KMS encryption for CloudTrail log files will provide a strong security layer that you can control directly using your KMS Customer Master Keys (CMK), rather than leaving S3 to manage it by default using S3-managed encryption keys (SSE-S3).

Steps to reproduce:

  1. Sign in to your AWS management console.
  2. Navigate to the CloudTrail dashboard at: https://console.aws.amazon.com/cloudtrail/
  3. On the left panel, select Trails.
  4. Look for the trail you want to examine.
  5. Copy the name of the S3 bucket associated with it.
  6. Visit the S3 dashboard and search for the copied S3 bucket name.
  7. Click on it and visit the Properties dashboard.
  8. Scroll down to the Default Encryption panel and check for its status.
  9. If the feature status is disabled, the selected trail does not use SSE-KMS encryption for its log files.

Steps for remediation:

  1. Sign in to your AWS management console.
  2. Navigate to the CloudTrail dashboard at: https://console.aws.amazon.com/cloudtrail/
  3. On the left panel, select Trails.
  4. Look for the trail you want to examine.
  5. Copy the name of the S3 bucket associated with it.
  6. Visit the S3 dashboard and search for the copied S3 bucket name.
  7. Click on it and visit the Properties dashboard.
  8. Scroll down to the Default Encryption panel and click on Edit.
  9. Click on Enable to enable server-side encryption and select an encryption key type for the same.
  10. Click Save to enable SSE-KMS encryption.
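The two console procedures above (detecting trails whose log files are not protected by SSE-KMS, and enabling encryption) can also be performed programmatically. The following Python script is an added example, not the plugin's own code: it evaluates each trail's `KmsKeyId` (the setting CloudTrail itself uses for SSE-KMS) and, as supporting context, the default-encryption configuration of the trail's S3 bucket, then offers a remediation helper built on `update_trail`. The trail names, bucket names and key ARN in the sample data are constructed placeholders; the `boto3` calls (`describe_trails`, `get_bucket_encryption`, `update_trail`) are real AWS SDK operations, and the live-scan helpers only run when boto3 and AWS credentials are available.

```python
"""Check CloudTrail trails for SSE-KMS log encryption and remediate via the API.

Added example (not part of the original plugin). Evaluation logic is pure so it
runs offline against constructed sample data; live helpers need boto3 + credentials.
"""
from typing import Dict, List, Optional

try:  # boto3 is only needed for the live scan / remediation helpers
    import boto3
    from botocore.exceptions import ClientError
except ImportError:  # pragma: no cover - allows the offline evaluation to run without boto3
    boto3 = None
    ClientError = Exception


def bucket_default_algorithm(bucket_encryption: Optional[dict]) -> Optional[str]:
    """Return the SSEAlgorithm of a bucket's default-encryption rule, or None.

    bucket_encryption is the ServerSideEncryptionConfiguration dict returned by
    s3.get_bucket_encryption, or None when the bucket has no default encryption.
    """
    if not bucket_encryption:
        return None
    for rule in bucket_encryption.get("Rules", []):
        alg = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if alg:
            return alg
    return None


def evaluate_trail(trail: dict, bucket_encryption: Optional[dict]) -> dict:
    """Produce a finding for one trail (an element of describe_trails()['trailList']).

    PASS only when the trail itself carries a KmsKeyId: that is what makes CloudTrail
    write log files with SSE-KMS. Bucket-level default encryption is reported for
    context but does not satisfy the check on its own (SSE-S3 / AES256 is the S3
    default CloudTrail already uses, and a bucket rule is not a trail setting).
    """
    kms_key = trail.get("KmsKeyId")
    bucket_alg = bucket_default_algorithm(bucket_encryption)
    finding = {
        "trail": trail.get("Name"),
        "bucket": trail.get("S3BucketName"),
        "trail_kms_key": kms_key,
        "bucket_default_encryption": bucket_alg,
    }
    if kms_key:
        finding["status"] = "PASS"
        finding["message"] = f"log files encrypted with SSE-KMS key {kms_key}"
    else:
        finding["status"] = "FAIL"
        finding["message"] = (
            "trail has no KmsKeyId; bucket default encryption is "
            f"{bucket_alg or 'not configured'}"
        )
    return finding


# Constructed sample data: three trails with different encryption postures.
SAMPLE_TRAILS: List[dict] = [
    {"Name": "mgmt-events", "S3BucketName": "example-trail-logs",
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID"},
    {"Name": "legacy-trail", "S3BucketName": "example-legacy-logs"},
    {"Name": "sse-s3-only", "S3BucketName": "example-aes256-logs"},
]
SAMPLE_BUCKET_ENCRYPTION: Dict[str, Optional[dict]] = {
    "example-trail-logs": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "PLACEHOLDER-KEY-ID"}}]},
    "example-legacy-logs": None,  # get_bucket_encryption would raise ...NotFoundError
    "example-aes256-logs": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"}}]},
}


def evaluate_sample() -> List[dict]:
    """Run the check over the constructed sample data (no AWS calls)."""
    return [evaluate_trail(t, SAMPLE_BUCKET_ENCRYPTION.get(t["S3BucketName"]))
            for t in SAMPLE_TRAILS]


def scan_account(region: str = "us-east-1") -> List[dict]:
    """Live version of the 'Steps to reproduce': evaluate every trail in the account."""
    if boto3 is None:
        raise RuntimeError("boto3 is required for a live scan")
    ct = boto3.client("cloudtrail", region_name=region)
    s3 = boto3.client("s3")
    findings = []
    for trail in ct.describe_trails(includeShadowTrails=False)["trailList"]:
        enc = None
        try:
            enc = s3.get_bucket_encryption(Bucket=trail["S3BucketName"])[
                "ServerSideEncryptionConfiguration"]
        except ClientError as exc:  # no default encryption configured on the bucket
            if exc.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
                raise
        findings.append(evaluate_trail(trail, enc))
    return findings


def enable_trail_encryption(trail_name: str, kms_key_id: str, region: str = "us-east-1") -> dict:
    """Live remediation: attach a KMS key to the trail so new log files use SSE-KMS.

    The key policy must grant CloudTrail permission to use the key, otherwise
    update_trail is rejected by the service.
    """
    if boto3 is None:
        raise RuntimeError("boto3 is required for remediation")
    ct = boto3.client("cloudtrail", region_name=region)
    return ct.update_trail(Name=trail_name, KmsKeyId=kms_key_id)


if __name__ == "__main__":
    for f in evaluate_sample():
        print(f"{f['status']:4} {f['trail']:<14} {f['message']}")
```

Running the script offline prints one line per sample trail; only `mgmt-events` passes, while `sse-s3-only` fails despite its bucket having AES256 default encryption, which illustrates why the trail's own `KmsKeyId` is the property to audit rather than the bucket panel alone.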

References: