CloudTrail log files should be encrypted using KMS CMKs


By default, the log files delivered by CloudTrail to your bucket are encrypted with Amazon S3-managed encryption keys (SSE-S3). To get control over key rotation and obtain auditing visibility into key usage, use SSE-KMS to encrypt your log files.

Console Remediation Steps

  • Navigate to CloudTrail.

  • In the left navigation, select Trails.

  • Click on a Trail.

  • Click the pencil icon to edit the Storage location section.

  • In Encrypt log files with SSE-KMS, select Yes.

  • In Create a new KMS key, select Yes or use an existing key.

  • Enter a name for the KMS key, if applicable.

  • Click Save.

CLI Remediation Steps

  • Create a new KMS key to use for CloudTrail encryption. If you already have a key you wish to use, skip this step.

    • aws kms create-key

  • Update the KMS key policy to provide the necessary permissions.

    • aws kms put-key-policy --key-id "<key-arn>" --policy-name default --policy '{
        "Version": "2012-10-17",
        "Id": "key-default-1",
        "Statement": [
          {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::<aws-account-number>:root"},
            "Action": "kms:*",
            "Resource": "*"
          },
          {
            "Sid": "Allow CloudTrail to encrypt logs",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            "Condition": {
              "StringLike": {
                "kms:EncryptionContext:aws:cloudtrail:arn": ["arn:aws:cloudtrail:*:<aws-account-number>:trail/*"]
              }
            }
          },
          {
            "Sid": "Enable CloudTrail log decrypt permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::<aws-account-number>:<role-or-user>/<role-name-or-user-name>"},
            "Action": "kms:Decrypt",
            "Resource": "*",
            "Condition": {
              "Null": {"kms:EncryptionContext:aws:cloudtrail:arn": "false"}
            }
          },
          {
            "Sid": "Allow CloudTrail access",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "kms:DescribeKey",
            "Resource": "*"
          }
        ]
      }'

      The two CloudTrail statements must name the service principal cloudtrail.amazonaws.com; with an empty "Service" value the policy is rejected or CloudTrail cannot obtain data keys, and log delivery to the bucket fails once the trail is switched to SSE-KMS. The StringLike condition scopes key use to trails in your own account, and the Null condition on the decrypt statement limits the reader principal to decrypting CloudTrail-produced objects rather than anything encrypted under the key.

  • Update the trail configuration with the KMS key ID.

    • aws cloudtrail update-trail --name france --kms-key-id "<key-arn>" --s3-bucket-name <bucket-name>
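The following is an added example, not code from the original page: it audits the JSON that `aws cloudtrail describe-trails` returns for trails still on the SSE-S3 default, builds the key policy document the put-key-policy step above expects, and checks that a policy actually grants CloudTrail the GenerateDataKey permission under a trail-scoped encryption context (the check fails on an empty "Service" principal). The sample describe-trails output, the account id 123456789012, the role arn:aws:iam::123456789012:role/LogReaders and the key ARN are constructed placeholders; in practice feed it the real CLI output.

```python
"""Audit CloudTrail trails for SSE-KMS and build/validate the KMS key policy.

Added example, not part of the original remediation page. It runs offline on
constructed sample data shaped like `aws cloudtrail describe-trails` output.
"""
import json

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"
ENCRYPTION_CONTEXT_KEY = "kms:EncryptionContext:aws:cloudtrail:arn"

# Constructed sample: one trail already on SSE-KMS, one still on the SSE-S3 default.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {"Name": "audit-prod", "S3BucketName": "prod-trail-logs", "HomeRegion": "us-east-1",
         "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"},
        {"Name": "france", "S3BucketName": "eu-trail-logs", "HomeRegion": "eu-west-3"},
    ]
})


def find_unencrypted_trails(describe_trails_json: str) -> list:
    """Names of trails with no KmsKeyId, i.e. whose log files fall back to SSE-S3."""
    trails = json.loads(describe_trails_json).get("trailList", [])
    return [t["Name"] for t in trails if not t.get("KmsKeyId")]


def build_key_policy(account_id: str, decrypt_principal_arn: str) -> dict:
    """Key policy with the four statements from the put-key-policy step.

    CloudTrail's statements use the service principal and the encryption-context
    condition that restricts GenerateDataKey to trails in this account.
    """
    trail_arn_pattern = f"arn:aws:cloudtrail:*:{account_id}:trail/*"
    return {
        "Version": "2012-10-17",
        "Id": "key-default-1",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_SERVICE},
             "Action": "kms:GenerateDataKey*", "Resource": "*",
             "Condition": {"StringLike": {ENCRYPTION_CONTEXT_KEY: [trail_arn_pattern]}}},
            {"Sid": "Enable CloudTrail log decrypt permissions", "Effect": "Allow",
             "Principal": {"AWS": decrypt_principal_arn},
             "Action": "kms:Decrypt", "Resource": "*",
             # Null=false: only requests that carry the CloudTrail encryption context.
             "Condition": {"Null": {ENCRYPTION_CONTEXT_KEY: "false"}}},
            {"Sid": "Allow CloudTrail access", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_SERVICE},
             "Action": "kms:DescribeKey", "Resource": "*"},
        ],
    }


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def key_policy_allows_cloudtrail(policy: dict) -> bool:
    """True if some Allow statement lets cloudtrail.amazonaws.com generate data
    keys and is scoped by a StringLike condition on the trail encryption context."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        scoped = ENCRYPTION_CONTEXT_KEY in stmt.get("Condition", {}).get("StringLike", {})
        if CLOUDTRAIL_SERVICE in services and scoped and any(
                a in ("kms:GenerateDataKey*", "kms:*") for a in actions):
            return True
    return False


def remediation_commands(trail_names: list, key_arn: str) -> list:
    """The update-trail command from the page, one per non-compliant trail."""
    return [f'aws cloudtrail update-trail --name {n} --kms-key-id "{key_arn}"' for n in trail_names]


if __name__ == "__main__":
    todo = find_unencrypted_trails(SAMPLE_DESCRIBE_TRAILS)
    policy = build_key_policy("123456789012", "arn:aws:iam::123456789012:role/LogReaders")
    print("policy grants CloudTrail data-key access:", key_policy_allows_cloudtrail(policy))
    for cmd in remediation_commands(todo, "<key-arn>"):
        print(cmd)
```

Run `find_unencrypted_trails` over `aws cloudtrail describe-trails --output json` first so the key policy and update-trail step are applied to every trail that needs them, and run `key_policy_allows_cloudtrail` over `aws kms get-key-policy --policy-name default` before switching a trail, since a trail pointed at a key CloudTrail cannot use stops delivering logs silently from the bucket's point of view.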