Table for CloudTrail Trails Not Encrypted with Customer KMS
This table provides an overview of important information regarding CloudTrail trails that are not encrypted with a customer-managed KMS key. It is intended for IT and Security Engineers responsible for ensuring compliance and security in cloud environments.

Aspect: Details

Issue:
    CloudTrail trails are not encrypted using a Customer Managed Key (CMK) from AWS KMS.

Impact:
    Potential exposure of sensitive audit logs to unauthorized access or tampering.

Recommended Action:
    Enable encryption for CloudTrail logs using a CMK to enhance security and access control.

Steps to Remediate:
    1. Identify CloudTrail trails without CMK encryption.
    2. Update the trail configuration to use a CMK for encryption.
    3. Ensure IAM policies allow CloudTrail to access the CMK.

Verification:
    Use the AWS Management Console, CLI, or SDK to verify the CMK encryption status of trails.

Tools:
    AWS Management Console, AWS CLI, AWS Config, Security Hub, or third-party compliance tools.

Compliance Standards:
    Ensures adherence to compliance frameworks such as PCI DSS, HIPAA, and SOC 2.

AWS Best Practices:
    Encrypt CloudTrail logs with a CMK to meet AWS security best practices.

Audit Commands:
    aws cloudtrail describe-trails --query 'trailList[*].KmsKeyId'

Log Verification:
    Check S3 bucket policies and KMS key usage in AWS CloudTrail event history.

Alerting:
    Configure AWS Config Rules or Security Hub findings to monitor non-compliant trails.
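The remediation steps above, worked as an added example that is not part of the original table: step 1 (find trails whose describe-trails record has no KmsKeyId) and step 3 (the key-policy statements CloudTrail needs on the CMK), with step 2 emitted as the update-trail command to run. The describe-trails JSON, account ID, trail names and key ARN are constructed sample values, and the CMK ARN is left as a placeholder.

```python
"""Check `aws cloudtrail describe-trails` output for trails lacking a CMK and
build the KMS key-policy statements CloudTrail requires before update-trail."""
import json

# Constructed sample of `aws cloudtrail describe-trails` output (not real data).
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {"Name": "org-trail", "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
         "S3BucketName": "example-trail-logs", "IsMultiRegionTrail": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
        {"Name": "dev-trail", "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/dev-trail",
         "S3BucketName": "example-dev-logs", "IsMultiRegionTrail": False},
        {"Name": "legacy-trail", "TrailARN": "arn:aws:cloudtrail:us-west-2:111122223333:trail/legacy-trail",
         "S3BucketName": "example-legacy-logs", "IsMultiRegionTrail": False, "KmsKeyId": ""},
    ]
})


def find_unencrypted_trails(describe_trails_json: str) -> list[str]:
    """Return ARNs of trails not encrypted with a KMS key (step 1).
    A missing or empty KmsKeyId means the trail's log files fall back to SSE-S3."""
    trails = json.loads(describe_trails_json).get("trailList", [])
    return [t["TrailARN"] for t in trails if not t.get("KmsKeyId")]


def cloudtrail_key_policy_statements(account_id: str, region: str, trail_name: str) -> list[dict]:
    """Key-policy statements the CMK needs for CloudTrail (step 3): generate data
    keys only for this trail's encryption context, and describe the key."""
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    return [
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {
             "StringEquals": {"aws:SourceArn": trail_arn},
             "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                            f"arn:aws:cloudtrail:*:{account_id}:trail/*"}}},
        {"Sid": "Allow CloudTrail to describe key", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:DescribeKey", "Resource": "*"},
    ]


if __name__ == "__main__":
    for arn in find_unencrypted_trails(SAMPLE_DESCRIBE_TRAILS):
        parts = arn.split(":")
        region, account, name = parts[3], parts[4], arn.rsplit("/", 1)[1]
        print(f"NON-COMPLIANT {arn}")
        # Step 2: run once the key policy below is attached to the CMK.
        print(f"  aws cloudtrail update-trail --name {name} --kms-key-id <CMK-ARN-PLACEHOLDER>")
        print(json.dumps(cloudtrail_key_policy_statements(account, region, name), indent=2))
```

Feed real output from `aws cloudtrail describe-trails` to `find_unencrypted_trails` to run the check against an account; the policy statements are the pattern AWS documents for CloudTrail and must be merged into the CMK's existing key policy, not used as the whole policy.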