The log files in CloudTrail are not encrypted with KMS

ID

aws_cloudtrail_log_encrypted

Severity

low

Vendor

AWS

Resource

Encryption

Tags

reachable

Description

The log files in CloudTrail are not encrypted with KMS. Ensure that your CloudTrail trail encrypts its log files with KMS so that an unauthorized user cannot read the logs in plain text.

To fix it, you must configure the kms_key_id property.

Learn more about this topic in the AWS documentation on CloudTrail log files.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create
      amazon.aws.cloudtrail:
        state: present
        name: default
        s3_bucket_name: mylogbucket
        region: us-east-1
        is_multi_region_trail: true
        enable_log_file_validation: true
        cloudwatch_logs_role_arn: "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role"
        cloudwatch_logs_log_group_arn: "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*"
        # no kms_key_id: the delivered log files are not KMS-encrypted, so this task is flagged
        tags:
          environment: dev
          Name: default

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create
      amazon.aws.cloudtrail:
        state: present
        name: default
        s3_bucket_name: mylogbucket
        region: us-east-1
        is_multi_region_trail: true
        enable_log_file_validation: true
        cloudwatch_logs_role_arn: "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role"
        cloudwatch_logs_log_group_arn: "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*"
        # kms_key_id selects the KMS key (here by alias) used to encrypt the log files
        kms_key_id: "alias/MyAliasName"
        tags:
          environment: dev
          Name: default
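The following is an added example of how the check behind this rule can be expressed in code; it is not the rule engine's own implementation. It walks an Ansible playbook (including tasks nested in block/rescue/always), finds amazon.aws.cloudtrail tasks that create a trail, and reports each one that omits kms_key_id. The two sample playbooks are constructed in-line as the Python structures that yaml.safe_load would return for the playbooks above, so the script runs without PyYAML; the optional check_file entry point assumes PyYAML is installed.

```python
"""Flag amazon.aws.cloudtrail tasks that create a trail without kms_key_id.

Added example mirroring rule aws_cloudtrail_log_encrypted; not the rule
engine's own code. Sample playbooks are constructed in-line.
"""
from typing import Any, Dict, Iterable, List

RULE_ID = "aws_cloudtrail_log_encrypted"
# Fully qualified collection name plus the legacy short module name.
MODULE_NAMES = ("amazon.aws.cloudtrail", "cloudtrail")


def _expand(task: Dict[str, Any]) -> Iterable[Dict[str, Any]]:
    """Yield leaf tasks, descending into block/rescue/always containers."""
    if "block" in task:
        for key in ("block", "rescue", "always"):
            for sub in task.get(key) or []:
                yield from _expand(sub)
    else:
        yield task


def iter_tasks(play: Dict[str, Any]) -> Iterable[Dict[str, Any]]:
    """Yield every task of a play from all task-bearing sections."""
    for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
        for task in play.get(section) or []:
            yield from _expand(task)


def check_playbook(playbook: List[Dict[str, Any]]) -> List[str]:
    """Return one finding per CloudTrail task that creates an unencrypted trail."""
    findings: List[str] = []
    for play in playbook:
        for task in iter_tasks(play):
            module = next((m for m in MODULE_NAMES if m in task), None)
            if module is None:
                continue
            args = task[module]
            if not isinstance(args, dict):
                continue  # free-form string arguments; nothing to inspect
            if args.get("state", "present") != "present":
                continue  # removing a trail has nothing to encrypt
            if not args.get("kms_key_id"):
                findings.append(
                    f"{RULE_ID}: task '{task.get('name', '<unnamed>')}' creates "
                    f"trail '{args.get('name')}' without kms_key_id"
                )
    return findings


def check_file(path: str) -> List[str]:
    """Load a playbook from disk with PyYAML (assumed installed) and check it."""
    import yaml  # PyYAML; only required for this entry point

    with open(path, encoding="utf-8") as fh:
        return check_playbook(yaml.safe_load(fh) or [])


def _trail_task(**extra: Any) -> Dict[str, Any]:
    """Constructed sample task with the same arguments as the page's playbooks."""
    args: Dict[str, Any] = {
        "state": "present",
        "name": "default",
        "s3_bucket_name": "mylogbucket",
        "region": "us-east-1",
        "is_multi_region_trail": True,
        "enable_log_file_validation": True,
    }
    args.update(extra)
    return {"name": "create", "amazon.aws.cloudtrail": args}


# Constructed samples: the vulnerable playbook and the fixed one.
UNENCRYPTED_PLAYBOOK = [
    {"name": "Example playbook", "hosts": "localhost", "tasks": [_trail_task()]}
]
ENCRYPTED_PLAYBOOK = [
    {"name": "Example playbook", "hosts": "localhost",
     "tasks": [_trail_task(kms_key_id="alias/MyAliasName")]}
]

if __name__ == "__main__":
    for label, playbook in (("unencrypted", UNENCRYPTED_PLAYBOOK),
                            ("encrypted", ENCRYPTED_PLAYBOOK)):
        print(label, check_playbook(playbook) or ["no findings"])
```

The check only verifies that kms_key_id is set; it cannot tell whether the alias resolves to a key in the trail's account and region, or whether that key's policy lets the CloudTrail service principal use it, both of which are required before log delivery with SSE-KMS actually succeeds.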