Ensure that your CloudTrail log files are encrypted at rest with server-side encryption using AWS KMS keys (SSE-KMS) rather than the default S3-managed keys (SSE-S3). SSE-KMS strengthens the security of the CloudTrail bucket and gives you finer control over who can read the log files in your organization: a reader must have s3:GetObject on the bucket and kms:Decrypt on the key, so access can be restricted through the key policy in addition to bucket and IAM policies.
CloudTrail log files are always encrypted at rest; what SSE-KMS changes is who controls the key. With SSE-KMS the encryption is managed by you through your KMS keys (formerly called customer master keys, CMKs) instead of being handled transparently by S3 with SSE-S3. The KMS key's policy must allow the cloudtrail.amazonaws.com service principal to call kms:GenerateDataKey* (ideally scoped with a kms:EncryptionContext:aws:cloudtrail:arn condition so the key can only be used for your trails), and must grant kms:Decrypt to the principals that are allowed to read the logs. Note: the KMS key used must be in the same region as the S3 bucket that receives your CloudTrail log files.
To determine if your CloudTrail trails have the SSE-KMS encryption feature enabled, perform the following:
To enable SSE-KMS encryption for your CloudTrail log files, perform the following:
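The following is an added example, not part of the original benchmark text, that works through both the audit and the remediation above in one place. It evaluates trail descriptions shaped like the trailList of `aws cloudtrail describe-trails` (the sample trails, bucket regions, account ID and key ARNs are constructed placeholders), flags trails with no KmsKeyId or with a key in a different region from the bucket, builds the KMS key policy CloudTrail needs (including the encryption-context condition), and emits the `aws cloudtrail update-trail --kms-key-id` commands that enable SSE-KMS on the failing trails. In practice the trail list would come from boto3 `describe_trails()` and the bucket regions from `get-bucket-location`.

```python
"""Audit CloudTrail trails for SSE-KMS and build the remediation.

Added example, not the benchmark's own procedure. All ARNs, account IDs,
bucket names and regions below are constructed placeholders.
"""
import json

# Constructed sample in the shape of `aws cloudtrail describe-trails` trailList.
SAMPLE_TRAILS = [
    {
        "Name": "management-events",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/management-events",
        "HomeRegion": "us-east-1",
        "S3BucketName": "example-cloudtrail-logs",
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    },
    {
        # No KmsKeyId: log files are written with SSE-S3 only.
        "Name": "legacy-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-trail",
        "HomeRegion": "us-east-1",
        "S3BucketName": "legacy-logs",
    },
    {
        # Key is in us-east-1 but the bucket is in eu-west-1 (constructed mismatch).
        "Name": "wrong-region-key",
        "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/wrong-region-key",
        "HomeRegion": "eu-west-1",
        "S3BucketName": "eu-logs",
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaa1111-22bb-33cc-44dd-555566667777",
    },
]

# Constructed: bucket -> region, as `aws s3api get-bucket-location` would report.
SAMPLE_BUCKET_REGIONS = {
    "example-cloudtrail-logs": "us-east-1",
    "legacy-logs": "us-east-1",
    "eu-logs": "eu-west-1",
}


def kms_key_region(key_arn):
    """Region field of a KMS key ARN: arn:partition:kms:region:account:key/id."""
    parts = key_arn.split(":")
    if len(parts) < 6 or parts[2] != "kms":
        raise ValueError(f"not a KMS key ARN: {key_arn}")
    return parts[3]


def audit_trails(trails, bucket_regions):
    """Return {trail name: finding} for every trail that fails the SSE-KMS check."""
    findings = {}
    for t in trails:
        key = t.get("KmsKeyId")
        if not key:
            findings[t["Name"]] = "no KmsKeyId: log files use SSE-S3"
            continue
        # describe-trails returns the key ARN; only then can the region be checked.
        if key.startswith("arn:"):
            key_region = kms_key_region(key)
            bucket_region = bucket_regions.get(t["S3BucketName"])
            if bucket_region and key_region != bucket_region:
                findings[t["Name"]] = (
                    f"KMS key is in {key_region} but bucket is in {bucket_region}"
                )
    return findings


def cloudtrail_key_policy(account_id, reader_arns):
    """Key policy CloudTrail requires, plus a decrypt grant for named log readers.

    The kms:EncryptionContext:aws:cloudtrail:arn conditions tie the permissions to
    CloudTrail log files of this account, so the key cannot be used to encrypt or
    decrypt arbitrary data.
    """
    statements = [
        {"Sid": "Enable IAM policies", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {"StringLike": {
             "kms:EncryptionContext:aws:cloudtrail:arn":
                 f"arn:aws:cloudtrail:*:{account_id}:trail/*"}}},
        {"Sid": "Allow CloudTrail to describe key", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:DescribeKey", "Resource": "*"},
        {"Sid": "Allow log readers to decrypt CloudTrail log files", "Effect": "Allow",
         "Principal": {"AWS": list(reader_arns)},
         "Action": "kms:Decrypt", "Resource": "*",
         "Condition": {"Null": {"kms:EncryptionContext:aws:cloudtrail:arn": "false"}}},
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def remediation_commands(trails, findings, key_arns_by_region, bucket_regions):
    """CLI commands that attach a same-region key to each failing trail.

    update-trail must run in the trail's home region, hence --region.
    """
    cmds = []
    for t in trails:
        if t["Name"] not in findings:
            continue
        key = key_arns_by_region[bucket_regions[t["S3BucketName"]]]
        cmds.append(f"aws cloudtrail update-trail --region {t['HomeRegion']} "
                    f"--name {t['Name']} --kms-key-id {key}")
    return cmds


if __name__ == "__main__":
    findings = audit_trails(SAMPLE_TRAILS, SAMPLE_BUCKET_REGIONS)
    for name, why in findings.items():
        print(f"FAIL {name}: {why}")
    keys = {"us-east-1": SAMPLE_TRAILS[0]["KmsKeyId"],
            "eu-west-1": "arn:aws:kms:eu-west-1:111122223333:key/bbbb2222-33cc-44dd-55ee-666677778888"}
    print("\n".join(remediation_commands(SAMPLE_TRAILS, findings, keys, SAMPLE_BUCKET_REGIONS)))
    print(json.dumps(cloudtrail_key_policy("111122223333",
                                           ["arn:aws:iam::111122223333:role/SecurityAudit"]), indent=2))
```

Apply the key policy with `aws kms put-key-policy` before running the update-trail commands; if the key policy lacks the GenerateDataKey grant for cloudtrail.amazonaws.com, update-trail fails rather than silently leaving the trail on SSE-S3.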