Ensure that your CloudTrail log files are encrypted at rest with server-side encryption using AWS KMS-managed keys (SSE-KMS). This hardens the S3 bucket that holds the logs and gives you finer control over who in your organization can read them, because a reader must be allowed both to fetch the object from the bucket and to decrypt with the KMS key.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Encrypting CloudTrail log files with SSE-KMS adds a security layer that you manage directly through your KMS Customer Master Key (CMK), rather than relying on the S3-managed encryption keys (SSE-S3) that S3 applies by default. With SSE-KMS a principal can read a log file only if it has s3:GetObject on the bucket and kms:Decrypt on the key, and every decrypt is itself recorded as a KMS API call. The key policy must also allow the CloudTrail service to call kms:GenerateDataKey* (and kms:DescribeKey); without those statements the key cannot be attached to a trail.
Note: The CMK used must be in the same region as the S3 bucket that receives your CloudTrail log files.
To determine if your CloudTrail trails have the SSE-KMS encryption feature enabled, perform the following:
To enable SSE-KMS encryption for your CloudTrail log files, perform the following:
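As an added example (not part of this page or of the Cloud Conformity tool), the following Python script covers both procedures above: it flags trails whose `describe-trails` entry has no KmsKeyId, prints the `aws cloudtrail update-trail --kms-key-id` commands that would remediate them, and builds a KMS key policy containing the statements CloudTrail requires (kms:GenerateDataKey* and kms:DescribeKey for the CloudTrail service, kms:Decrypt for your log readers, scoped to trails in your own account through the aws:cloudtrail:arn encryption context). The sample describe-trails response, the account ID, the key ARN and the reader role ARN are constructed placeholders.

```python
"""Audit CloudTrail trails for SSE-KMS and build a key policy CloudTrail can use.

Added example, not Cloud Conformity tooling. Input shape matches the output of
`aws cloudtrail describe-trails` / boto3 describe_trails(): a trail encrypted
with SSE-KMS carries "KmsKeyId"; an SSE-S3 trail has no such field.
"""
import json
import sys

# Constructed sample response; the account, bucket and key IDs are placeholders.
SAMPLE_DESCRIBE_TRAILS = {
    "trailList": [
        {
            "Name": "org-trail",
            "S3BucketName": "org-cloudtrail-logs",
            "HomeRegion": "us-east-1",
            "IsMultiRegionTrail": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/"
                        "11111111-2222-3333-4444-555555555555",
        },
        {   # no KmsKeyId: log files land in S3 with SSE-S3 only
            "Name": "dev-trail",
            "S3BucketName": "dev-cloudtrail-logs",
            "HomeRegion": "us-east-1",
            "IsMultiRegionTrail": False,
        },
    ]
}


def trails_without_sse_kms(describe_trails_response):
    """Names of trails whose log files are not encrypted with a KMS key."""
    return [
        trail["Name"]
        for trail in describe_trails_response.get("trailList", [])
        if not trail.get("KmsKeyId")
    ]


def remediation_commands(describe_trails_response, kms_key_arn):
    """AWS CLI commands that attach the given key to every unencrypted trail."""
    return [
        f"aws cloudtrail update-trail --name {name} --kms-key-id {kms_key_arn}"
        for name in trails_without_sse_kms(describe_trails_response)
    ]


def cloudtrail_key_policy(account_id, log_reader_arn, key_admin_arn=None):
    """Key policy with the statements CloudTrail requires plus a reader grant.

    CloudTrail encrypts each log file under the encryption context
    aws:cloudtrail:arn = <trail ARN>; the conditions pin the key to trails in
    this account so a trail in another account cannot use it.
    """
    key_admin_arn = key_admin_arn or f"arn:aws:iam::{account_id}:root"
    trail_arn_pattern = f"arn:aws:cloudtrail:*:{account_id}:trail/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Without an administrator statement the key becomes unmanageable.
                "Sid": "Allow key administration",
                "Effect": "Allow",
                "Principal": {"AWS": key_admin_arn},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow CloudTrail to encrypt log files",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "kms:GenerateDataKey*",
                "Resource": "*",
                "Condition": {"StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": trail_arn_pattern}},
            },
            {
                "Sid": "Allow CloudTrail to describe the key",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "kms:DescribeKey",
                "Resource": "*",
            },
            {   # Readers still need s3:GetObject on the bucket; this is the second gate.
                "Sid": "Allow log readers to decrypt",
                "Effect": "Allow",
                "Principal": {"AWS": log_reader_arn},
                "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"kms:CallerAccount": account_id},
                    "StringLike": {
                        "kms:EncryptionContext:aws:cloudtrail:arn": trail_arn_pattern},
                },
            },
        ],
    }


if __name__ == "__main__":
    # Usage: aws cloudtrail describe-trails | python cloudtrail_sse_kms.py
    # With nothing piped in, the constructed sample is audited instead.
    response = SAMPLE_DESCRIBE_TRAILS if sys.stdin.isatty() else json.load(sys.stdin)
    key_arn = ("arn:aws:kms:us-east-1:123456789012:key/"
               "11111111-2222-3333-4444-555555555555")  # placeholder key ARN
    for name in trails_without_sse_kms(response):
        print(f"NOT COMPLIANT: {name} (no KmsKeyId, log files use SSE-S3)")
    for cmd in remediation_commands(response, key_arn):
        print(cmd)
    print(json.dumps(cloudtrail_key_policy(
        "123456789012", "arn:aws:iam::123456789012:role/SecurityAuditor"), indent=2))
```

Apply the generated policy with `aws kms put-key-policy --key-id <key> --policy-name default --policy file://policy.json` before running the update-trail commands; the key must live in the same region as the log bucket, as the note above states.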