Severity: Medium

Ensure CloudTrail logs are encrypted at rest

Security & Compliance
Description

By default, Amazon CloudTrail delivers log files to S3 encrypted with S3-managed keys (SSE-S3). Enabling SSE-KMS instead encrypts the log files with a KMS key that you manage (a customer managed key, formerly called a customer master key or CMK). The practical difference is access control: with SSE-S3, anyone who can read the bucket can read the logs, whereas with SSE-KMS a principal also needs kms:Decrypt on the key, so the key policy becomes a second, independently auditable gate on who in your organization can read CloudTrail log files. This rule flags trails that have no KMS key configured. Two things to check before switching a trail: the key policy must allow the CloudTrail service principal to call kms:GenerateDataKey* (scoped to the trail) and kms:DescribeKey, otherwise CloudTrail rejects the key; and every consumer of the logs (analysts, the SIEM's role, Athena) must be granted kms:Decrypt, or log ingestion will silently break.

Remediation
Enforced Resources
Note: Remediation steps provided by Lightlytics are suggestions and guidelines only. Verify and test any remediation step before applying it to a production environment. Each organization's infrastructure and security needs differ, and applying suggested steps without testing could cause unforeseen issues or vulnerabilities. Validate and customize any remediation step to meet your organization's specific requirements and confirm that it aligns with your security policies and best practices.
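The following is an added example, not Lightlytics code or part of the original page. It shows how to audit trails for this rule and what a suitable KMS key policy looks like: it evaluates the JSON shape returned by `aws cloudtrail describe-trails` to find trails without a KmsKeyId, builds a key policy with the statements AWS documents for CloudTrail keys (GenerateDataKey* and DescribeKey for the service principal, Decrypt for readers restricted by the CloudTrail encryption context), checks a policy for the service permission, and emits the `aws cloudtrail update-trail --kms-key-id` commands for the remediation. The account ID, trail names, key ARN and reader role are constructed placeholders, and the sample API output is constructed so the script runs offline.

```python
"""Audit CloudTrail trails for SSE-KMS and build/validate the KMS key policy.

Added example for this rule; not Lightlytics code. It works on the JSON shapes
returned by `aws cloudtrail describe-trails` and `aws kms get-key-policy`, so it
runs offline. Account ID, ARNs and names below are constructed placeholders.
"""
import json
from typing import Dict, List

# Constructed sample of `aws cloudtrail describe-trails` output.
SAMPLE_TRAILS = {
    "trailList": [
        {
            "Name": "org-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
            "S3BucketName": "org-trail-logs",
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        },
        {   # No KmsKeyId: log files use the default S3-managed keys (SSE-S3).
            "Name": "dev-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/dev-trail",
            "S3BucketName": "dev-trail-logs",
        },
    ]
}


def find_unencrypted_trails(describe_trails_output: Dict) -> List[str]:
    """Names of trails whose log files are not encrypted with SSE-KMS.

    CloudTrail reports KmsKeyId only when a KMS key is configured on the trail;
    a missing or empty value means SSE-S3 is in use.
    """
    return [t["Name"] for t in describe_trails_output.get("trailList", [])
            if not t.get("KmsKeyId")]


def cloudtrail_key_policy(trail_arn: str, reader_arn: str) -> Dict:
    """Minimal key policy: CloudTrail may encrypt with the key, reader_arn may decrypt.

    Mirrors the statement structure AWS documents for CloudTrail log keys. The
    decrypt statement only applies to ciphertext carrying the CloudTrail
    encryption context, so the reader cannot use the key for anything else.
    """
    account = trail_arn.split(":")[4]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "kms:GenerateDataKey*", "Resource": "*",
             "Condition": {
                 "StringEquals": {"aws:SourceArn": trail_arn},
                 "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                f"arn:aws:cloudtrail:*:{account}:trail/*"}}},
            {"Sid": "Allow CloudTrail to describe key", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "kms:DescribeKey", "Resource": "*"},
            {"Sid": "Allow log readers to decrypt CloudTrail files", "Effect": "Allow",
             "Principal": {"AWS": reader_arn},
             "Action": "kms:Decrypt", "Resource": "*",
             "Condition": {"Null": {"kms:EncryptionContext:aws:cloudtrail:arn": "false"}}},
        ],
    }


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def policy_allows_cloudtrail(policy: Dict) -> bool:
    """True if an Allow statement lets cloudtrail.amazonaws.com generate data keys.

    Without it, `update-trail --kms-key-id` is rejected by CloudTrail.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action", []))
        if "cloudtrail.amazonaws.com" in services and any(
                a in ("kms:*", "kms:GenerateDataKey*", "kms:GenerateDataKey") for a in actions):
            return True
    return False


def remediation_commands(trail_names: List[str], key_id: str) -> List[str]:
    """AWS CLI commands that switch each listed trail to SSE-KMS with key_id."""
    return [f"aws cloudtrail update-trail --name {n} --kms-key-id {key_id}" for n in trail_names]


if __name__ == "__main__":
    missing = find_unencrypted_trails(SAMPLE_TRAILS)
    policy = cloudtrail_key_policy(SAMPLE_TRAILS["trailList"][1]["TrailARN"],
                                   "arn:aws:iam::111122223333:role/SecurityAudit")
    print("trails without SSE-KMS:", missing)
    print(json.dumps(policy, indent=2))
    for cmd in remediation_commands(missing, "alias/cloudtrail-logs"):
        print(cmd)
```

Apply the key policy with `aws kms put-key-policy --policy-name default` before running the update-trail commands; CloudTrail validates the policy when the key is attached, so doing it in the other order fails. Keep the `aws:SourceArn` condition: it prevents a trail in another account from using your key even if that account's CloudTrail is granted the same service principal.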