CloudWiki
Rules
High

Ensure S3 buckets for CloudTrail logs are encrypted at rest

Security & Compliance
Description

CloudTrail log files delivered to an S3 bucket are encrypted at rest by default, but with S3-managed keys (SSE-S3), so anyone who can read the bucket can read the logs. This rule requires that CloudTrail logs instead be encrypted with server-side encryption using AWS Key Management Service (SSE-KMS) and a customer managed KMS key (formerly called a customer master key, CMK). With SSE-KMS you own the key policy, so reading a log file requires both s3:GetObject on the bucket and kms:Decrypt on the key: a second, independently managed authorization check over who in your organization can read CloudTrail log files. You also decide when the key is rotated or disabled, and every use of the key (GenerateDataKey on delivery, Decrypt on read) is itself recorded in CloudTrail, which SSE-S3 does not give you. Note that SSE-KMS controls who can decrypt the logs; it does not by itself prevent deletion or tampering of log objects, which is covered by bucket permissions and log file validation.

Remediation

To ensure that S3 buckets for CloudTrail logs are encrypted at rest, you can follow these remediation steps:

  1. Review the current encryption settings: Run aws cloudtrail describe-trails and look at the KmsKeyId field of each trail; if it is absent, that trail delivers log files with SSE-S3 only. Then run aws s3api get-bucket-encryption --bucket <bucket> to see the bucket's default encryption. CloudTrail never delivers log files unencrypted, so the finding is about which key protects them, not whether they are encrypted at all.
  2. Enable Server-Side Encryption using SSE-KMS: Create a customer managed KMS key in the same Region as the log bucket (or a multi-Region key) whose key policy allows cloudtrail.amazonaws.com to call kms:GenerateDataKey* for your trails and allows your log readers to call kms:Decrypt, then attach it to the trail with aws cloudtrail update-trail --name <trail> --kms-key-id <key-arn>. Only log files delivered after the change use the new key; objects already in the bucket keep SSE-S3 unless you re-copy them.
  3. Configure the S3 bucket: Set the bucket's default encryption to SSE-KMS with the same key, and add a bucket policy statement that denies s3:PutObject when the s3:x-amz-server-side-encryption request header is not aws:kms. Apply that deny only after step 2 and confirm that new log files keep arriving: a trail with no KMS key configured will be rejected by the statement and delivery will fail (visible as LatestDeliveryError in aws cloudtrail get-trail-status).
  4. Use AWS Config rules: The managed rules cloud-trail-encryption-enabled and s3-bucket-server-side-encryption-enabled flag trails and buckets that drift out of compliance, so a later change to the trail or bucket is detected rather than discovered during an investigation.
  5. Monitor access to the logs: Enable S3 server access logging or CloudTrail data events on the log bucket to record who reads log objects, and review kms:Decrypt events against the CloudTrail key in CloudTrail itself; with SSE-KMS a read of a log file is attributable to the principal that decrypted it (with S3 Bucket Keys enabled, data keys are cached per bucket, so there are fewer KMS events than object reads).
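The procedure above, as an added example that is not Lightlytics' code or part of the original page: it builds the KMS key policy CloudTrail needs, the bucket policy statement that refuses non-SSE-KMS uploads, and a Config-style check over the output of describe_trails and get_bucket_encryption. The account id, trail name, bucket name and key ARN are placeholders, and the API responses at the bottom are constructed samples, so the script runs offline; apply the generated JSON with the AWS CLI commands from the steps above.

```python
"""Added example (not Lightlytics code): build the KMS key policy and the S3
bucket policy needed for SSE-KMS CloudTrail delivery, and check a trail plus
its bucket the way a Config-style rule would. All identifiers are
placeholders; the API responses at the bottom are constructed samples."""
import json
from typing import Optional

ACCOUNT_ID = "111122223333"                      # assumption: placeholder account id
REGION = "us-east-1"
TRAIL_NAME = "org-trail"                         # assumption: placeholder trail name
BUCKET = "example-cloudtrail-logs"               # assumption: placeholder bucket name
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
TRAIL_ARN = f"arn:aws:cloudtrail:{REGION}:{ACCOUNT_ID}:trail/{TRAIL_NAME}"


def cloudtrail_key_policy(account_id: str, trail_arn: str) -> dict:
    """Key policy for the customer managed key. CloudTrail may only generate
    data keys for this trail (scoped by aws:SourceArn and the encryption
    context CloudTrail sets); decrypting a log file additionally requires a
    caller in this account holding kms:Decrypt in its own IAM policy, which
    is the second authorization check SSE-S3 cannot provide."""
    ctx = {"kms:EncryptionContext:aws:cloudtrail:arn": f"arn:aws:cloudtrail:*:{account_id}:trail/*"}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableIAMPermissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowCloudTrailToEncryptLogs", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}, "StringLike": ctx}},
        {"Sid": "AllowCloudTrailToDescribeKey", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:DescribeKey", "Resource": "*"},
        {"Sid": "AllowLogReadersInAccountToDecrypt", "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": ["kms:Decrypt", "kms:ReEncryptFrom"], "Resource": "*",
         "Condition": {"StringEquals": {"kms:CallerAccount": account_id}, "StringLike": ctx}},
    ]}


def deny_unencrypted_puts(bucket: str) -> dict:
    """Statement to add beside CloudTrail's own delivery statements: any
    PutObject that does not request SSE-KMS is refused. StringNotEquals also
    matches when the header is absent, so plain and SSE-S3 uploads are both
    denied. Apply it only once the trail has a KMS key configured."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyPutObjectWithoutSSEKMS", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ]}


def check_encryption(trail: dict, bucket_encryption: Optional[dict], expected_key_arn: str) -> list:
    """Evaluate one describe_trails entry and the matching get_bucket_encryption
    result (None when the bucket has no default encryption configured).
    An empty list means compliant."""
    findings = []
    key = trail.get("KmsKeyId")            # absent when the trail delivers with SSE-S3
    if not key:
        findings.append(f"trail {trail['Name']}: no KmsKeyId, logs delivered with SSE-S3 only")
    elif key != expected_key_arn:
        findings.append(f"trail {trail['Name']}: unexpected key {key}")
    rules = (bucket_encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    if default.get("SSEAlgorithm") != "aws:kms":
        findings.append(f"bucket {trail['S3BucketName']}: default encryption is "
                        f"{default.get('SSEAlgorithm', 'none')}, not aws:kms")
    return findings


# Constructed sample API responses (shape of describe_trails / get_bucket_encryption).
NONCOMPLIANT_TRAIL = {"Name": TRAIL_NAME, "S3BucketName": BUCKET}      # no KmsKeyId
COMPLIANT_TRAIL = {**NONCOMPLIANT_TRAIL, "KmsKeyId": KEY_ARN}
SSE_S3_BUCKET = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SSE_KMS_BUCKET = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN},
     "BucketKeyEnabled": True}]}}

if __name__ == "__main__":
    print(json.dumps(cloudtrail_key_policy(ACCOUNT_ID, TRAIL_ARN), indent=2))
    print(json.dumps(deny_unencrypted_puts(BUCKET), indent=2))
    for trail, bucket in ((NONCOMPLIANT_TRAIL, SSE_S3_BUCKET), (COMPLIANT_TRAIL, SSE_KMS_BUCKET)):
        print(trail["Name"], check_encryption(trail, bucket, KEY_ARN) or ["compliant"])
```

Save the first JSON document and pass it to aws kms create-key --policy file://key-policy.json, attach the key with aws cloudtrail update-trail --name org-trail --kms-key-id <key-arn>, set the bucket default with aws s3api put-bucket-encryption, merge the deny statement into the existing bucket policy with aws s3api put-bucket-policy, and then feed the real describe-trails and get-bucket-encryption output to check_encryption to confirm the finding has cleared. The key policy deliberately grants CloudTrail only GenerateDataKey and DescribeKey: CloudTrail never needs Decrypt, so a compromised delivery path cannot be used to read historic logs.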
Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.