CloudTrail Log Files Not Encrypted With KMS

Query id: 5d9e3164-9265-470c-9a10-57ae454ac0c7
Query name: CloudTrail Log Files Not Encrypted With KMS
Platform: Terraform
Severity: Low
Category: Encryption
URL: Github

Description¶

Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Postitive test num. 1 - tf file

resource "aws_cloudtrail" "positive1" {
  name                          = "npositive_1"
  s3_bucket_name                = "bucketlog_1"
}

Code samples without security vulnerabilities¶

Negative test num. 1 - tf file

resource "aws_cloudtrail" "negative1" {
  name                          = "negative1"
  s3_bucket_name                = "bucketlog1"
  kms_key_id                    = "arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012"
}