CloudTrail Log Files Not Encrypted With KMS

  • Query id: f5587077-3f57-4370-9b4e-4eb5b1bac85b
  • Query name: CloudTrail Log Files Not Encrypted With KMS
  • Platform: Ansible
  • Severity: Low
  • Category: Encryption
  • CWE: 311
  • URL: Github

Description

Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: no sns topic name
  community.aws.cloudtrail:
    state: present
    name: default
    s3_bucket_name: mylogbucket
    s3_key_prefix: cloudtrail
    region: us-east-1

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: create multi-region trail with validation and tags v2
  community.aws.cloudtrail:
    state: present
    name: default
    s3_bucket_name: mylogbucket
    region: us-east-1
    is_multi_region_trail: true
    enable_log_file_validation: true
    cloudwatch_logs_role_arn: arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role
    cloudwatch_logs_log_group_arn: arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*
    kms_key_id: alias/MyAliasName
    tags:
      environment: dev
      Name: default