CloudTrail Log Files Not Encrypted With KMS
- Query id: f5587077-3f57-4370-9b4e-4eb5b1bac85b
- Query name: CloudTrail Log Files Not Encrypted With KMS
- Platform: Ansible
- Severity: Low
- Category: Encryption
- CWE: 311
- URL: Github
Description¶
Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
- name: no sns topic name
community.aws.cloudtrail:
state: present
name: default
s3_bucket_name: mylogbucket
s3_key_prefix: cloudtrail
region: us-east-1
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
- name: create multi-region trail with validation and tags v2
community.aws.cloudtrail:
state: present
name: default
s3_bucket_name: mylogbucket
region: us-east-1
is_multi_region_trail: true
enable_log_file_validation: true
cloudwatch_logs_role_arn: arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role
cloudwatch_logs_log_group_arn: arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*
kms_key_id: alias/MyAliasName
tags:
environment: dev
Name: default