CloudTrail Log Files Not Encrypted With KMS

  • Query id: 5d9e3164-9265-470c-9a10-57ae454ac0c7
  • Query name: CloudTrail Log Files Not Encrypted With KMS
  • Platform: Terraform
  • Severity: Low
  • Category: Encryption
  • CWE: 326
  • URL: Github

Description

Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_cloudtrail" "positive1" {
  name                          = "npositive_1"
  s3_bucket_name                = "bucketlog_1"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_cloudtrail" "negative1" {
  name                          = "negative1"
  s3_bucket_name                = "bucketlog1"
  kms_key_id                    = "arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012"
}