turbot/aws_compliance

Control: 2 CloudTrail should have encryption at rest enabled

Description

This control checks whether AWS CloudTrail is configured to encrypt its log files with server-side encryption (SSE) using an AWS KMS customer master key (CMK), rather than the default S3-managed encryption.

If you are only using the default encryption option, you can choose to disable this check.

Remediation

To enable encryption for CloudTrail logs

  1. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
  2. Choose Trails.
  3. Choose the trail to update.
  4. Under General details, choose Edit.
  5. For Log file SSE-KMS encryption, select Enabled.
  6. Under AWS KMS customer managed CMK, do one of the following:
    • To create a key, choose New. Then in AWS KMS alias, enter an alias for the key. The key is created in the same Region as the S3 bucket.
    • To use an existing key, choose Existing and then from AWS KMS alias, select the key.
    • The AWS KMS key and S3 bucket must be in the same Region.
  7. Choose Save changes.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_cloudtrail_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_cloudtrail_2 --share

SQL

This control uses a named query:

cloudtrail_trail_logs_encrypted_with_kms_cmk
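As an added illustration of what that named query evaluates, the following is an approximation written against the Steampipe aws_cloudtrail_trail table; it is not the mod's own query text. It assumes the table exposes the columns kms_key_id, home_region, region, title, arn and account_id, and it reports a trail as alarm when no KMS key is attached to it.

```sql
-- Added example (not the mod's own query): approximate the
-- cloudtrail_trail_logs_encrypted_with_kms_cmk check using the
-- Steampipe aws_cloudtrail_trail table. Column names are assumed.
select
  arn as resource,
  case
    when kms_key_id is null then 'alarm'
    else 'ok'
  end as status,
  case
    when kms_key_id is null then title || ' log files are not encrypted with a KMS CMK.'
    else title || ' log files are encrypted with KMS key ' || kms_key_id || '.'
  end as reason,
  region,
  account_id
from
  aws_cloudtrail_trail
where
  -- a multi-region trail is listed in every region it covers;
  -- evaluate each trail once, in its home region, to avoid duplicate findings
  region = home_region;
```

A trail passes this check as soon as a KMS key ARN is set, so it does not confirm that the key policy actually grants CloudTrail permission to use the key; if that grant is missing, log delivery fails rather than falling back to unencrypted delivery, which is worth watching for in the trail's delivery status after enabling SSE-KMS.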

Tags