AWS CloudTrail logs are not encrypted using Customer Master Keys (CMKs)
Description
Checks that CloudTrail logs are encrypted with a KMS Customer Master Key (CMK). AWS CloudTrail is a service that enables governance, compliance, and operational and risk auditing of an AWS account. Encrypting CloudTrail data is a compliance and security best practice, since the logs may contain sensitive information.
Remediation
Terraform
To fix this issue, ensure that the `kms_key_id` property in the `aws_cloudtrail` resource is set to a valid KMS key ID or ARN.
Example:
```hcl
resource "aws_cloudtrail" "example" {
  ...
+ kms_key_id = "arn:aws:kms:us-west-2:123456789012:key/example-key-arn"
}
```
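The rule's condition as an added Python check, written for this page and not taken from the rule catalogue or from Checkov: it reads the JSON that `terraform show -json plan.out` emits and reports every `aws_cloudtrail` resource whose `kms_key_id` is empty, treating a key ARN that is only known after apply as set. The sample plan is constructed.

```python
"""Flag aws_cloudtrail resources in a Terraform plan that have no KMS key.

Added example, not part of the rule page or of Checkov. Input is the JSON
from `terraform show -json plan.out`; the condition mirrors IAC-0089 /
CKV_AWS_35: `kms_key_id` must be set to a non-empty value.
"""
import json


def find_unencrypted_trails(plan_json: str) -> list[str]:
    """Return addresses of aws_cloudtrail resources lacking kms_key_id."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_cloudtrail":
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # resource is being removed; nothing to encrypt
        # A key created in the same plan has no ARN yet; Terraform lists it
        # under after_unknown instead of after, so treat that as set.
        if (change.get("after_unknown") or {}).get("kms_key_id") is True:
            continue
        after = change.get("after") or {}
        if not after.get("kms_key_id"):
            findings.append(rc["address"])
    return findings


# Constructed sample plan: a trail with a key, one without, and one whose
# key ARN is computed at apply time.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_cloudtrail.encrypted", "type": "aws_cloudtrail",
         "change": {"actions": ["create"], "after_unknown": {},
                    "after": {"name": "encrypted", "kms_key_id":
                              "arn:aws:kms:us-west-2:123456789012:key/example-key-arn"}}},
        {"address": "aws_cloudtrail.plain", "type": "aws_cloudtrail",
         "change": {"actions": ["create"], "after_unknown": {},
                    "after": {"name": "plain", "kms_key_id": None}}},
        {"address": "aws_cloudtrail.computed_key", "type": "aws_cloudtrail",
         "change": {"actions": ["create"], "after": {"name": "computed_key"},
                    "after_unknown": {"kms_key_id": True}}},
    ],
})

if __name__ == "__main__":
    for address in find_unencrypted_trails(SAMPLE_PLAN):
        print(f"IAC-0089 / CKV_AWS_35: {address} has no kms_key_id")
```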
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0089 |
| Severity | INFO |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_35 |