CloudTrail logs encrypted with KMS CMK
Description
CloudTrail logs encrypted at rest using customer-managed KMS keys (CMK).
⚠️ Risk Impact
CloudTrail delivers log files with SSE-S3 by default, and S3 decrypts those objects transparently: anyone with s3:GetObject on the bucket reads the logs, and there is no second gate. With SSE-KMS and a customer-managed key, a reader also needs kms:Decrypt on that specific key, so the key policy becomes an independent access-control layer that a bucket-level grant cannot bypass on its own (unless the key policy hands the decision back to IAM by granting decryption to the account root). The flip side is that the key is now a single point of failure for forensics: if the CMK is disabled or deleted, every log file it encrypted becomes unreadable, so kms:ScheduleKeyDeletion and kms:DisableKey on this key must be restricted as tightly as kms:Decrypt.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Create or choose a CMK in the same account, then point the trail at it: aws cloudtrail update-trail --name <trail-name> --kms-key-id <key-arn>. Before running that, the key policy must allow the cloudtrail.amazonaws.com service principal kms:GenerateDataKey* (ideally scoped with a StringLike condition on the kms:EncryptionContext:aws:cloudtrail:arn key) and kms:DescribeKey; without that grant CloudTrail rejects the update with InsufficientEncryptionPolicyException. Grant kms:Decrypt only to the roles that genuinely need to read logs (incident response, SIEM ingestion) rather than to the account root or "*", and enable automatic rotation on the key.
💀 Real-World Attack Scenario
An attacker, or an over-privileged insider, who obtains s3:GetObject on the CloudTrail bucket (a leaked read-only credential is enough) can download every log file, because S3 decrypts SSE-S3 objects transparently for any authorised reader. With CMK encryption and a key policy that limits kms:Decrypt to a small set of incident-response roles, the same bucket access is useless: S3 cannot obtain the data key on the caller's behalf, so GetObject fails with AccessDenied and no plaintext (or usable ciphertext) leaves the service. The attacker can still list object names, so the bucket policy still matters, but the log content stays protected.
💰 Cost of Non-Compliance
Log-content exposure during a breach widens incident scope: CloudTrail records principal names, role ARNs, source IPs, API calls and resource identifiers, which hand an attacker a map of the environment and let them check whether their own activity has been noticed. Every additional account or role visible in the logs becomes a candidate for the scope-of-compromise assessment.
📋 Audit Questions
- 1. Is every trail (including any organization trail) configured with a customer-managed KMS key rather than the SSE-S3 default?
- 2. Does the key policy grant kms:Decrypt only to named roles, and not to the account root or "*"?
- 3. Is automatic key rotation enabled on that CMK?
- 4. Who can schedule deletion of, or disable, the key, given that doing so makes historical logs unreadable?
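The remediation above and the audit questions it leads to can be checked mechanically. The script below is an added example, not EchelonGraph's scanner or any AWS-provided tool: it audits each trail for a CMK, then inspects the key policy for the two mistakes that matter (decryption handed to "*" or to the account root, and a missing kms:GenerateDataKey* grant for cloudtrail.amazonaws.com) and reports disabled rotation. The inputs mirror the shapes boto3 returns from describe_trails, get_key_policy and get_key_rotation_status; the account number, trail names, key ARNs and both policies are constructed sample data, and the names of the functions are this example's own.

```python
"""Audit CloudTrail at-rest encryption and the policy of the KMS key behind it.
Added example, not EchelonGraph code. Inputs mirror boto3's
cloudtrail.describe_trails()["trailList"], kms.get_key_policy()["Policy"] and
kms.get_key_rotation_status()["KeyRotationEnabled"]; all sample data is constructed."""
import json

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"
ACCOUNT = "111122223333"  # constructed account id
KEY_A = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
KEY_B = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/66666666-7777-8888-9999-000000000000"

def _as_list(value):
    """IAM JSON allows a scalar wherever a list is accepted; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _action_matches(actions, wanted):
    """True if any action covers `wanted`: exact, '*', 'kms:*' or a trailing
    wildcard such as kms:GenerateDataKey* (the form AWS's CloudTrail key policy uses)."""
    wanted = wanted.lower()
    for action in actions:
        a = action.lower()
        if a in ("*", "kms:*", wanted) or (a.endswith("*") and wanted.startswith(a[:-1])):
            return True
    return False

def audit_key_policy(policy):
    """Findings for a CMK policy used by CloudTrail. Conditions are not evaluated,
    so a '*' principal narrowed by a Condition is still reported for human review."""
    if policy is None:
        return ["key policy could not be retrieved"]
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings, cloudtrail_can_encrypt = [], False
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions, principal = _as_list(stmt.get("Action")), stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        sid = stmt.get("Sid", "<no sid>")
        if _action_matches(actions, "kms:Decrypt"):
            if principal == "*" or "*" in aws_principals:
                findings.append(f"[{sid}] kms:Decrypt granted to principal '*'")
            elif any(p.endswith(":root") for p in aws_principals):
                findings.append(f"[{sid}] kms:Decrypt delegated to account root, so any IAM "
                                "policy in the account can grant log decryption")
        if CLOUDTRAIL_SERVICE in services and _action_matches(actions, "kms:GenerateDataKey"):
            cloudtrail_can_encrypt = True
    if not cloudtrail_can_encrypt:
        findings.append("no kms:GenerateDataKey* grant for cloudtrail.amazonaws.com; "
                        "CloudTrail cannot encrypt log files with this key")
    return findings

def audit_trail(trail, key_policy=None, rotation_enabled=None):
    """Findings for one trail: CMK present, key policy sane, rotation enabled."""
    name, key_id = trail.get("Name", "<unnamed>"), trail.get("KmsKeyId")
    if not key_id:
        return [f"trail {name}: no KmsKeyId, log files use default SSE-S3 and are "
                "readable by anyone with s3:GetObject on the bucket"]
    findings = [f"trail {name}: {f}" for f in audit_key_policy(key_policy)]
    if rotation_enabled is False:
        findings.append(f"trail {name}: automatic rotation disabled on {key_id}")
    return findings

def audit_all(trails, key_policies, rotation):
    return {t["Name"]: audit_trail(t, key_policies.get(t.get("KmsKeyId")),
                                   rotation.get(t.get("KmsKeyId"))) for t in trails}

def collect_from_aws():
    """Live variant of the sample inputs (needs credentials; boto3 is imported
    lazily so the offline sample below runs without it)."""
    import boto3
    trails = boto3.client("cloudtrail").describe_trails(includeShadowTrails=False)["trailList"]
    policies, rotation = {}, {}
    for key in {t["KmsKeyId"] for t in trails if t.get("KmsKeyId")}:
        kms = boto3.client("kms", region_name=key.split(":")[3])  # region from the key ARN
        policies[key] = kms.get_key_policy(KeyId=key, PolicyName="default")["Policy"]
        rotation[key] = kms.get_key_rotation_status(KeyId=key)["KeyRotationEnabled"]
    return trails, policies, rotation

# Constructed sample: a well-keyed trail, a badly keyed trail and an SSE-S3 trail.
GOOD_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdministration", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": ["kms:Describe*", "kms:List*", "kms:Get*", "kms:Put*", "kms:Enable*",
                "kms:Disable*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]},
    {"Sid": "AllowCloudTrailToEncryptLogs", "Effect": "Allow", "Resource": "*",
     "Principal": {"Service": CLOUDTRAIL_SERVICE}, "Action": "kms:GenerateDataKey*",
     "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                  f"arn:aws:cloudtrail:*:{ACCOUNT}:trail/*"}}},
    {"Sid": "AllowCloudTrailToDescribeKey", "Effect": "Allow", "Resource": "*",
     "Principal": {"Service": CLOUDTRAIL_SERVICE}, "Action": "kms:DescribeKey"},
    {"Sid": "OnlyIncidentResponseDecrypts", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/IncidentResponse"}, "Action": "kms:Decrypt"}]}
BAD_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMUserPermissions", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*"},
    {"Sid": "AnyoneCanDecrypt", "Effect": "Allow", "Resource": "*",
     "Principal": "*", "Action": ["kms:Decrypt"]}]}
SAMPLE_TRAILS = [{"Name": "prod-trail", "KmsKeyId": KEY_A},
                 {"Name": "audit-trail", "KmsKeyId": KEY_B}, {"Name": "legacy-trail"}]
SAMPLE_KEY_POLICIES = {KEY_A: json.dumps(GOOD_KEY_POLICY), KEY_B: json.dumps(BAD_KEY_POLICY)}
SAMPLE_ROTATION = {KEY_A: True, KEY_B: False}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_TRAILS, SAMPLE_KEY_POLICIES, SAMPLE_ROTATION).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run as-is to see the three sample outcomes; swap the three SAMPLE_* inputs for the tuple returned by collect_from_aws() to audit a real account. The good policy deliberately keeps the account-root statement to administrative actions only, so decryption is not delegated to IAM; note that kms:Put* still lets an administrator rewrite the policy, which is why key administration itself should be a separate, audited role.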
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Default SSE-S3 left in place on one or more trails, so bucket read access alone exposes log content
- ⛔ Key policy too permissive: kms:Decrypt granted to "*" or to the account root hands the decision back to every IAM policy in the account
- ⛔ Key policy missing the cloudtrail.amazonaws.com kms:GenerateDataKey* grant, so the update-trail call is rejected or log delivery stops after a policy change
- ⛔ No automatic rotation enabled on the CMK
- ⛔ Key deletion or disablement not restricted, which would make historical logs unreadable
📈 Business Value
CMK encryption on logs adds a defense-in-depth layer against insiders and compromised bucket-readers: access to the S3 bucket is no longer sufficient to read audit history, and the key policy gives a single, reviewable place to state who can.
⏱️ Effort Estimate
30 minutes
EchelonGraph audits CloudTrail encryption + key policy
🔗 Cross-Framework References
Automate CIS AWS 3.4 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.
Start Free →