Using SSE-S3 with CloudTrail?

[evankanderson]

Question

AVD-AWS-0015 suggests that "Cloudtrail should be encrypted at rest to secure access to sensitive trail data", and cites the AWS CloudTrail documentation for SSE-KMS.

According to that page:

By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS keys (SSE-KMS) for your CloudTrail log files.

To my ears, it sounds like I can use either SSE-S3 or SSE-KMS to achieve encryption-at-rest of CloudTrail data. However, if I omit the kms_key_id parameter from my terraform, I get a critical warning from the Trivy action:

Cloudtrail logs should be encrypted at rest to secure the sensitive data. Cloudtrail logs record all activity that occurs in the the account through API calls and would be one of the first places to look when reacting to a breach.
See https://avd.aquasec.com/misconfig/avd-aws-0015
────────────────────────────────────────
 iam/audit-log.tf:27-[36]
────────────────────────────────────────
  27 ┌ resource "aws_cloudtrail" "audit-log" {
  28 │   name                          = local.audit_log_name
  29 │   s3_bucket_name                = aws_s3_bucket.audit-logs.bucket
  30 │   include_global_service_events = true
  31 │   enable_log_file_validation    = true
  32 │   # We use the default S3 encryption-at-rest key
  33 │ 
  34 │   # Need bucket policy set before this can work
  35 │   depends_on = [resource.aws_s3_bucket_policy.cloudtrail-write]
  36 └ }

Now, I can definitely set up and manage an SSE-KMS key, but I'm wondering whether the AVD-AWS-0015 recommendation dates from before the rollout of SSE-S3 encryption for CloudTrail.

Target

AWS

Scanner

Misconfiguration

Output Format

Table

Mode

Standalone

Operating System

GitHub Actions

Version

[email protected]

[simar7]

You're right, the check predates the new AWS update and we should update the check accordingly. I'll create an issue from this discussion to track it.

[simar7]

Issue here #6326