Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(misconf): Update Cloudtrail adapter for getting default encryption policy #6326

Closed
simar7 opened this issue Mar 14, 2024 Discussed in #6320 · 2 comments · Fixed by aquasecurity/trivy-checks#103
Closed

fix(misconf): Update Cloudtrail adapter for getting default encryption policy #6326

simar7 opened this issue Mar 14, 2024 Discussed in #6320 · 2 comments · Fixed by aquasecurity/trivy-checks#103
Labels
kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning
Milestone
v0.51.0

Comments

@simar7
Copy link
Member

simar7 commented Mar 14, 2024

Discussed in #6320

Originally posted by evankanderson March 13, 2024

Question

AVD-AWS-0015 suggests that "Cloudtrail should be encrypted at rest to secure access to sensitive trail data", and cites the AWS CloudTrail documentation for SSE-KMS.

According to that page:

By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS keys (SSE-KMS) for your CloudTrail log files.

To my ears, it sounds like I can use either SSE-S3 or SSE-KMS to achieve encryption-at-rest of CloudTrail data. However, if I omit the kms_key_id parameter from my terraform, I get a critical warning from the Trivy action:

Cloudtrail logs should be encrypted at rest to secure the sensitive data. Cloudtrail logs record all activity that occurs in the the account through API calls and would be one of the first places to look when reacting to a breach.
See https://avd.aquasec.com/misconfig/avd-aws-0015
────────────────────────────────────────
 iam/audit-log.tf:27-[36]
────────────────────────────────────────
  27 ┌ resource "aws_cloudtrail" "audit-log" {
  28 │   name                          = local.audit_log_name
  29 │   s3_bucket_name                = aws_s3_bucket.audit-logs.bucket
  30 │   include_global_service_events = true
  31 │   enable_log_file_validation    = true
  32 │   # We use the default S3 encryption-at-rest key
  33 │ 
  34 │   # Need bucket policy set before this can work
  35 │   depends_on = [resource.aws_s3_bucket_policy.cloudtrail-write]
  36 └ }

Now, I can definitely set up and manage an SSE-KMS key, but I'm wondering whether the AVD-AWS-0015 recommendation dates from before the rollout of SSE-S3 encryption for CloudTrail.

Target

AWS

Scanner

Misconfiguration

Output Format

Table

Mode

Standalone

Operating System

GitHub Actions

Version

[email protected]
@simar7 simar7 added kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning labels Mar 14, 2024
@simar7 simar7 added this to the v0.51.0 milestone Mar 14, 2024
@nikpivkin
Copy link
Contributor

@simar7 CloudTrail is encrypted by default using SSE-S3 keys. We can change the wording of the check and warn if the user does not use KMS keys, as is done for example in AVD-AWS-0027. Wdyt?

@simar7
Copy link
Member Author

simar7 commented Mar 26, 2024

@simar7 CloudTrail is encrypted by default using SSE-S3 keys. We can change the wording of the check and warn if the user does not use KMS keys, as is done for example in AVD-AWS-0027. Wdyt?

Yes sounds good.

@nikpivkin nikpivkin mentioned this issue Mar 26, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning
Projects
Trivy Roadmap
Archived in project
Milestone
v0.51.0
Development

Successfully merging a pull request may close this issue.

checks(aws): change the wording of AVD-AWS-0015 nikpivkin/trivy-checks
2 participants
@simar7 @nikpivkin