Control: AWS > PCI v3.2.1 > CloudTrail > 1 CloudTrail logs should be encrypted at rest using AWS KMS CMKs

This control checks whether AWS CloudTrail is configured to use the server-side encryption (SSE) AWS KMS customer master key (CMK) encryption.

If you are only using the default encryption option, you can choose to disable this check.

Remediation

To enable encryption for CloudTrail logs

Open the CloudTrail console at CloudTrail.
Choose Trails.
Choose the trail to update.
Under General details, choose Edit.
For Log file SSE-KMS encryption, select Enabled.
Under AWS KMS customer managed CMK, do one of the following:
- To create a key, choose New. Then in AWS KMS alias, enter an alias for the key. The key is created in the same Region as the S3 bucket.
- To use an existing key, choose Existing and then from AWS KMS alias, select the key.
- The AWS KMS key and S3 bucket must be in the same Region.
Choose Save changes.

PCI requirement(s): 3.4

Resource Types

This control targets the following resource types:

Control Type URI

tmod:@turbot/aws-pciv3-2-1#/control/types/cloudTrailTrailLogsEncryptedWithKmsCmk

Category URI

tmod:@turbot/turbot#/control/categories/compliancePci

GraphQL

query controlType(id: "tmod:@turbot/aws-pciv3-2-1#/control/types/cloudTrailTrailLogsEncryptedWithKmsCmk") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/aws-pciv3-2-1#/control/types/cloudTrailTrailLogsEncryptedWithKmsCmk'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/cloudTrailTrailLogsEncryptedWithKmsCmk"