Severity: Medium | Service: CloudTrail | Scope: Regional

CloudTrail should have encryption at-rest enabled

PCI DSS, CIS, NIST, ISO 27001

Description

This check verifies whether CloudTrail trails are configured to use server-side encryption (SSE) and AWS KMS key encryption. The check fails if the KmsKeyId isn't defined.
Remediation

Update a trail to use a KMS key.

Steps

  1. Sign in to the AWS Management Console and open the CloudTrail console.
  2. Choose Trails and select a trail name.
  3. In General details, choose Edit.
  4. Enable Log file SSE-KMS encryption and select or specify a KMS key.
  5. Update the trail.
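The following added example (not part of this page or of any AWS tooling) shows how the check's rule can be evaluated in code and how the console remediation maps onto an API call. The trail records are shaped like the `trailList` returned by boto3's `cloudtrail.describe_trails()`; the sample records, account ID and key ARNs are constructed.

```python
"""Evaluate CloudTrail trails against the 'encryption at rest' check."""
from typing import Dict, List

# Constructed sample modelled on a describe_trails() response: one trail
# with a KMS key, one with the key missing, one with an empty KmsKeyId.
SAMPLE_TRAILS: List[Dict] = [
    {"Name": "management-events", "HomeRegion": "us-east-1",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/management-events",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"Name": "legacy-trail", "HomeRegion": "us-east-1",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-trail"},
    {"Name": "empty-key", "HomeRegion": "us-east-1",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/empty-key",
     "KmsKeyId": ""},
]


def trail_passes(trail: Dict) -> bool:
    """The check passes only when KmsKeyId is present and non-empty."""
    return bool(trail.get("KmsKeyId"))


def evaluate_trails(trails: List[Dict]) -> Dict[str, str]:
    """Map each trail name to PASS or FAIL for the check."""
    return {t["Name"]: ("PASS" if trail_passes(t) else "FAIL") for t in trails}


def failing_trails(trails: List[Dict]) -> List[Dict]:
    """Return the trails that still need remediation."""
    return [t for t in trails if not trail_passes(t)]


def remediation_command(trail: Dict, kms_key_arn: str) -> str:
    """CLI equivalent of the console steps: enable SSE-KMS with the given key.

    The key policy must allow cloudtrail.amazonaws.com to call
    kms:GenerateDataKey*, otherwise update-trail is rejected.
    """
    return (f"aws cloudtrail update-trail --name {trail['Name']} "
            f"--kms-key-id {kms_key_arn}")


if __name__ == "__main__":
    # Live run (assumes boto3 and AWS credentials); otherwise use the sample.
    try:
        import boto3
        trails = boto3.client("cloudtrail").describe_trails(
            includeShadowTrails=False)["trailList"]
    except Exception:
        trails = SAMPLE_TRAILS
    for name, result in evaluate_trails(trails).items():
        print(f"{name}: {result}")
```

Run the printed `update-trail` command per failing trail once a key with the correct policy exists; trails that pass need no change.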

Compliance

PCI DSS, CIS, NIST, ISO 27001