CloudTrail Lake event data stores should be encrypted with customer managed AWS KMS keys
Description
This control checks whether an AWS CloudTrail Lake event data store is encrypted at rest with a customer managed AWS KMS key. The control fails if the event data store isn't encrypted with a customer managed KMS key.

By default, AWS CloudTrail Lake encrypts event data stores with Amazon S3 managed keys (SSE-S3), using an AES-256 algorithm. For additional control, you can configure CloudTrail Lake to encrypt an event data store with a customer managed AWS KMS key (SSE-KMS) instead.

A customer managed KMS key is an AWS KMS key that you create, own, and manage in your AWS account. You have full control over this type of KMS key. This includes defining and maintaining the key policy, managing grants, rotating cryptographic material, assigning tags, creating aliases, and enabling and disabling the key. You can use a customer managed KMS key in cryptographic operations for your CloudTrail data and audit usage with CloudTrail logs.
Remediation
Configure your CloudTrail Lake event data store to use a customer managed KMS key for encryption instead of the default S3 managed keys.
Steps
- Navigate to the CloudTrail console
- Go to the CloudTrail Lake section
- Select the event data store that needs KMS encryption
- Edit the event data store configuration
- In the encryption settings, select 'Customer managed key'
- Choose or create a customer managed KMS key
- Save the configuration changes
- Verify that the event data store is now encrypted with the customer managed KMS key
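The console steps above can be checked and applied from a script as well. The following is an added example, not part of the control text or AWS's own tooling: it evaluates event data store records shaped like the output of `aws cloudtrail get-event-data-store`, uses the `KeyManager` field from `aws kms describe-key` to tell a customer managed key from an AWS managed one (a KMS key ARN alone does not distinguish them), and builds the `aws cloudtrail update-event-data-store --kms-key-id` remediation call. All ARNs, account IDs and key IDs are constructed sample values, and the key policy statement is an assumption to be verified against the current CloudTrail KMS documentation for your account.

```python
"""Evaluate CloudTrail Lake event data stores for customer managed KMS encryption.

Added example, not AWS code. Record shapes mirror `get-event-data-store` and
`describe-key` responses; every ARN, account and key ID below is constructed.
"""
import json
import re
from typing import Dict, List, Optional

# Shape of a KMS key ARN: arn:aws:kms:<region>:<account>:key/<uuid>
KMS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def evaluate_event_data_store(store: dict, key_metadata: Optional[dict] = None) -> dict:
    """Return a PASSED/FAILED finding for one event data store record.

    `store` is the dict returned by get-event-data-store. `key_metadata` is the
    KeyMetadata dict from describe-key for store["KmsKeyId"], if it was fetched.
    """
    arn = store.get("EventDataStoreArn", "<unknown>")
    kms_key_id = store.get("KmsKeyId")
    if not kms_key_id:
        # No KmsKeyId means the store is still on the default SSE-S3 encryption.
        return {"store": arn, "status": "FAILED",
                "reason": "no KmsKeyId: store uses default SSE-S3 encryption"}
    if not KMS_KEY_ARN.match(kms_key_id):
        return {"store": arn, "status": "FAILED",
                "reason": f"KmsKeyId {kms_key_id!r} is not a KMS key ARN"}
    # The ARN alone cannot tell customer managed from AWS managed; KeyManager can.
    if key_metadata is not None and key_metadata.get("KeyManager") != "CUSTOMER":
        return {"store": arn, "status": "FAILED",
                "reason": f"{kms_key_id} has KeyManager={key_metadata.get('KeyManager')!r}, "
                          "not a customer managed key"}
    return {"store": arn, "status": "PASSED",
            "reason": f"encrypted with customer managed key {kms_key_id}"}


def run_checks(stores: List[dict], key_metadata_by_arn: Dict[str, dict]) -> List[dict]:
    """Evaluate every store, looking up key metadata by the store's KmsKeyId."""
    return [evaluate_event_data_store(s, key_metadata_by_arn.get(s.get("KmsKeyId", "")))
            for s in stores]


def remediation_command(store_arn: str, key_arn: str) -> str:
    """AWS CLI call that switches the store to SSE-KMS with the given key."""
    return ("aws cloudtrail update-event-data-store "
            f"--event-data-store {store_arn} --kms-key-id {key_arn}")


def cloudtrail_key_policy_statement(account_id: str) -> dict:
    """Key policy statement letting the CloudTrail service principal use the key.

    Assumption: this action set follows the CloudTrail KMS key policy guidance;
    confirm it against the current documentation before applying it.
    """
    return {
        "Sid": "AllowCloudTrailLakeToUseKey",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": ["kms:GenerateDataKey*", "kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
    }


# Constructed sample data: one default store, one on a customer managed key,
# one on an AWS managed key.
ACCOUNT = "111122223333"
CMK_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
AWS_KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/0000aaaa-0000-aaaa-0000-aaaaaaaaaaaa"
SAMPLE_STORES = [
    {"EventDataStoreArn": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:eventdatastore/EXAMPLE-default"},
    {"EventDataStoreArn": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:eventdatastore/EXAMPLE-cmk",
     "KmsKeyId": CMK_ARN},
    {"EventDataStoreArn": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:eventdatastore/EXAMPLE-awskey",
     "KmsKeyId": AWS_KEY_ARN},
]
SAMPLE_KEY_METADATA = {
    CMK_ARN: {"KeyId": CMK_ARN.split("/")[-1], "KeyManager": "CUSTOMER"},
    AWS_KEY_ARN: {"KeyId": AWS_KEY_ARN.split("/")[-1], "KeyManager": "AWS"},
}

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_STORES, SAMPLE_KEY_METADATA):
        print(f"{finding['status']:6} {finding['store']}: {finding['reason']}")
        if finding["status"] == "FAILED":
            print("   fix:", remediation_command(finding["store"], CMK_ARN))
    print(json.dumps(cloudtrail_key_policy_statement(ACCOUNT), indent=2))
```

Run it as-is to see the three findings on the constructed records; in a real account, feed it the records from `aws cloudtrail list-event-data-stores` and `get-event-data-store`, and fetch `describe-key` for each `KmsKeyId` before evaluating. The `KeyManager` check matters because a store that points at the AWS managed key still fails this control.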