CloudTrail KMS encryption
Check ID: aws-ct-005
AWS-CT-005 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether CloudTrail logs are encrypted with a KMS Customer Managed Key (CMK). Without KMS encryption, logs use SSE-S3 default encryption, which offers less control over key management.
Why it matters
SSE-S3 encryption is managed entirely by AWS with no customer control over key access, rotation, or revocation. With KMS CMK encryption, you control who can decrypt CloudTrail logs through KMS key policies, you get CloudTrail events for every decryption attempt, and you can revoke access instantly by disabling the key. This separation of duties means that even an IAM admin who can access the S3 bucket cannot read the logs without also having KMS decrypt permissions. During incident response, KMS encryption provides an additional audit trail showing exactly who decrypted which log files and when, which is critical for regulatory investigations under GDPR, HIPAA, and PCI-DSS.
Common causes
CloudTrail defaults to SSE-S3 encryption when no KMS key is specified, so teams get encryption at rest without realizing they lack key management controls. Setting up a KMS key requires cross-service IAM permissions (CloudTrail needs to call KMS, and the KMS key policy needs to allow CloudTrail), which adds complexity that is often deferred. Organizations running multiple accounts via AWS Organizations sometimes skip per-account KMS keys to simplify the architecture.
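The cross-service permissions described above are the part most teams get wrong, so here is an added example (not cloud-audit's own code) that builds a KMS key policy allowing CloudTrail to use a customer managed key, and lints a policy for the two properties that matter: CloudTrail may only encrypt with the trail-ARN encryption context, and Decrypt is never open to arbitrary principals. The statements follow the pattern AWS documents for CloudTrail-encrypted trails; the account ID and the admin and reader role ARNs are placeholders.

```python
"""Build and lint a KMS key policy that lets CloudTrail use a customer managed key.

Added example, not cloud-audit's own code. The CloudTrail statements follow the
pattern AWS documents for CloudTrail-encrypted trails; account ID and role ARNs
passed in by callers are placeholders.
"""
import json
from typing import Dict, List

CLOUDTRAIL = "cloudtrail.amazonaws.com"
CTX_KEY = "kms:EncryptionContext:aws:cloudtrail:arn"

# Key administration actions: enough to manage the key, deliberately no Decrypt.
KEY_ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion",
    "kms:CancelKeyDeletion",
]


def cloudtrail_key_policy(account_id: str, admin_arn: str, reader_arn: str) -> Dict:
    """Key policy: CloudTrail may encrypt, admins may manage, only readers may decrypt."""
    trail_ctx = f"arn:aws:cloudtrail:*:{account_id}:trail/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Administration only. Keep at least one principal that can always
                # manage the key, otherwise the key can become unmanageable.
                "Sid": "KeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": admin_arn},
                "Action": KEY_ADMIN_ACTIONS,
                "Resource": "*",
            },
            {
                # The cross-service grant: CloudTrail needs GenerateDataKey* to
                # encrypt each log file. The encryption-context condition limits
                # use of the key to trails in this account.
                "Sid": "AllowCloudTrailToEncryptLogs",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL},
                "Action": "kms:GenerateDataKey*",
                "Resource": "*",
                "Condition": {
                    "StringLike": {CTX_KEY: trail_ctx},
                    "StringEquals": {"aws:SourceAccount": account_id},
                },
            },
            {
                "Sid": "AllowCloudTrailToDescribeKey",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL},
                "Action": "kms:DescribeKey",
                "Resource": "*",
            },
            {
                # Who may read the logs. Decrypt is scoped to CloudTrail's
                # encryption context, so the reader cannot use this key for
                # unrelated ciphertext, and nobody else gets Decrypt at all.
                "Sid": "AllowLogReadersToDecrypt",
                "Effect": "Allow",
                "Principal": {"AWS": reader_arn},
                "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"kms:CallerAccount": account_id},
                    "StringLike": {CTX_KEY: trail_ctx},
                },
            },
        ],
    }


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def policy_issues(policy: Dict) -> List[str]:
    """Lint a key policy; an empty list means it is usable and scoped for CloudTrail."""
    issues: List[str] = []
    cloudtrail_can_encrypt = False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        actions = _as_list(st.get("Action", []))
        cond = st.get("Condition", {})
        service = principal.get("Service") if isinstance(principal, dict) else None
        if service == CLOUDTRAIL and any(a.startswith("kms:GenerateDataKey") or a == "kms:*" for a in actions):
            if cond.get("StringLike", {}).get(CTX_KEY):
                cloudtrail_can_encrypt = True
            else:
                issues.append(f"{sid}: CloudTrail may use the key without the trail-ARN encryption context")
        grants_decrypt = any(a in ("kms:Decrypt", "kms:*") for a in actions)
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if grants_decrypt and wildcard and "kms:CallerAccount" not in cond.get("StringEquals", {}):
            issues.append(f"{sid}: Decrypt granted to any principal without a kms:CallerAccount condition")
    if not cloudtrail_can_encrypt:
        issues.append("no statement lets cloudtrail.amazonaws.com call kms:GenerateDataKey* with the encryption-context condition")
    return issues


if __name__ == "__main__":
    # Placeholder account and role ARNs, not real identifiers.
    doc = cloudtrail_key_policy("111122223333",
                                "arn:aws:iam::111122223333:role/KeyAdmin",
                                "arn:aws:iam::111122223333:role/LogReader")
    print(json.dumps(doc, indent=2))
    print("issues:", policy_issues(doc))
```

The admin statement intentionally replaces the console's default `kms:*` grant to the account root: with a root grant, any IAM policy in the account can hand out Decrypt, which defeats the separation of duties the check is meant to provide. The trade-off is that the key is only manageable through the listed admin principal, so that role must not be deleted while the key is in use.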
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
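For readers who want to see what the check actually evaluates, here is an added example in the spirit of aws-ct-005 (not cloud-audit's own code). It works on the shape of the DescribeTrails and DescribeKey API responses so it runs offline on a constructed sample, de-duplicates the shadow copies of multi-region trails that DescribeTrails returns, and confirms the referenced key is a customer managed key that is still enabled. The live boto3 variant is isolated in fetch_and_evaluate(); account and key IDs in the sample are placeholders.

```python
"""Evaluate CloudTrail trails for KMS customer managed key encryption.

Added example in the spirit of check aws-ct-005; it is not cloud-audit's own
code. The evaluation works on the shape of the DescribeTrails and DescribeKey
responses so it runs offline on the constructed sample below; the live boto3
variant is isolated in fetch_and_evaluate().
"""
from typing import Dict, List, Optional

# Constructed sample shaped like DescribeTrails' "trailList". The account ID
# and key ID are placeholders, not real identifiers.
SAMPLE_TRAILS: List[Dict] = [
    {
        "Name": "org-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
        "HomeRegion": "us-east-1",
        "IsMultiRegionTrail": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
    },
    {
        # Shadow copy of the same multi-region trail as reported from another
        # region: DescribeTrails returns these too, so de-duplicate by ARN.
        "Name": "org-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
        "HomeRegion": "us-east-1",
        "IsMultiRegionTrail": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
    },
    {
        "Name": "legacy-trail",
        "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-trail",
        "HomeRegion": "eu-west-1",
        "IsMultiRegionTrail": False,
        # No KmsKeyId: delivered log files fall back to SSE-S3.
    },
]

# Constructed DescribeKey "KeyMetadata" keyed by key ARN. KeyManager is
# "CUSTOMER" for a customer managed key and "AWS" for an AWS managed key.
SAMPLE_KEY_METADATA: Dict[str, Dict] = {
    "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID": {
        "KeyManager": "CUSTOMER",
        "KeyState": "Enabled",
    },
}


def evaluate_trail(trail: Dict, key_metadata: Dict[str, Dict]) -> Optional[str]:
    """Return a finding for a non-compliant trail, or None when it is compliant."""
    key_id = trail.get("KmsKeyId")
    if not key_id:
        return "no KmsKeyId set: log files use SSE-S3 default encryption"
    meta = key_metadata.get(key_id)
    if meta is None:
        # The trail references a key we could not describe (deleted, or a
        # cross-account key our credentials cannot see); treat it as a finding.
        return f"KmsKeyId {key_id} could not be described"
    if meta.get("KeyManager") != "CUSTOMER":
        return f"KmsKeyId {key_id} is not a customer managed key"
    if meta.get("KeyState") != "Enabled":
        # A disabled or pending-deletion key stops CloudTrail from writing new
        # log files, so surface it alongside the encryption finding.
        return f"KmsKeyId {key_id} is in state {meta.get('KeyState')}"
    return None


def find_noncompliant_trails(trails: List[Dict], key_metadata: Dict[str, Dict]) -> Dict[str, str]:
    """Map trail ARN -> finding for every distinct trail that fails the check."""
    findings: Dict[str, str] = {}
    seen = set()
    for trail in trails:
        arn = trail["TrailARN"]
        if arn in seen:
            continue  # shadow trail already evaluated
        seen.add(arn)
        problem = evaluate_trail(trail, key_metadata)
        if problem:
            findings[arn] = problem
    return findings


def fetch_and_evaluate(region: str) -> Dict[str, str]:
    """Live variant (assumes boto3 is installed and AWS credentials are available)."""
    import boto3  # imported here so the offline functions above need no SDK
    from botocore.exceptions import ClientError

    trails = boto3.client("cloudtrail", region_name=region).describe_trails(
        includeShadowTrails=True
    )["trailList"]
    key_metadata: Dict[str, Dict] = {}
    for trail in trails:
        key_arn = trail.get("KmsKeyId")
        if key_arn and key_arn not in key_metadata:
            key_region = key_arn.split(":")[3]  # KMS keys are regional
            try:
                key_metadata[key_arn] = boto3.client("kms", region_name=key_region).describe_key(
                    KeyId=key_arn
                )["KeyMetadata"]
            except ClientError:
                pass  # evaluate_trail reports the key as undescribable
    return find_noncompliant_trails(trails, key_metadata)


if __name__ == "__main__":
    for arn, problem in find_noncompliant_trails(SAMPLE_TRAILS, SAMPLE_KEY_METADATA).items():
        print(f"{arn}: {problem}")
```

Running it on the sample reports only legacy-trail. The de-duplication matters in practice: without it a single multi-region trail shows up once per region, and a trail that is compliant in its home region can be mis-reported from a shadow copy.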
Remediation: AWS CLI
aws cloudtrail update-trail --name TRAIL_NAME --kms-key-id arn:aws:kms:REGION:ACCOUNT:key/KEY_ID

Remediation: Terraform
resource "aws_cloudtrail" "main" {
  # ...
  kms_key_id = aws_kms_key.cloudtrail.arn
}

Compliance mapping
This check maps to CIS 3.5 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit; install it with: pip install cloud-audit