AWS-012 Amazon Web Services (AWS)

CloudTrail logs are encrypted with a KMS CMK.

Domain
Amazon Web Services (AWS)
Area
Logging
Automated / manual
Automated

Risk if it fails

Logs protected only by bucket access control may leak sensitive metadata.

CloudTrail log files record account IDs, IAM principal names, source IP addresses, the API calls made and when. A trail with no KMS key writes them with S3's default encryption (SSE-S3), which is transparent to anyone holding s3:GetObject on the log bucket: an over-broad bucket policy, a permissive IAM role or a stolen credential is enough to read them and map the account for the next step of an attack. With SSE-KMS the reader additionally needs kms:Decrypt on the customer managed key, so the key policy acts as a second, independently administered gate, and each decrypt is itself recorded as a KMS management event in CloudTrail.

How Tess tests it

1 test — each concludes only on cited evidence.

CloudTrail logs are encrypted with a KMS CMK.

Automated
Procedure
Confirm that every trail's KmsKeyId is a KMS key ARN. A trail whose KmsKeyId is null or absent delivers log files with the bucket's default encryption (SSE-S3), not SSE-KMS. describe-trails is regional: by default it lists the region's own trails plus shadow copies of multi-region and organization trails, so single-region trails in other regions are only found by running the command there. The check covers trail configuration only; objects written before the key was set keep the encryption they were written with.

Read-only command

aws cloudtrail describe-trails --query 'trailList[].{Name:Name,KMS:KmsKeyId}'
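The following Python is an added example of how the evidence from that command can be evaluated; it is not Tess's own tooling. It reads the full JSON that `aws cloudtrail describe-trails --output json` returns (here a constructed sample with made-up trail names, account IDs and key ARNs), fails any trail without a KmsKeyId, and, when an expected account ID is given, flags keys that live in another account so a cross-account key policy gets reviewed rather than silently passed.

```python
"""Evaluate `aws cloudtrail describe-trails` JSON for AWS-012 (KMS encryption of CloudTrail logs).

Added example, not the product's implementation. Run the read-only CLI command with
`--output json`, pass its stdout to evaluate_trails(), and act on the per-trail findings.
"""
import json
import re

# Key ARN shape CloudTrail reports in KmsKeyId: arn:<partition>:kms:<region>:<12-digit account>:key/<key-id>
KMS_KEY_ARN = re.compile(
    r"^arn:aws(?:-[a-z-]+)?:kms:([a-z0-9-]+):(\d{12}):key/([0-9a-f-]+)$"
)

# Constructed sample of describe-trails output (account IDs, names and key IDs are invented).
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {
            "Name": "org-trail",
            "S3BucketName": "example-cloudtrail-logs",
            "IsMultiRegionTrail": True,
            "HomeRegion": "us-east-1",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        },
        {
            # No KmsKeyId at all: CloudTrail writes this trail's objects with the bucket default (SSE-S3).
            "Name": "legacy-trail",
            "S3BucketName": "example-legacy-logs",
            "IsMultiRegionTrail": False,
            "HomeRegion": "eu-west-1",
            "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-trail",
        },
        {
            # Key held by a different account: still SSE-KMS, but read access is governed by that account's key policy.
            "Name": "shared-trail",
            "S3BucketName": "example-shared-logs",
            "IsMultiRegionTrail": True,
            "HomeRegion": "us-east-1",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/shared-trail",
            "KmsKeyId": "arn:aws:kms:us-east-1:999988887777:key/abcd1234-56ef-78ab-90cd-ef1234567890",
        },
    ]
})


def evaluate_trails(describe_trails_json, expected_account=None):
    """Return one finding per trail: {"name", "status", "reason"}.

    status: "pass" when KmsKeyId is a KMS key ARN (in expected_account, if given),
            "fail" when the trail has no KmsKeyId,
            "warn" when the key is malformed or belongs to another account.
    """
    findings = []
    for trail in json.loads(describe_trails_json).get("trailList", []):
        name = trail.get("Name") or trail.get("TrailARN", "<unnamed>")
        key_id = trail.get("KmsKeyId")
        if not key_id:
            findings.append({"name": name, "status": "fail",
                             "reason": "no KmsKeyId; log files fall back to the bucket's default SSE-S3"})
            continue
        match = KMS_KEY_ARN.match(key_id)
        if not match:
            # describe-trails normally returns a full key ARN; anything else deserves a manual look.
            findings.append({"name": name, "status": "warn", "reason": f"KmsKeyId is not a key ARN: {key_id}"})
            continue
        region, account, _key = match.groups()
        if expected_account and account != expected_account:
            findings.append({"name": name, "status": "warn",
                             "reason": f"key belongs to account {account}, not {expected_account}; review its key policy"})
            continue
        findings.append({"name": name, "status": "pass", "reason": f"SSE-KMS with key in {account}/{region}"})
    return findings


def summarize(findings):
    """Control verdict: no trails or any failing trail is a fail; warnings need review; otherwise pass."""
    if not findings or any(f["status"] == "fail" for f in findings):
        return "fail"
    if any(f["status"] == "warn" for f in findings):
        return "review"
    return "pass"


if __name__ == "__main__":
    results = evaluate_trails(SAMPLE_DESCRIBE_TRAILS, expected_account="111122223333")
    for f in results:
        print(f"{f['status']:<6} {f['name']:<14} {f['reason']}")
    print("AWS-012:", summarize(results))
```

Because describe-trails is regional, run the command in every region that has single-region trails and concatenate the trail lists before evaluating; the sample above stands in for that output. An empty trailList is treated as a fail on purpose, since an account with no trails has no encrypted logs either.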
