Key Management Errors
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-320: CWE CATEGORY: Key Management Errors |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description#
The CloudTrail resource is not configured to encrypt logs at rest using a customer-managed KMS key (CMK). This means sensitive log data is stored without strong, customizable encryption controls.
Impact#
If CloudTrail logs are not encrypted with a customer-managed KMS key, unauthorized users with access to the storage location could potentially read sensitive activity logs. This increases the risk of data exposure and limits your ability to control key rotation, access, and auditing, potentially leading to compliance issues.