CloudTrail should use Customer managed keys to encrypt the logs
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | cloudtrail |
| Provider | AWS |
| Vulnerability Type | omission |
Description
CloudTrail logs are being encrypted using AWS-managed keys instead of customer-managed keys, which limits the ability to control key policies, permissions, and rotation. This reduces the flexibility and security of sensitive audit log data.
Impact
Without customer-managed keys, organizations cannot enforce fine-grained access controls or customize key management practices for CloudTrail logs. This increases the risk of unauthorized access to audit trails and may result in non-compliance with security or regulatory requirements.
Resolution
Use a customer-managed KMS key to encrypt the CloudTrail logs.
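As an added example (not part of this rule page), a Python check in the spirit of this rule: it walks trail records shaped like boto3's `cloudtrail.describe_trails()` output and key metadata shaped like `kms.describe_key()`, and reports trails whose logs are not encrypted with an enabled customer-managed key. The trail and key records are constructed samples with a hypothetical account id; the function names are my own.

```python
"""Flag CloudTrail trails whose logs are not encrypted with a customer-managed KMS key.

Record shapes follow boto3: trails as in cloudtrail.describe_trails()["trailList"],
key metadata as in kms.describe_key()["KeyMetadata"]. All values below are constructed.
"""
from __future__ import annotations

# Constructed sample trails (hypothetical account 111122223333).
SAMPLE_TRAILS = [
    {"Name": "org-trail",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"},
    {"Name": "legacy-trail"},  # no KmsKeyId: the omission this rule is about
    {"Name": "shared-trail",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},
]

# Constructed KeyMetadata keyed by key ARN. KeyManager is "CUSTOMER" or "AWS".
SAMPLE_KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111":
        {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa":
        {"KeyManager": "AWS", "KeyState": "Enabled"},
}


def check_trail(trail: dict, key_metadata: dict) -> str | None:
    """Return a finding describing why the trail fails, or None when it passes."""
    key_id = trail.get("KmsKeyId")
    if not key_id:
        return "no KmsKeyId: logs rely on the bucket's default encryption"
    meta = key_metadata.get(key_id)
    if meta is None:
        return f"key {key_id} could not be described"
    if meta.get("KeyManager") != "CUSTOMER":
        return f"key {key_id} is managed by {meta.get('KeyManager')}, not the customer"
    if meta.get("KeyState") != "Enabled":
        return f"key {key_id} is {meta.get('KeyState')}, not Enabled"
    return None


def audit_trails(trails: list, key_metadata: dict) -> dict:
    """Map each failing trail name to its finding; passing trails are omitted."""
    findings = {}
    for trail in trails:
        finding = check_trail(trail, key_metadata)
        if finding:
            findings[trail["Name"]] = finding
    return findings


if __name__ == "__main__":
    for name, finding in audit_trails(SAMPLE_TRAILS, SAMPLE_KEYS).items():
        print(f"FAIL {name}: {finding}")
```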