Plugin Title | CloudTrail Encryption |
Cloud | AWS |
Category | CloudTrail |
Description | Ensures CloudTrail encryption at rest is enabled for logs. |
More Info | CloudTrail log files contain sensitive information about an account and should be encrypted at rest for additional protection. |
AWS Link | http://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html |
Recommended Action | Enable CloudTrail log encryption through the CloudTrail console or API. |
- Log in to the AWS Management Console.
- Select the "Services" option and search for "CloudTrail".
- In the "Dashboard" panel click on the desired trail from the list under "Trails" to get to its configuration page.
- Click the "Edit" button under "General details".
- On the Edit Trail page, scroll down to "Log file SSE-KMS encryption". If "Enabled" is not checked, log encryption is not turned on for the selected trail.
- Select the "Enabled" checkbox under "Log file SSE-KMS encryption" to turn on CloudTrail log encryption.
- If you do not have an existing KMS key, select "New" under "Customer managed AWS KMS key" and enter a name for "AWS KMS alias". The KMS key and the S3 bucket must be in the same region.
- If you already have a KMS key available, select "Existing" under "Customer managed AWS KMS key" and choose the key under "AWS KMS alias".
- Scroll down and click on "Save changes" to enable the CloudTrail log encryption.
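As an added example (not the plugin's own code), the same check applied to CloudTrail DescribeTrails output in Python, together with the API-level counterpart of the console steps above; boto3 is assumed for the live remediation call, and the sample trails are constructed.

```python
"""Flag CloudTrail trails whose log files are not SSE-KMS encrypted, and show
the API-level remediation. The trail records below are constructed samples
shaped like the `trailList` entries returned by DescribeTrails."""

from typing import Dict, List

# Constructed sample data: only the first trail has a KMS key configured.
SAMPLE_TRAILS: List[Dict] = [
    {"Name": "management-events", "HomeRegion": "us-east-1",
     "S3BucketName": "example-trail-logs",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"Name": "data-events", "HomeRegion": "us-east-1",
     "S3BucketName": "example-trail-logs"},
    {"Name": "legacy-trail", "HomeRegion": "eu-west-1",
     "S3BucketName": "example-trail-logs", "KmsKeyId": ""},
]


def find_unencrypted_trails(trails: List[Dict]) -> List[str]:
    """Return the names of trails with no KMS key configured.
    A missing or empty KmsKeyId means log files are not written with SSE-KMS."""
    return [t["Name"] for t in trails if not t.get("KmsKeyId")]


def evaluate(trails: List[Dict]) -> Dict[str, str]:
    """Map each trail name to PASS/FAIL, the way a scanner would report it."""
    unencrypted = set(find_unencrypted_trails(trails))
    return {t["Name"]: ("FAIL" if t["Name"] in unencrypted else "PASS")
            for t in trails}


def remediate(trail_name: str, kms_key_id: str) -> None:
    """Enable SSE-KMS on a live trail through the CloudTrail API (needs boto3
    and AWS credentials; assumed, not exercised offline). The key must be in
    the same region as the trail's S3 bucket, and its key policy must allow
    CloudTrail to use it."""
    import boto3  # imported lazily so the offline checks above still run
    boto3.client("cloudtrail").update_trail(Name=trail_name, KmsKeyId=kms_key_id)


if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_TRAILS).items():
        print(f"{verdict}: {name}")
```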