Ensuring Encryption for CloudTrail Logs on AWS


Question

You need to ensure that the CloudTrail logs which are being delivered to your AWS account are encrypted.

How can this be achieved in the easiest way possible?

Answers

Explanations


A. B. C. D.

Answer: A.

Option A is CORRECT because, by default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3).

Option B is incorrect because AWS CloudTrail provides encryption by default using S3-SSE.

Option C is incorrect because AWS CloudTrail provides encryption by default using S3-SSE, and there is no need for additional encryption using S3-KMS.

Option D is incorrect because AWS CloudTrail provides encryption by default using S3-SSE, and there is no need for additional encryption by enabling KMS on logs sent to CloudWatch.

The question is for CloudTrail logs to S3 instead of CloudWatch logs.

For more information on AWS CloudTrail log encryption, please visit the following URL:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html

The correct answer is B. Enable S3-SSE for the underlying bucket which receives the log files.

Explanation:

CloudTrail is a service that logs all API calls made within an AWS account. These logs are important to help with troubleshooting and audit compliance, and as such, they should be protected with encryption to ensure their confidentiality and integrity.

By default, CloudTrail logs are stored in an S3 bucket that is created by CloudTrail. However, this bucket is not encrypted by default. Therefore, you need to take additional steps to ensure that the logs are encrypted.

One option is to enable server-side encryption (SSE) for the S3 bucket. SSE encrypts objects at rest using encryption keys managed by AWS. There are two types of SSE: SSE-S3 and SSE-KMS.

SSE-S3 is the easiest and most cost-effective way to encrypt the CloudTrail logs. SSE-S3 encrypts the objects using a key managed by AWS and is transparent to the user. To enable SSE-S3 for the S3 bucket, you can follow these steps:

  1. Open the S3 console and navigate to the CloudTrail bucket.
  2. Click on the "Properties" tab and scroll down to the "Default encryption" section.
  3. Select "AES-256" as the encryption algorithm.
  4. Click "Save".

Alternatively, you can enable SSE-KMS for the S3 bucket. SSE-KMS allows you to use your own encryption keys, which provides greater control over the encryption process. To enable SSE-KMS for the S3 bucket, you can follow these steps:

  1. Open the S3 console and navigate to the CloudTrail bucket.
  2. Click on the "Properties" tab and scroll down to the "Default encryption" section.
  3. Select "AWS-KMS" as the encryption algorithm.
  4. Choose a KMS key or create a new one.
  5. Click "Save".

Option C, "Enable S3-KMS for the underlying bucket which receives the log files", is incorrect because there is no such thing as "S3-KMS". SSE-KMS can be used to encrypt the S3 bucket, but it is not referred to as "S3-KMS".

Option D, "Enable KMS encryption for the logs which are sent to Cloudwatch", is also incorrect because CloudTrail logs are not sent to CloudWatch by default. CloudTrail logs are stored in an S3 bucket by default, and you need to enable CloudTrail to deliver the logs to CloudWatch if you want to monitor them using CloudWatch. Furthermore, enabling KMS encryption for CloudWatch does not encrypt the CloudTrail logs.
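The console steps above have an API equivalent, and the same data lets you audit what a trail actually delivers. The following Python is an added example, not code from the original page or from AWS: it builds the `ServerSideEncryptionConfiguration` payload that `aws s3api put-bucket-encryption` (or boto3's `put_bucket_encryption`) accepts for the SSE-S3 and SSE-KMS choices, and it classifies the JSON shapes returned by `aws s3api get-bucket-encryption` and `aws cloudtrail describe-trails`. The trail, bucket and key identifiers in the sample data are constructed placeholders, so the block runs offline.

```python
"""Audit and configure at-rest encryption for a CloudTrail trail's S3 bucket.

Added example, not the page's own code. Input shapes follow the AWS CLI /
boto3 responses for get-bucket-encryption and describe-trails; the sample
values below are constructed placeholders, not real resources.
"""
import json
from typing import Optional


def bucket_default_encryption(cfg: Optional[dict]) -> str:
    """Classify a get-bucket-encryption result as 'SSE-S3', 'SSE-KMS' or 'none'.

    A bucket with no default-encryption rule makes the CLI fail with
    ServerSideEncryptionConfigurationNotFoundError; callers pass None for that case.
    """
    if not cfg:
        return "none"
    rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo == "aws:kms":
            return "SSE-KMS"
        if algo == "AES256":
            return "SSE-S3"
    return "none"


def audit_trail_encryption(trail: dict, bucket_cfg: Optional[dict]) -> dict:
    """Summarise how one trail's log files are protected.

    `trail` is one entry of describe-trails' trailList. A KmsKeyId on the trail
    means CloudTrail encrypts each delivered log file with that KMS key (SSE-KMS);
    without it, CloudTrail's documented default is SSE-S3. The bucket's own
    default rule is reported separately so the two settings can be compared.
    """
    kms_key = trail.get("KmsKeyId")
    return {
        "trail": trail.get("Name"),
        "bucket": trail.get("S3BucketName"),
        "log_file_encryption": "SSE-KMS" if kms_key else "SSE-S3",
        "kms_key": kms_key,
        "bucket_default_encryption": bucket_default_encryption(bucket_cfg),
        # Log file validation (digest files) covers integrity, a separate
        # property from the confidentiality that encryption provides.
        "log_file_validation": bool(trail.get("LogFileValidationEnabled", False)),
    }


def default_encryption_rule(mode: str, kms_key_arn: Optional[str] = None) -> dict:
    """Build the ServerSideEncryptionConfiguration for put-bucket-encryption.

    Mirrors the console steps: 'AES256' is the SSE-S3 choice, 'aws:kms' the
    SSE-KMS choice (BucketKeyEnabled reduces the number of KMS requests).
    """
    if mode == "AES256":
        default = {"SSEAlgorithm": "AES256"}
    elif mode == "aws:kms":
        if not kms_key_arn:
            raise ValueError("SSE-KMS needs a KMS key id or ARN")
        default = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn}
    else:
        raise ValueError(f"unsupported SSEAlgorithm: {mode}")
    rule = {"ApplyServerSideEncryptionByDefault": default}
    if mode == "aws:kms":
        rule["BucketKeyEnabled"] = True
    return {"Rules": [rule]}


# Constructed sample data (placeholder identifiers, not real AWS resources).
SAMPLE_TRAIL_NO_KMS = {
    "Name": "example-trail",
    "S3BucketName": "example-cloudtrail-bucket",
    "LogFileValidationEnabled": True,
}
SAMPLE_TRAIL_KMS = dict(
    SAMPLE_TRAIL_NO_KMS,
    KmsKeyId="arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
)
SAMPLE_BUCKET_SSE_S3 = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
    }
}

if __name__ == "__main__":
    print(json.dumps(audit_trail_encryption(SAMPLE_TRAIL_NO_KMS, None), indent=2))
    print(json.dumps(audit_trail_encryption(SAMPLE_TRAIL_KMS, SAMPLE_BUCKET_SSE_S3), indent=2))
    print(json.dumps(default_encryption_rule("aws:kms", SAMPLE_TRAIL_KMS["KmsKeyId"]), indent=2))
```

To use it against a real account, feed `aws s3api get-bucket-encryption --bucket <name>` and `aws cloudtrail describe-trails` output into the two audit functions, and pass `default_encryption_rule(...)` as the `--server-side-encryption-configuration` argument of `put-bucket-encryption`. With SSE-KMS, the key policy must also allow CloudTrail to use the key, which this payload does not handle.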