AWS065.md

Pattern: CloudTrail should be encrypted at rest to secure access to sensitive trail data

Issue: -

Description

CloudTrail log files should be encrypted at rest with a customer managed KMS key. CloudTrail records the API calls made in the account, so its logs are one of the first places responders look when reacting to a breach and one of the first things an intruder wants to read or tamper with. CloudTrail delivers log files to S3 with the S3-managed default (SSE-S3); setting `kms_key_id` on the trail switches delivery to SSE-KMS, so reading a log file then requires `kms:Decrypt` on the key in addition to `s3:GetObject` on the bucket, and access to trail data is governed and audited through the key policy rather than by bucket permissions alone.

Resolution: Enable encryption at rest by setting `kms_key_id` to the ARN of a KMS key whose key policy allows `cloudtrail.amazonaws.com` to call `kms:GenerateDataKey*` and `kms:DescribeKey`; a key without those grants causes trail creation to fail.

Examples

Example of incorrect code:

```hcl
resource "aws_cloudtrail" "bad_example" {
  name                  = "bad-example"          # required argument; value assumed
  s3_bucket_name        = var.trail_bucket_name  # required argument; value assumed
  is_multi_region_trail = true
  # No kms_key_id: log files are written with the S3 default (SSE-S3) only,
  # so anyone who can read the bucket can read the trail data.

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}
```

Example of correct code:

```hcl
resource "aws_cloudtrail" "good_example" {
  name                       = "good-example"         # required argument; value assumed
  s3_bucket_name             = var.trail_bucket_name  # required argument; value assumed
  is_multi_region_trail      = true
  enable_log_file_validation = true        # signed digest files detect tampering
  kms_key_id                 = var.kms_id  # ARN of a KMS key CloudTrail may use (SSE-KMS)

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}
```
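The good example only works if `var.kms_id` points at a key CloudTrail is permitted to use. The Terraform below is an added example, not code from the tfsec page, showing that key with the policy statements CloudTrail needs next to the trail that references it. The trail name, the `trail_bucket_name` variable and the resource labels are assumptions; the bucket is assumed to already exist with the standard CloudTrail bucket policy (`s3:GetBucketAcl` and `s3:PutObject` for `cloudtrail.amazonaws.com`).

```hcl
# Added example (not part of the original page): KMS key + policy that CloudTrail
# requires, and a trail that uses it. Names and the bucket variable are assumed.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

variable "trail_bucket_name" { type = string } # assumed: existing bucket with CloudTrail bucket policy

locals {
  trail_name = "org-audit-trail" # assumed name
  trail_arn  = "arn:aws:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${local.trail_name}"
}

data "aws_iam_policy_document" "trail_key" {
  # Keep the account root able to administer the key so it cannot be locked out.
  statement {
    sid       = "EnableIAMUserPermissions"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  # CloudTrail wraps each log file with a data key from this CMK; the encryption
  # context and SourceArn conditions keep the grant usable only by this trail.
  statement {
    sid       = "AllowCloudTrailToEncryptLogs"
    actions   = ["kms:GenerateDataKey*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
      values   = ["arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [local.trail_arn]
    }
  }
  # DescribeKey carries no encryption context, so it needs its own statement.
  statement {
    sid       = "AllowCloudTrailToDescribeKey"
    actions   = ["kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
  # Reading a log file now needs kms:Decrypt as well as s3:GetObject. This grant is
  # scoped to callers in this account and to CloudTrail's encryption context; narrow
  # the principal to the incident-response roles in a real deployment.
  statement {
    sid       = "AllowLogReadersToDecrypt"
    actions   = ["kms:Decrypt", "kms:ReEncryptFrom"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:CallerAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
      values   = ["arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"]
    }
  }
}

resource "aws_kms_key" "trail" {
  description         = "CMK for CloudTrail log file encryption"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.trail_key.json
}

resource "aws_cloudtrail" "encrypted" {
  name                       = local.trail_name
  s3_bucket_name             = var.trail_bucket_name
  is_multi_region_trail      = true
  enable_log_file_validation = true              # digest files make tampering detectable
  kms_key_id                 = aws_kms_key.trail.arn # the ARN, not the bare key id
  # Management events are logged by default; add event_selector blocks for data events.
}
```

Two points worth checking after `terraform apply`: `kms_key_id` expects the key ARN, and if the key policy lacks the two CloudTrail statements the trail create call fails with `InsufficientEncryptionPolicyException`. To confirm an existing trail is actually on SSE-KMS, `aws cloudtrail describe-trails --trail-name-list org-audit-trail --query 'trailList[].KmsKeyId'` should return the key ARN; an empty result means the log files are still protected only by SSE-S3.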