Encryption best practices for AWS CloudTrail
AWS CloudTrail records the API activity in your AWS account and helps you with governance, compliance, and operational and risk auditing of that account.
Consider the following encryption best practices for this service:
- Encrypt CloudTrail log files with a customer managed AWS KMS key (SSE-KMS) instead of the default Amazon S3 managed encryption. The KMS key must be in the same Region as the S3 bucket that receives your log files; CloudTrail cannot use a key from another Region for that bucket. For more information, see Updating a trail to use your KMS key.
- As an additional security layer, enable log file validation for your trails. CloudTrail then delivers an hourly digest file that lists the SHA-256 hash of each delivered log file and is itself signed with RSA; because each digest references the previous one, you can determine whether a log file was modified, deleted, or left unchanged after CloudTrail delivered it. For instructions, see Enabling log file integrity validation for CloudTrail.
- Use interface VPC endpoints (AWS PrivateLink) so that resources in your VPCs can call the CloudTrail API without traversing the public internet. For more information, see Using AWS CloudTrail with interface VPC endpoints.
- Add an aws:SourceArn condition key to the KMS key policy so that CloudTrail can use the key only on behalf of a specific trail or trails. Without it, the cloudtrail.amazonaws.com service principal is allowed to use the key for any trail that references it, including trails in other accounts (the confused deputy problem). The AWS-documented policy also restricts the kms:EncryptionContext:aws:cloudtrail:arn key to trails in your account. For more information, see Configure AWS KMS key policies for CloudTrail.
- In AWS Config, enable the cloud-trail-encryption-enabled AWS managed rule to detect trails whose log files are not encrypted with SSE-KMS. A Config rule reports non-compliance; attach a remediation action to it if you want non-compliant trails corrected automatically.
- If CloudTrail is configured to send notifications through Amazon Simple Notification Service (Amazon SNS) topics, add an aws:SourceArn (or, less precisely, aws:SourceAccount) condition key to the statement in the topic policy that grants CloudTrail SNS:Publish, so that a trail in another account cannot publish to your topic. For more information, see Amazon SNS topic policy for CloudTrail.
- If you are using AWS Organizations, create an organization trail that logs all events for the AWS accounts in that organization, including the management account and all member accounts. For more information, see Creating a trail for an organization.
- Create a trail that applies to all AWS Regions, so that account activity is recorded in every Region where you store corporate data. When AWS launches a new Region, CloudTrail automatically includes the new Region in a multi-Region trail and logs events there.
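The two policy recommendations above (the aws:SourceArn condition on the KMS key policy and on the SNS topic policy) share one pattern: a statement that grants the cloudtrail.amazonaws.com service principal access is safe only when a condition pins it to your own trail. The following Python is an added example, not code from the AWS page: it builds scoped KMS and SNS policy statements in the shape AWS documents for CloudTrail, and includes a small audit function that flags the weak form (a CloudTrail grant with no aws:SourceArn or aws:SourceAccount guard). The account ID, Region, trail ARN and topic ARN are constructed placeholders; the audit only inspects policy documents you hand it and makes no AWS API calls.

```python
"""Build scoped KMS/SNS policy statements for CloudTrail and audit policies for unscoped grants.

Added example. The identifiers below are constructed placeholders, not real resources.
"""
import json

ACCOUNT_ID = "111122223333"                        # constructed
REGION = "us-east-1"                               # constructed
TRAIL_ARN = f"arn:aws:cloudtrail:{REGION}:{ACCOUNT_ID}:trail/example-trail"   # constructed
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT_ID}:cloudtrail-notify"           # constructed
CLOUDTRAIL_SP = "cloudtrail.amazonaws.com"

# Constructed "before" policy: CloudTrail may use the key, but nothing ties that
# grant to a particular trail, so any trail referencing this key (in any account)
# can have CloudTrail generate data keys under it.
WEAK_KMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_SP},
         "Action": "kms:GenerateDataKey*", "Resource": "*"},
    ],
}


def scoped_kms_policy(trail_arns, account_id):
    """Key policy in the AWS-documented shape, limited to the named trails.

    aws:SourceArn pins the calling trail; the kms:EncryptionContext condition
    additionally requires the encryption context CloudTrail sets to name a trail
    in this account.
    """
    trail_arns = list(trail_arns)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_SP},
             "Action": "kms:GenerateDataKey*", "Resource": "*",
             "Condition": {
                 "StringEquals": {"aws:SourceArn": trail_arns},
                 "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                [f"arn:aws:cloudtrail:*:{account_id}:trail/*"]}}},
            {"Sid": "Allow CloudTrail to describe key", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_SP},
             "Action": "kms:DescribeKey", "Resource": "*",
             "Condition": {"StringEquals": {"aws:SourceArn": trail_arns}}},
        ],
    }


def scoped_sns_policy(topic_arn, trail_arn):
    """Topic policy that lets CloudTrail publish, but only on behalf of one trail."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailSNSPolicy", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_SP},
             "Action": "SNS:Publish", "Resource": topic_arn,
             "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}}},
        ],
    }


def _principal_services(principal):
    """Normalize a Statement Principal to the set of service principals it names."""
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict):
        svc = principal.get("Service", [])
        return {svc} if isinstance(svc, str) else set(svc)
    return set()


def _has_source_guard(statement):
    """True if any condition block pins the caller with aws:SourceArn or aws:SourceAccount.

    IAM condition keys are case-insensitive, so compare lower-cased.
    """
    wanted = {"aws:sourcearn", "aws:sourceaccount"}
    for operator_block in statement.get("Condition", {}).values():
        if any(key.lower() in wanted for key in operator_block):
            return True
    return False


def unscoped_cloudtrail_grants(policy):
    """Sids of Allow statements that let CloudTrail (or everyone, Principal "*") act without a source guard."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be written as an object
        statements = [statements]
    findings = []
    for index, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if not ({CLOUDTRAIL_SP, "*"} & _principal_services(st.get("Principal"))):
            continue
        if not _has_source_guard(st):
            findings.append(st.get("Sid", f"statement[{index}]"))
    return findings


if __name__ == "__main__":
    print("weak policy findings:", unscoped_cloudtrail_grants(WEAK_KMS_POLICY))
    print(json.dumps(scoped_kms_policy([TRAIL_ARN], ACCOUNT_ID), indent=2))
    print(json.dumps(scoped_sns_policy(TOPIC_ARN, TRAIL_ARN), indent=2))
```

To audit a live key or topic, fetch the document with `aws kms get-key-policy --policy-name default` or `aws sns get-topic-attributes` and pass the parsed JSON to unscoped_cloudtrail_grants; an empty list means every CloudTrail grant carries a source guard. Listing several trail ARNs under aws:SourceArn matches any of them, which is how you scope one key to multiple trails.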