Achieving Encryption for CloudTrail Logs in AWS

Encrypting CloudTrail Logs in AWS

Question

You have enabled CloudTrail logs for your company's AWS account.

In addition, the IT Security department has mentioned that the logs need to be encrypted.

How can this be achieved?

Answers

Explanations


Answer: B.

Option B is CORRECT because, by default, AWS CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE).

You can also define Amazon S3 lifecycle rules to archive or delete log files automatically.

If you want notifications about log file delivery and validation, you can set up Amazon SNS notifications.

Options A, C and D are incorrect because AWS CloudTrail logs are encrypted by default and there is no need for additional configurations.

For more information on how CloudTrail works, please visit the following URL:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html

The correct answer to this question is Option D: Enable server-side encryption for the destination S3 bucket.

When you enable AWS CloudTrail for an AWS account, it records all the API calls made in that account and delivers them to an Amazon S3 bucket or a CloudWatch Logs log group that you specify. By default, the logs are stored in an S3 bucket in the same AWS account as the one being monitored.

To encrypt CloudTrail logs, you must enable server-side encryption (SSE) for the S3 bucket where the logs are being delivered. SSE encrypts the objects in an S3 bucket using encryption keys managed by AWS. There are three types of SSE: SSE-S3, SSE-KMS, and SSE-C.

SSE-S3 automatically encrypts objects when they are written to an S3 bucket, and decrypts them when they are read. SSE-S3 uses S3-managed encryption keys, which AWS rotates on a regular basis to improve security. SSE-S3 is the easiest way to enable encryption for S3 buckets and is recommended unless you have specific regulatory or compliance requirements.

SSE-KMS uses AWS Key Management Service (KMS) to manage the encryption keys used to encrypt objects in an S3 bucket. SSE-KMS provides additional features, such as audit trails and fine-grained access controls, that are not available with SSE-S3. SSE-KMS is recommended for customers who require more control over encryption key management.

SSE-C allows you to use your own encryption keys to encrypt objects in an S3 bucket. SSE-C is useful for customers who want to manage their own encryption keys and have existing key management systems in place.

In summary, to encrypt CloudTrail logs, you should enable server-side encryption for the S3 bucket where the logs are being delivered. SSE-S3 is the easiest option and is recommended unless you have specific regulatory or compliance requirements that require using SSE-KMS or SSE-C.
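As an added example, not part of either answer above, the following Python function takes inputs in the shape of the CloudTrail DescribeTrails and S3 GetBucketEncryption responses and reports which SSE mode protects a trail's log files (the trail's own KmsKeyId versus the bucket's default-encryption rule) together with what a reviewer should confirm. The trail and bucket dicts at the bottom are constructed samples, and the key ARN is a placeholder.

```python
from typing import Optional


def assess_trail(trail: dict, bucket_encryption: Optional[dict]) -> dict:
    """Classify a trail's at-rest encryption and list reviewer findings.

    trail             -- one element of DescribeTrails' "trailList"
    bucket_encryption -- GetBucketEncryption response for trail["S3BucketName"],
                         or None when the bucket has no default-encryption rule
    """
    findings = []
    # CloudTrail delivers SSE-S3 objects unless the trail itself names a KMS key.
    trail_key = trail.get("KmsKeyId")
    mode = "SSE-KMS" if trail_key else "SSE-S3"
    if trail_key:
        findings.append(f"trail encrypts log files with KMS key {trail_key}")

    bucket_default = None
    rules = (bucket_encryption or {}).get(
        "ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        bucket_default = default.get("SSEAlgorithm")
        if bucket_default == "aws:kms":
            key = default.get("KMSMasterKeyID", "aws/s3 (AWS managed key)")
            findings.append(f"bucket default encryption is SSE-KMS with {key}")
            if not trail_key:
                # A bucket-level KMS rule only works if CloudTrail may use the key.
                findings.append("trail has no KmsKeyId; confirm the key policy lets "
                                "cloudtrail.amazonaws.com call kms:GenerateDataKey")
        elif bucket_default == "AES256":
            findings.append("bucket default encryption is SSE-S3 (AES256)")
    if not rules:
        findings.append("bucket has no default-encryption rule; only CloudTrail's "
                        "own SSE-S3 default applies")
    return {"trail": trail["Name"], "mode": mode,
            "bucket_default": bucket_default, "findings": findings}


# Constructed sample responses in the API's shape (not real account data).
SAMPLE_TRAIL = {"Name": "org-trail", "S3BucketName": "example-cloudtrail-logs"}
SAMPLE_BUCKET_SSE_KMS = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    "BucketKeyEnabled": True}]}}

if __name__ == "__main__":
    for label, enc in (("no bucket rule", None), ("SSE-KMS rule", SAMPLE_BUCKET_SSE_KMS)):
        print(label, assess_trail(SAMPLE_TRAIL, enc))
```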