AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-05-10 · Documentation medium

File: securityhub/latest/userguide/cloudtrail-controls.md

Summary

Added new control [CloudTrail.10] requiring encryption of CloudTrail Lake event data stores with customer managed KMS keys

Security assessment

The change introduces documentation for encrypting CloudTrail Lake data with customer-managed KMS keys, which enhances data-at-rest protection. While it addresses security best practices, there's no explicit evidence of fixing a specific vulnerability.

Diff

diff --git a/securityhub/latest/userguide/cloudtrail-controls.md b/securityhub/latest/userguide/cloudtrail-controls.md
index 9a2927bbf..9a67ed864 100644
--- a//securityhub/latest/userguide/cloudtrail-controls.md
+++ b//securityhub/latest/userguide/cloudtrail-controls.md
@@ -5 +5 @@
-[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events[CloudTrail.2] CloudTrail should have encryption at-rest enabled[CloudTrail.3] At least one CloudTrail trail should be enabled[CloudTrail.4] CloudTrail log file validation should be enabled[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket[CloudTrail.9] CloudTrail trails should be tagged
+[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events[CloudTrail.2] CloudTrail should have encryption at-rest enabled[CloudTrail.3] At least one CloudTrail trail should be enabled[CloudTrail.4] CloudTrail log file validation should be enabled[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket[CloudTrail.9] CloudTrail trails should be tagged[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed AWS KMS keys
@@ -283,0 +284,28 @@ To add tags to a CloudTrail trail, see [AddTags](https://docs.aws.amazon.com/aws
+## [CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed AWS KMS keys
+
+**Related requirements:** NIST.800-53.r5 AU-9, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SC-12(2), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SI-7(6)
+
+**Category:** Protect > Data Protection > Encryption of data-at-rest
+
+**Severity:** Medium
+
+**Resource type:** `AWS::CloudTrail::EventDataStore`
+
+**AWS Config rule:** [event-data-store-cmk-encryption-enabled](https://docs.aws.amazon.com/config/latest/developerguide/event-data-store-cmk-encryption-enabled.html)
+
+**Schedule type:** Periodic
+
+**Parameters:**
+
+Parameter | Description | Type | Allowed custom values | Security Hub default value  
+---|---|---|---|---  
+`kmsKeyArns` |  A list of Amazon Resource Names (ARNs) of AWS KMS keys to include in the evaluation. The control generates a `FAILED` finding if an event data store isn't encrypted with a KMS key in the list. |  StringList (maximum of 3 items) |  1–3 ARNs of existing KMS keys. For example: `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`. |  No default value  
+  
+This control checks whether an AWS CloudTrail Lake event data store is encrypted at rest with a customer managed AWS KMS key. The control fails if the event data store isn't encrypted with a customer managed KMS key. You can optionally specify a list of KMS keys for the control to include in the evaluation.
+
+By default, AWS CloudTrail Lake encrypts event data stores with Amazon S3 managed keys (SSE-S3), using an AES-256 algorithm. For additional control, you can configure CloudTrail Lake to encrypt an event data store with a customer managed AWS KMS key (SSE-KMS) instead. A customer managed KMS key is an AWS KMS key that you create, own, and manage in your AWS account. You have full control over this type of KMS key. This includes defining and maintaining the key policy, managing grants, rotating cryptographic material, assigning tags, creating aliases, and enabling and disabling the key. You can use a customer managed KMS key in cryptographic operations for your CloudTrail data and audit usage with CloudTrail logs.
+
+### Remediation
+
+For information about encrypting an AWS CloudTrail Lake event data store with an AWS KMS key that you specify, see [Update an event data store](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-event-data-store-update.html) in the _AWS CloudTrail User Guide_. After you associate an event data store with a KMS key, the KMS key can't be removed or changed.
+