Certified Security - Specialty


CloudTrail Logs encrypted by Default?

I am a little confused about the statements regarding CloudTrail logs being encrypted by default, or whether you have to choose a tick box at CloudTrail log setup. In the video you chose not to encrypt the log files at setup, and then when you created some files you showed that they were encrypted, and then you went on to say they were encrypted by default. Could you please explain, as I am confused!

2 Answers

By default SSE-S3 is used, but you can specify a KMS key if you want more control over the permissions. Explained more here: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html


This should be outlined a bit more clearly in the course, as it is an exam question which, from the demo, contradicts the "out of the box" encryption settings as per your link.

Apratim Buragohain

In the Create Trail->Advanced section, there is an option to Encrypt log files and the default setting is "No". The information pop-up says that "To access encrypted log files, you must have decrypt permission on the specified KMS key" So, does it mean that CloudTrail logs are always encrypted by default using SSE-S3 and this corresponds to the "No" option?

In the video go to 6:56, where he reviews Security on the bucket and dives down into a CT file where he says "it's encrypted by default"! Pretty straightforward: By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE). You can also choose to encrypt your log files with an AWS Key Management Service (AWS KMS) key.

Jorge Garcia

Is data encrypted also in transit?
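The thread above comes down to two checks a practitioner would actually run: what the trail is configured to do (`KmsKeyId` present or not in `describe-trails`) and what the delivered objects actually carry (`ServerSideEncryption` of `AES256` for SSE-S3 versus `aws:kms` for SSE-KMS in `head-object`). The following is an added example, not code from the course or from AWS; it works offline on constructed samples shaped like those CLI/boto3 responses (the trail name, bucket name, key ARN and object keys are hypothetical). It also answers the in-transit question at the bucket level the way a reviewer would check it: whether the bucket policy denies access when `aws:SecureTransport` is false.

```python
"""
Audit a CloudTrail trail's encryption at rest and the log bucket's TLS policy.

Added example (not from the course or AWS). Inputs are constructed samples in
the shape of `aws cloudtrail describe-trails`, `aws s3api head-object` and
`aws s3api get-bucket-policy` output; swap in real responses to use it.
"""
import json
from typing import Dict, List

# Constructed: trail saved with "Encrypt log files: No" (no KmsKeyId key at all).
TRAIL_DEFAULT: Dict = {
    "Name": "management-events",                 # hypothetical
    "S3BucketName": "example-cloudtrail-logs",   # hypothetical
}

# Constructed: the same trail after a KMS key was configured.
TRAIL_KMS: Dict = dict(
    TRAIL_DEFAULT,
    KmsKeyId="arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",  # hypothetical
)

# Constructed head-object responses for two delivered log objects.
OBJECTS: List[Dict] = [
    {   # written while the trail had no KMS key: S3 still applied SSE-S3
        "Key": "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/a.json.gz",
        "ServerSideEncryption": "AES256",
    },
    {   # written after the KMS key was set
        "Key": "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/02/b.json.gz",
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": TRAIL_KMS["KmsKeyId"],
    },
]

# Constructed bucket policies: one with the standard TLS-only Deny, one without.
TLS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-cloudtrail-logs",
                     "arn:aws:s3:::example-cloudtrail-logs/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})
NO_TLS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": []})


def expected_mode(trail: Dict) -> str:
    """What the trail configuration implies for newly delivered objects."""
    return "SSE-KMS" if trail.get("KmsKeyId") else "SSE-S3"


def encryption_mode(head_object: Dict) -> str:
    """Map the S3 ServerSideEncryption header to a readable mode."""
    sse = head_object.get("ServerSideEncryption")
    if sse == "AES256":
        return "SSE-S3"
    if sse == "aws:kms":
        return "SSE-KMS"
    return "NONE" if sse is None else "UNKNOWN"


def audit_objects(trail: Dict, head_objects: List[Dict]) -> List[Dict]:
    """Compare each object's actual encryption with what the trail config implies.

    For SSE-KMS the key ARN must also match the trail's KmsKeyId; a different
    key usually means the bucket's own default encryption did the encrypting.
    """
    want = expected_mode(trail)
    findings = []
    for obj in head_objects:
        have = encryption_mode(obj)
        ok = have == want
        if ok and want == "SSE-KMS":
            ok = obj.get("SSEKMSKeyId") == trail["KmsKeyId"]
        findings.append({"key": obj["Key"], "expected": want, "actual": have, "ok": ok})
    return findings


def bucket_policy_forces_tls(policy_json: str) -> bool:
    """True if some Deny statement on s3:* / * / s3:GetObject fires when aws:SecureTransport is false."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("s3:*", "*", "s3:GetObject") for a in actions):
            return True
    return False


if __name__ == "__main__":
    for trail in (TRAIL_DEFAULT, TRAIL_KMS):
        print(f"trail config implies {expected_mode(trail)}")
        for f in audit_objects(trail, OBJECTS):
            print(f"  {'OK ' if f['ok'] else 'MISMATCH'} {f['key']}: {f['actual']} (expected {f['expected']})")
    print("bucket forces TLS:", bucket_policy_forces_tls(TLS_POLICY))
```

Run against `TRAIL_DEFAULT` the first object passes and the second is flagged; against `TRAIL_KMS` it is the other way round. That asymmetry is the point of the thread: "Encrypt log files: No" never means plaintext, it means SSE-S3, and adding a KMS key later changes only objects delivered from then on, so a mix of `AES256` and `aws:kms` objects in one prefix is expected after a switch. Readers of SSE-KMS objects need `kms:Decrypt` on that key, exactly as the console pop-up quoted above warns.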
