I am a little confused about the statements regarding CloudTrail logs being encrypted by default, or do you have to choose a tick box at CloudTrail Logs setup? In the video you chose not to encrypt the log files at setup, and then when you created some files you showed that they were encrypted, and then you went on to say they were encrypted by default. Could you please explain, as I am confused!
By default SSE-S3 is used, but you can specify a KMS key if you want more control over the permissions. Explained more here: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
In the video, go to 6:56 where he reviews security on the bucket and dives down into a CT file where he says "it’s encrypted by default"! Pretty straightforward: By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE). You can also choose to encrypt your log files with an AWS Key Management Service (AWS KMS) key.
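
Added example (not from the video or from any of the posts above): a Python check that tells the two cases in this thread apart. A trail left at the default has no `KmsKeyId` and its log objects report `AES256` (SSE-S3), while a KMS-configured trail's objects report `aws:kms`. The dicts are constructed samples shaped like boto3's `describe_trails` and `head_object` responses; the trail name, bucket, object keys and key ARN are placeholders.

```python
# Constructed samples; in practice these come from
# cloudtrail.describe_trails()["trailList"] and s3.head_object(...).
KMS_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
DEFAULT_TRAIL = {"Name": "example-trail", "S3BucketName": "example-bucket"}
KMS_TRAIL = {**DEFAULT_TRAIL, "KmsKeyId": KMS_ARN}
HEADS = {
    "logs/a.json.gz": {"ServerSideEncryption": "AES256"},
    "logs/b.json.gz": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KMS_ARN},
}


def trail_mode(trail):
    """Encryption the trail is configured to use for delivered log files."""
    # KmsKeyId is only present when the trail was set up with a KMS key.
    return "SSE-KMS" if trail.get("KmsKeyId") else "SSE-S3"


def object_mode(head):
    """Encryption actually recorded on one delivered log object."""
    sse = head.get("ServerSideEncryption")
    if sse == "AES256":
        return "SSE-S3"
    if sse == "aws:kms":
        return "SSE-KMS"
    return "NONE"


def audit(trail, heads):
    """Return (configured_mode, findings) for a trail and its log objects."""
    want = trail_mode(trail)
    findings = []
    for key, head in sorted(heads.items()):
        got = object_mode(head)
        if got == "NONE":
            findings.append((key, "no server-side encryption header"))
        elif got != want:
            findings.append((key, f"object is {got}, trail is set to {want}"))
        elif got == "SSE-KMS" and head.get("SSEKMSKeyId") != trail["KmsKeyId"]:
            findings.append((key, "encrypted with a different KMS key"))
    return want, findings


if __name__ == "__main__":
    for trail in (DEFAULT_TRAIL, KMS_TRAIL):
        print(trail_mode(trail), audit(trail, HEADS)[1])
```
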