I little confused about the statements regarding CloudTrail logs being encrypted by default or do you have to choose a tick box at CloudTrail Logs setup? In the video you choose not to encrypt the log files at Setup , and then when you created some files you showed that they were encrypted and then you went on to say they were encrypted by default. Could you please explain as I am confused!
2 Answers
By default SSE-S3 is used, but you can specify a KMS key if you want more control the permissions. Explained more here: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
In the Video go to 6:56 where he reviews Security on the Bucket and dives down into a CT file where he says "it’s encrypted by default"! Pretty straight forward: By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE). You can also choose to encrypt your log files with an AWS Key Management Service (AWS KMS) key.
Is data encrypted also in transit?
This should be outlined a bit clearer in the course as it is an exam question which from the demo contradicts the "out of the box" encryption settings as per your link
In the Create Trail->Advanced section, there is an option to Encrypt log files and the default setting is "No". The information pop-up says that "To access encrypted log files, you must have decrypt permission on the specified KMS key" So, does it mean that CloudTrail logs are always encrypted by default using SSE-S3 and this corresponds to the "No" option?