AWS Security Hub - Detect CloudTrail trails lacking KMS encryption
| Id | 9c2f6c3b-7fd8-4c5a-9d9d-3c4f9e6a7b21 |
| Rulename | AWS Security Hub - Detect CloudTrail trails lacking KMS encryption |
| Description | This query detects AWS CloudTrail trails that are not configured to use server-side encryption with a customer managed KMS key using AWS Security Hub control CloudTrail.2 findings. Unencrypted CloudTrail logs increase the risk of unauthorized access to sensitive audit data at rest. |
| Severity | Medium |
| Tactics | Impact DefenseEvasion |
| Techniques | T1565.001 T1562.008 |
| Required data connectors | AWSSecurityHub |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/CloudTrailTrailEncryptionDisabled.yaml |
| Version | 1.0.0 |
| Arm template | 9c2f6c3b-7fd8-4c5a-9d9d-3c4f9e6a7b21.json |
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/CloudTrail.2"
or tostring(ComplianceSecurityControlId) == "CloudTrail.2"
| mv-expand Resource = Resources
| where tostring(Resource.Type) == "AwsCloudTrailTrail"
| extend TrailId = tostring(Resource.Id)
| summarize TimeGenerated = max(TimeGenerated)
by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
AwsSecurityFindingId, ComplianceSecurityControlId, TrailId
status: Available
query: |
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/CloudTrail.2"
or tostring(ComplianceSecurityControlId) == "CloudTrail.2"
| mv-expand Resource = Resources
| where tostring(Resource.Type) == "AwsCloudTrailTrail"
| extend TrailId = tostring(Resource.Id)
| summarize TimeGenerated = max(TimeGenerated)
by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
AwsSecurityFindingId, ComplianceSecurityControlId, TrailId
version: 1.0.0
name: AWS Security Hub - Detect CloudTrail trails lacking KMS encryption
queryPeriod: 1h
kind: Scheduled
id: 9c2f6c3b-7fd8-4c5a-9d9d-3c4f9e6a7b21
customDetails:
Region: AwsRegion
FindingId: AwsSecurityFindingId
ComplianceControlId: ComplianceSecurityControlId
triggerOperator: gt
relevantTechniques:
- T1565.001
- T1562.008
tactics:
- Impact
- DefenseEvasion
severity: Medium
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/CloudTrailTrailEncryptionDisabled.yaml
queryFrequency: 1h
entityMappings:
- fieldMappings:
- columnName: AwsAccountId
identifier: Name
- columnName: AwsAccountId
identifier: CloudAppAccountId
entityType: Account
- fieldMappings:
- columnName: TrailId
identifier: Name
entityType: CloudApplication
tags:
- CIS AWS Foundations Benchmark v1.4.0
- CIS AWS Foundations Benchmark v1.2.0
- NIST 800-53 r5
- PCI DSS v3.2.1
requiredDataConnectors:
- dataTypes:
- AWSSecurityHubFindings
connectorId: AWSSecurityHub
alertDetailsOverride:
alertDisplayNameFormat: AWS CloudTrail trail {{TrailId}} lacks KMS encryption
alertDescriptionFormat: AWS CloudTrail trail ({{TrailId}}) lacks customer-managed KMS encryption for Account {{AwsAccountId}}.
description: |
This query detects AWS CloudTrail trails that are not configured to use server-side encryption with a customer managed KMS key using AWS Security Hub control CloudTrail.2 findings.
Unencrypted CloudTrail logs increase the risk of unauthorized access to sensitive audit data at rest.