Compliance · Medium severity

AWS Security Hub · CloudTrail

CloudTrail.10: CloudTrail Lake stores should use customer-managed KMS

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub CloudTrail.10 check?

CloudTrail.10 fails when a CloudTrail Lake event data store is encrypted with an AWS-owned key (SSE-S3) rather than a customer-managed KMS key. This is a different resource from the trail log files that CloudTrail.2 covers.

Why does CloudTrail.10 matter?

A CloudTrail Lake event data store is a long-lived, queryable audit record, so it warrants the stronger key model: a customer-managed CMK adds a second authorisation layer and a key policy you control. Without it, anyone with store access reads the audit data with no separate decrypt gate and no SOC signal on attempts.

How do I fix CloudTrail.10?

  1. Find event data stores not bound to a customer-managed KMS key.
  2. Create a CMK and add a key policy that lets CloudTrail write to the store.
  3. Associate the key with the store via update-event-data-store.
  4. Decide the key carefully up front — once set, the encryption key on a store can't be changed for its life.

Remediation script · bash

# Stop the irreversible clock first: cancel any scheduled deletion, then re-enable.
for k in $(aws kms list-keys --query 'Keys[].KeyId' --output text); do
  state=$(aws kms describe-key --key-id "$k" \
    --query 'KeyMetadata.KeyState' --output text)
  if [ "$state" = "PendingDeletion" ]; then
    aws kms cancel-key-deletion --key-id "$k"
    aws kms enable-key --key-id "$k"   # cancel leaves it Disabled
    echo "$k: deletion cancelled and re-enabled"
  fi
done

# Turn rotation on for eligible customer-managed symmetric keys.
for k in $(aws kms list-keys --query 'Keys[].KeyId' --output text); do
  read -r mgr spec <<<"$(aws kms describe-key --key-id "$k" \
    --query 'KeyMetadata.[KeyManager,KeySpec]' --output text)"
  if [ "$mgr" = "CUSTOMER" ] && [ "$spec" = "SYMMETRIC_DEFAULT" ]; then
    aws kms enable-key-rotation --key-id "$k"
  fi
done

Full walkthrough (console steps, edge cases and verification) in the lesson Manage KMS encryption keys.
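The four remediation steps above, carried out end to end as an added example (this is not the lesson's own script): it lists every event data store, flags those still on the AWS-owned key, and binds the customer-managed key. It assumes the AWS CLI v2 is configured, that `CMK_ARN` names a key you have already created with a policy allowing CloudTrail to use it (step 2), and that `store_needs_cmk` is a helper introduced here.

```bash
#!/usr/bin/env bash
# Added example for CloudTrail.10 (not the lesson's remediation script).
# Assumes: AWS CLI v2 with permissions for cloudtrail list/get/update, and
# CMK_ARN set to an existing customer-managed key whose key policy already
# lets CloudTrail use it.
set -euo pipefail

# Pure decision helper so it can be checked without calling AWS.
# `aws cloudtrail get-event-data-store --query KmsKeyId --output text` prints
# "None" when no customer-managed key is bound; an empty string is treated
# the same way. Returns 0 when the store still needs a CMK.
store_needs_cmk() {
  local key_id="${1:-}"
  [ -z "$key_id" ] || [ "$key_id" = "None" ]
}

# Step 1: find stores not bound to a CMK; step 3: bind the key to each of them.
remediate_stores() {
  local cmk_arn="$1" arn key
  for arn in $(aws cloudtrail list-event-data-stores \
                 --query 'EventDataStores[].EventDataStoreArn' --output text); do
    key=$(aws cloudtrail get-event-data-store --event-data-store "$arn" \
            --query 'KmsKeyId' --output text)
    if store_needs_cmk "$key"; then
      # Step 4 caveat: the key set here cannot be changed for the store's life.
      aws cloudtrail update-event-data-store --event-data-store "$arn" \
        --kms-key-id "$cmk_arn"
      echo "$arn: bound to $cmk_arn"
    else
      echo "$arn: already uses $key"
    fi
  done
}

# Only touch AWS when a key ARN has been supplied explicitly.
if [ -n "${CMK_ARN:-}" ]; then
  remediate_stores "$CMK_ARN"
fi
```

Run it as `CMK_ARN=arn:aws:kms:REGION:ACCOUNT:key/KEY-ID ./bind-cmk.sh` (placeholder values) after the key policy from step 2 is in place; it prints one line per store.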

Is CloudTrail.10 a false positive?

This is a one-way door: the KMS binding is deliberately immutable, unlike most AWS encryption settings you can re-key by copying data — so bind to a durable, well-governed key, not a personal one.

Part of the learning path Lock down access
  • CloudTrail.1 No multi-Region trail captures read/write management events
  • CloudTrail.2 CloudTrail logs are not KMS-encrypted
  • CloudTrail.3 No CloudTrail trail is enabled at all
  • CloudTrail.4 CloudTrail log file validation should be enabled
  • CloudTrail.5 CloudTrail is not wired to CloudWatch for alerting
  • CloudTrail.6 The CloudTrail log bucket is publicly accessible
  • CloudTrail.7 Enable access logging on the CloudTrail S3 bucket