Compliance · Medium severity

AWS Security Hub · CloudTrail

CloudTrail.2: CloudTrail logs are not KMS-encrypted

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub CloudTrail.2 check?

CloudTrail.2 fails when a trail does not encrypt its log files with SSE-KMS. The default SSE-S3 encryption is not enough to pass — the control wants a KMS key behind the logs.

Why does CloudTrail.2 matter?

One of the first things an intruder with IAM access does is enumerate CloudTrail — what's the trail, which bucket, can I read or tamper with the logs? SSE-S3 lets any principal with bucket access read them silently. SSE-KMS adds a second authorisation layer: reading the logs now requires a kms:Decrypt grant, and a denied attempt lights up the SOC instead of passing unnoticed.

How do I fix CloudTrail.2?

  1. Provision a dedicated CMK with a key policy that admits only the principals who genuinely need to read audit logs.
  2. Grant CloudTrail permission to use the key for encryption in the key policy.
  3. Flip the trail to SSE-KMS by setting the KMS key ID via update-trail.
  4. Confirm new log files are delivered and decryptable by authorised readers only.
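The four steps above, worked through offline as an added example (not Emnode's remediation script): a checker that flags trails with no KMS key, the way CloudTrail.2 does, and a builder for the dedicated key's policy that lets CloudTrail encrypt while reserving kms:Decrypt for named audit readers. The account id, region, trail name, role ARNs and the sample describe-trails output are constructed placeholders.

```python
import json

# Constructed sample in the shape of `aws cloudtrail describe-trails` output.
# Account id, bucket names and key id are placeholders, not real resources.
SAMPLE_TRAILS = {
    "trailList": [
        {"Name": "org-audit", "S3BucketName": "example-audit-logs",
         "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
        {"Name": "legacy-trail", "S3BucketName": "example-legacy-logs"},  # no KmsKeyId: SSE-S3 only
    ]
}


def trails_failing_cloudtrail2(describe_trails):
    """Names of trails with no KMS key set: exactly the condition CloudTrail.2 flags."""
    return [t["Name"] for t in describe_trails["trailList"] if not t.get("KmsKeyId")]


def cloudtrail_key_policy(account_id, region, trail_name, admin_arn, reader_arns):
    """Key policy for the dedicated CMK (steps 1 and 2): CloudTrail may encrypt,
    only the named readers may decrypt, and one admin principal manages the key."""
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    # CloudTrail always sets this encryption context, so scoping on it stops the
    # key being used for anything other than this account's trail logs.
    ctx = {"kms:EncryptionContext:aws:cloudtrail:arn": f"arn:aws:cloudtrail:*:{account_id}:trail/*"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Without this statement (or the account root) nobody can manage the key later.
            {"Sid": "KeyAdministration", "Effect": "Allow",
             "Principal": {"AWS": admin_arn}, "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowCloudTrailToEncryptLogs", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "kms:GenerateDataKey*", "Resource": "*",
             "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}, "StringLike": ctx}},
            {"Sid": "AllowCloudTrailToDescribeKey", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "kms:DescribeKey", "Resource": "*"},
            # kms:Decrypt goes only to audit readers; bucket access alone no longer reads the logs.
            {"Sid": "AllowAuditReadersToDecrypt", "Effect": "Allow",
             "Principal": {"AWS": reader_arns}, "Action": "kms:Decrypt", "Resource": "*",
             "Condition": {"StringLike": ctx}},
        ],
    }


if __name__ == "__main__":
    print("Failing CloudTrail.2:", trails_failing_cloudtrail2(SAMPLE_TRAILS))
    policy = cloudtrail_key_policy("111122223333", "eu-west-1", "org-audit",
                                   "arn:aws:iam::111122223333:role/KmsAdmin",
                                   ["arn:aws:iam::111122223333:role/AuditReader"])
    print(json.dumps(policy, indent=2))  # feed to: aws kms create-key --policy file://policy.json
    # then step 3: aws cloudtrail update-trail --name org-audit --kms-key-id <key ARN>
```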

Remediation script · bash

# Stop the irreversible clock first: cancel any scheduled deletion, then re-enable.
for k in $(aws kms list-keys --query 'Keys[].KeyId' --output text); do
  state=$(aws kms describe-key --key-id "$k" \
    --query 'KeyMetadata.KeyState' --output text)
  if [ "$state" = "PendingDeletion" ]; then
    aws kms cancel-key-deletion --key-id "$k"
    aws kms enable-key --key-id "$k"   # cancel leaves it Disabled
    echo "$k: deletion cancelled and re-enabled"
  fi
done

# Turn rotation on for eligible customer-managed symmetric keys.
for k in $(aws kms list-keys --query 'Keys[].KeyId' --output text); do
  read -r mgr spec <<<"$(aws kms describe-key --key-id "$k" \
    --query 'KeyMetadata.[KeyManager,KeySpec]' --output text)"
  if [ "$mgr" = "CUSTOMER" ] && [ "$spec" = "SYMMETRIC_DEFAULT" ]; then
    aws kms enable-key-rotation --key-id "$k"
  fi
done

Full walkthrough (console steps, edge cases and verification) in the lesson Manage KMS encryption keys.

Part of the learning path Lock down access
  • CloudTrail.1 No multi-Region trail captures read/write management events
  • CloudTrail.3 No CloudTrail trail is enabled at all
  • CloudTrail.4 CloudTrail log file validation should be enabled
  • CloudTrail.5 CloudTrail is not wired to CloudWatch for alerting
  • CloudTrail.6 The CloudTrail log bucket is publicly accessible
  • CloudTrail.7 Enable access logging on the CloudTrail S3 bucket
  • CloudTrail.10 CloudTrail Lake stores should use customer-managed KMS