Patch 418 (#440)

* Update cloudtrail-encryption.md * Images updated * Update cloudtrail-encryption.md Updated step 3 * Update cloudtrail-encryption.md * Update cloudtrail-encryption.md * Image updated for step 4 * Update cloudtrail-encryption.md * Image updated for step 5 * Updated image for step 6 * Update cloudtrail-encryption.md * Update cloudtrail-encryption.md * Update cloudtrail-encryption.md * Update cloudtrail-encryption.md * Update cloudtrail-encryption.md * Updated images for steps 7, 8 & 9 * Apply suggestions from code review * Update en/aws/cloudtrail/cloudtrail-encryption.md Co-authored-by: alphadev4 <[email protected]>
aquasecurity · Nov 2, 2022 · dca79a3 · dca79a3
1 parent 33fa0e9
commit dca79a3
Show file tree

Hide file tree

Showing 9 changed files with 11 additions and 10 deletions.
diff --git a/en/aws/cloudtrail/cloudtrail-encryption.md b/en/aws/cloudtrail/cloudtrail-encryption.md
@@ -9,18 +9,19 @@
 | **Plugin Title** | CloudTrail Encryption |
 | **Cloud** | AWS |
 | **Category** | CloudTrail |
-| **Description** | Ensures CloudTrail encryption at rest is enabled for logs |
+| **Description** | Ensures CloudTrail encryption at rest is enabled for logs. |
 | **More Info** | CloudTrail log files contain sensitive information about an account and should be encrypted at rest for additional protection. |
 | **AWS Link** | http://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html |
-| **Recommended Action** | Enable CloudTrail log encryption through the CloudTrail console or API |
+| **Recommended Action** | Enable CloudTrail log encryption through the CloudTrail console or API. |
 
 ## Detailed Remediation Steps
-1. Log into the AWS Management Console.
+1. Log in to the AWS Management Console.
 2. Select the "Services" option and search for "CloudTrail".</br><img src="/resources/aws/cloudtrail/cloudtrail-encryption/step2.png"/>
-3. In the "Dashboard" panel click on "View trails" button.</br> <img src="/resources/aws/cloudtrail/cloudtrail-encryption/step3.png"/>
-4. Select the "trail" that needs to be verified under "Name" column.</br><img src="/resources/aws/cloudtrail/cloudtrail-encryption/step4.png"/>
-5. Scroll down and under the "Storage location" option check for "Encrypt log files with SSE-KMS". If its status is "No" the selected trail does not support log encryption.</br><img src="/resources/aws/cloudtrail/cloudtrail-encryption/step5.png"/>
-6. Click on the pencil icon to get into "Storage location" configuration settings. Scroll down and click on "Yes" next to "Encrypt log files with SSE-KMS" to enable the "CloudTrail" log encryption. </br> <img src="/resources/aws/cloudtrail/cloudtrail-encryption/step6.png"/>
-7. Click on the "Yes" option next to "Create a new KMS key" and enter a name. Make sure KMS key and S3 bucket must be in the same region.</br><img src="/resources/aws/cloudtrail/cloudtrail-encryption/step7.png"/>
-8. Click on "No" option next to "Create a new KMS key" if already have "KMS key" available.</br><img src="/resources/aws/cloudtrail/cloudtrail-encryption/step8.png"/>
-9. Scroll down and click on "Save" to enable the CloudTrail log encryption.</br><img src="/resources/aws/cloudtrail/cloudtrail-encryption/step9.png"/>
+3. In the "Dashboard" panel click on the desired trail from the list under "Trails" to get to its configuration page.</br> <img src="/resources/aws/cloudtrail/cloudtrail-encryption/step3.png"/>
+4. Click on "Edit" button under "General details".</br><img src="/resources/aws/cloudtrail/cloudtrail-encryption/step4.png"/>
+5. On the Edit Trail page scroll down and check for "Log file SSE-KMS encryption". If its status is not selected as "Enabled" then the selected trail does not support log encryption.</br><img src="/resources/aws/cloudtrail/cloudtrail-encryption/step5.png"/>
+6. Select the checkbox to change the status as "Enabled" under "Log file SSE-KMS encryption" to enable the "CloudTrail" log encryption. </br> <img src="/resources/aws/cloudtrail/cloudtrail-encryption/step6.png"/>
+7. If you do not have an existing KMS key then under "Customer managed AWS KMS key" option select "New" and enter a name for "AWS KMS alias". Make sure KMS key and S3 bucket must be in the same region.</br><img src="/resources/aws/cloudtrail/cloudtrail-encryption/step7.png"/>
+8. If you already have a "KMS key" available then under "Customer managed AWS KMS key" option select "Existing" and click to choose an existing key under "AWS KMS alias".
+.</br><img src="/resources/aws/cloudtrail/cloudtrail-encryption/step8.png"/>
+9. Scroll down and click on "Save changes" to enable the CloudTrail log encryption.</br><img src="/resources/aws/cloudtrail/cloudtrail-encryption/step9.png"/>
diff --git a/resources/aws/cloudtrail/cloudtrail-encryption/step2.png b/resources/aws/cloudtrail/cloudtrail-encryption/step2.png
diff --git a/resources/aws/cloudtrail/cloudtrail-encryption/step3.png b/resources/aws/cloudtrail/cloudtrail-encryption/step3.png
diff --git a/resources/aws/cloudtrail/cloudtrail-encryption/step4.png b/resources/aws/cloudtrail/cloudtrail-encryption/step4.png
diff --git a/resources/aws/cloudtrail/cloudtrail-encryption/step5.png b/resources/aws/cloudtrail/cloudtrail-encryption/step5.png
diff --git a/resources/aws/cloudtrail/cloudtrail-encryption/step6.png b/resources/aws/cloudtrail/cloudtrail-encryption/step6.png
diff --git a/resources/aws/cloudtrail/cloudtrail-encryption/step7.png b/resources/aws/cloudtrail/cloudtrail-encryption/step7.png
diff --git a/resources/aws/cloudtrail/cloudtrail-encryption/step8.png b/resources/aws/cloudtrail/cloudtrail-encryption/step8.png
diff --git a/resources/aws/cloudtrail/cloudtrail-encryption/step9.png b/resources/aws/cloudtrail/cloudtrail-encryption/step9.png