AWSConfigRemediation-EnableCloudTrailEncryptionWithKMS

Description

The AWSConfigRemediation-EnableCloudTrailEncryptionWithKMS runbook encrypts an Amazon CloudTrail (CloudTrail) trail using the Amazon Key Management Service (Amazon KMS) customer managed key you specify. This runbook should only be used as a baseline to ensure that your CloudTrail trails are encrypted according to minimum recommended security best practices. We recommend encrypting multiple trails with different KMS keys. CloudTrail digest files are not encrypted. If you have previously set the EnableLogFileValidation parameter to true for the trail, see the "Use server-side encryption with Amazon KMS managed keys" section of the CloudTrail Preventative Security Best Practices topic in the Amazon CloudTrail User Guide for more information.
Document type
Automation
Owner
Amazon
Platforms
Linux, macOS, Windows
Parameters

- AutomationAssumeRole
  Type: String
  Allowed values: ^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role\/[\w+=,.@/-]+$
  Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

- KMSKeyId
  Type: String
  Description: (Required) The ARN, key ID, or key alias of the customer managed key you want to use to encrypt the trail you specify in the TrailName parameter.

- TrailName
  Type: String
  Description: (Required) The ARN or name of the trail you want to update to be encrypted.
Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

- ssm:StartAutomationExecution
- ssm:GetAutomationExecution
- cloudtrail:GetTrail
- cloudtrail:UpdateTrail
Document Steps

- aws:executeAwsApi - Enables encryption on the trail you specify in the TrailName parameter.
- aws:executeAwsApi - Gathers the ARN for the customer managed key you specify in the KMSKeyId parameter.
- aws:assertAwsResourceProperty - Verifies that encryption has been enabled on the CloudTrail trail.
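As an added example (not the runbook's own code), the three document steps above expressed as direct CloudTrail API calls in Python, with a constructed in-memory stand-in for the boto3 CloudTrail client so the check runs offline; the trail name, alias and key ID are made up. With a real account, pass boto3.client("cloudtrail") in place of the fake.

```python
import re
from typing import Any, Dict

# GetTrail reports the key as a full KMS key ARN, whatever form UpdateTrail received.
KEY_ARN_RE = re.compile(
    r"^arn:(?:aws|aws-us-gov|aws-cn):kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def enable_trail_encryption(cloudtrail: Any, trail_name: str, kms_key_id: str) -> None:
    """Step 1 (cloudtrail:UpdateTrail): the key may be an ARN, key ID or alias."""
    cloudtrail.update_trail(Name=trail_name, KmsKeyId=kms_key_id)


def get_trail_key_arn(cloudtrail: Any, trail_name: str) -> str:
    """Step 2 (cloudtrail:GetTrail): read back the key ARN, '' if unencrypted."""
    return cloudtrail.get_trail(Name=trail_name)["Trail"].get("KmsKeyId", "")


def verify_trail_encrypted(key_arn: str, requested: str) -> bool:
    """Step 3: the trail must carry a well-formed key ARN and, when the caller gave
    a key ID or key ARN, the same key. An alias cannot be matched without
    kms:DescribeKey, which is outside the runbook's permission set."""
    if not KEY_ARN_RE.match(key_arn):
        return False
    if requested.startswith("alias/") or ":alias/" in requested:
        return True
    return key_arn.endswith("key/" + requested.split("key/")[-1])


def remediate(cloudtrail: Any, trail_name: str, kms_key_id: str) -> str:
    """Run the three steps in order; return the key ARN now attached to the trail."""
    enable_trail_encryption(cloudtrail, trail_name, kms_key_id)
    key_arn = get_trail_key_arn(cloudtrail, trail_name)
    if not verify_trail_encrypted(key_arn, kms_key_id):
        raise RuntimeError(f"{trail_name}: asked for {kms_key_id}, trail has {key_arn!r}")
    return key_arn


# Constructed in-memory stand-in for boto3's CloudTrail client: it stores the key
# as an ARN the way the service does and resolves aliases through a fixed table.
ALIASES = {"alias/cloudtrail-logs": "0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9"}


class FakeCloudTrail:
    def __init__(self, trails: Dict[str, dict], account: str = "123456789012"):
        self.trails, self.account = trails, account

    def update_trail(self, Name: str, KmsKeyId: str) -> None:
        ident = KmsKeyId.split(":")[-1] if KmsKeyId.startswith("arn:") else KmsKeyId
        key_id = ALIASES[ident] if ident.startswith("alias/") else ident.split("key/")[-1]
        self.trails[Name]["KmsKeyId"] = f"arn:aws:kms:us-east-1:{self.account}:key/{key_id}"

    def get_trail(self, Name: str) -> dict:
        return {"Trail": dict(self.trails[Name], Name=Name)}
```

Run against the real client, UpdateTrail fails if the key policy does not let CloudTrail use the key, so the verification step never reports a half-applied state.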