Enable VPC flow logs: 81% of VPCs do not have VPC flow logging enabled, which will hinder incident response and investigations.
Encrypt CloudTrail logs at rest: 91% of CloudTrail logs are not encrypted at rest. Encryption at rest supports data compliance controls and is easy to do.
Ensure S3 bucket access logging is enabled for CloudTrail buckets: 41% of CloudTrail buckets do not have server access logging enabled. Logging should be enabled for all CloudTrail S3 buckets.
Ensure CloudTrail logs are integrated with CloudWatch or a SIEM: 54% of CloudTrails are not integrated with CloudWatch. These should be reviewed to ensure they are integrated with a production log search service or SIEM.
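To make the four findings above checkable in your own accounts, here is an added Python audit script (it is not code from the original post or from CIS). Each check takes the response shape the corresponding boto3 call returns (ec2.describe_vpcs and describe_flow_logs, cloudtrail.describe_trails, s3.get_bucket_logging), so the same functions work on live API output or on the constructed sample data at the bottom; the VPC IDs, trail names, bucket names and ARNs in that sample are made up for the demonstration.

```python
"""Offline audit of the four CloudTrail / VPC logging findings listed above.

Added example, not code from the original post or from CIS. Each check
takes the response shape the matching boto3 call returns:
  ec2.describe_vpcs(), ec2.describe_flow_logs(),
  cloudtrail.describe_trails(), s3.get_bucket_logging(Bucket=...)
so the functions can be fed either live API output or the constructed
sample data at the bottom of this file. All VPC IDs, trail names, bucket
names and ARNs below are made up for the demonstration.
"""
from typing import Dict, List


def vpcs_without_flow_logs(vpcs: dict, flow_logs: dict) -> List[str]:
    """VPC IDs with no ACTIVE flow log attached (any TrafficType counts)."""
    covered = {
        fl["ResourceId"]
        for fl in flow_logs.get("FlowLogs", [])
        if fl.get("FlowLogStatus") == "ACTIVE"
    }
    return [v["VpcId"] for v in vpcs.get("Vpcs", []) if v["VpcId"] not in covered]


def trails_without_kms_encryption(trails: dict) -> List[str]:
    """Trails whose log objects are not encrypted with SSE-KMS.

    describe_trails only includes KmsKeyId when a KMS key is configured;
    a trail without it falls back to S3-managed keys (SSE-S3), which the
    CIS control does not accept.
    """
    return [t["Name"] for t in trails.get("trailList", []) if not t.get("KmsKeyId")]


def trails_without_cloudwatch(trails: dict) -> List[str]:
    """Trails that deliver to S3 only, with no CloudWatch Logs log group."""
    return [
        t["Name"]
        for t in trails.get("trailList", [])
        if not t.get("CloudWatchLogsLogGroupArn")
    ]


def trail_buckets_without_access_logging(
    trails: dict, bucket_logging: Dict[str, dict]
) -> List[str]:
    """CloudTrail destination buckets whose get_bucket_logging response
    lacks a LoggingEnabled block, i.e. server access logging is off.

    bucket_logging maps bucket name -> that bucket's get_bucket_logging
    response; a bucket missing from the map is treated as unlogged.
    """
    buckets = sorted({t["S3BucketName"] for t in trails.get("trailList", [])})
    return [b for b in buckets if "LoggingEnabled" not in bucket_logging.get(b, {})]


def audit(vpcs, flow_logs, trails, bucket_logging) -> Dict[str, List[str]]:
    """Run all four checks; each value lists the non-compliant resources."""
    return {
        "vpc_flow_logs_disabled": vpcs_without_flow_logs(vpcs, flow_logs),
        "cloudtrail_not_kms_encrypted": trails_without_kms_encryption(trails),
        "cloudtrail_bucket_access_logging_disabled":
            trail_buckets_without_access_logging(trails, bucket_logging),
        "cloudtrail_not_in_cloudwatch": trails_without_cloudwatch(trails),
    }


# Constructed sample data mirroring the boto3 response shapes (all fake).
SAMPLE_VPCS = {"Vpcs": [{"VpcId": "vpc-0a1b2c3d4e5f60001"},
                        {"VpcId": "vpc-0a1b2c3d4e5f60002"}]}
SAMPLE_FLOW_LOGS = {"FlowLogs": [
    {"ResourceId": "vpc-0a1b2c3d4e5f60001", "FlowLogStatus": "ACTIVE",
     "TrafficType": "ALL"},
]}
SAMPLE_TRAILS = {"trailList": [
    {"Name": "prod-trail", "S3BucketName": "example-prod-cloudtrail",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
     "CloudWatchLogsLogGroupArn":
         "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/prod:*"},
    {"Name": "legacy-trail", "S3BucketName": "example-legacy-cloudtrail"},
]}
SAMPLE_BUCKET_LOGGING = {
    "example-prod-cloudtrail": {"LoggingEnabled": {
        "TargetBucket": "example-access-logs", "TargetPrefix": "cloudtrail/"}},
    "example-legacy-cloudtrail": {},
}

if __name__ == "__main__":
    findings = audit(SAMPLE_VPCS, SAMPLE_FLOW_LOGS, SAMPLE_TRAILS, SAMPLE_BUCKET_LOGGING)
    for check, resources in findings.items():
        print(f"{check}: {resources or 'OK'}")
```

With credentials configured, replace the sample constants with the output of the named boto3 calls (describe_flow_logs and describe_trails are paginated in large accounts, so collect all pages first). Note that the encryption check tests for SSE-KMS specifically: CloudTrail already writes its objects with S3-managed encryption by default, but the CIS control calls for a KMS key, which is what the 91% figure above is measuring.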
If your AWS accounts fall into these categories, we'd like to understand more about whether cost, the security risk of the assets involved, alternative controls or products, or other factors play into how these CIS benchmark controls are applied.
As an example, although encryption at rest using AWS managed keys may not buy a lot from a security viewpoint, it does from a compliance viewpoint. If the cost is free to negligible, what prevents an organization from encrypting CloudTrail logs at rest in the respective S3 bucket?