Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository's issues are intended for feature requests and bug reports.
I'm submitting a ...
[ ] :beetle: bug report
[X] :rocket: feature request
[ ] :books: construct library gap
[ ] :phone: security issue or vulnerability => Please see policy
[ ] :question: support request => Please see note at the top of this template.
What is the current behavior?
Currently, if you create a CloudTrail:

```ts
const cloudTrail = new CloudTrail(this, 'MyTrail');
```

it automatically creates a bucket, which is also unencrypted:

```ts
const s3bucket = new s3.Bucket(this, 'S3', {encryption: s3.BucketEncryption.UNENCRYPTED});
```
What is the expected behavior (or behavior of feature suggested)?
An option to pass in an existing Bucket; this would give greater flexibility and allow the user to control the bucket policy and encryption.
Also, change the default encryption of the created bucket to:

```ts
encryption: s3.BucketEncryption.S3_MANAGED
```
What is the motivation / use case for changing the behavior or adding this feature?
1) In an enterprise, CloudTrail logs to central logging, even cross-account.
2) The "CIS AWS Foundations controls" (found under Security Hub):
2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs
https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.
3) Well-Architected Framework
https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
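As an added example (not code from the CDK project or from the issue author), these are the bucket policy and KMS key-policy statement a user-supplied CloudTrail bucket needs once a trail can be pointed at an existing encrypted bucket; the function names, bucket name and account id are constructed, and plain policy objects are used instead of CDK constructs so it runs without aws-cdk-lib.

```typescript
// Added example, not code from the CDK project or the issue author.
// Plain policy objects (no aws-cdk-lib) so it runs stand-alone; the bucket
// name and account id passed in by the caller are constructed sample values.
type Statement = {
  Sid: string; Effect: "Allow" | "Deny"; Principal: { Service: string };
  Action: string | string[]; Resource: string;
  Condition?: Record<string, Record<string, string>>;
};
type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };
const CLOUDTRAIL = "cloudtrail.amazonaws.com";

// Bucket policy a user-supplied trail bucket needs: CloudTrail reads the bucket
// ACL, then writes only under AWSLogs/<account>/ and only with the
// bucket-owner-full-control ACL, so the bucket owner keeps control of the logs.
function cloudTrailBucketPolicy(bucketName: string, accountId: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      { Sid: "AWSCloudTrailAclCheck", Effect: "Allow", Principal: { Service: CLOUDTRAIL },
        Action: "s3:GetBucketAcl", Resource: `arn:aws:s3:::${bucketName}` },
      { Sid: "AWSCloudTrailWrite", Effect: "Allow", Principal: { Service: CLOUDTRAIL },
        Action: "s3:PutObject", Resource: `arn:aws:s3:::${bucketName}/AWSLogs/${accountId}/*`,
        Condition: { StringEquals: { "s3:x-amz-acl": "bucket-owner-full-control" } } },
    ],
  };
}

// KMS key-policy statement for CIS 2.7 (SSE-KMS with a customer-managed CMK):
// CloudTrail may generate data keys only when encrypting for a trail in this
// account, scoped through the aws:cloudtrail:arn encryption context.
function cloudTrailKeyStatement(accountId: string): Statement {
  return {
    Sid: "AllowCloudTrailToEncryptLogs", Effect: "Allow", Principal: { Service: CLOUDTRAIL },
    Action: ["kms:GenerateDataKey*", "kms:DescribeKey"], Resource: "*",
    Condition: { StringLike: { "kms:EncryptionContext:aws:cloudtrail:arn": `arn:aws:cloudtrail:*:${accountId}:trail/*` } },
  };
}

// Constructed sample values: a central logging bucket and a log-producing account.
console.log(JSON.stringify(cloudTrailBucketPolicy("central-logs", "111122223333"), null, 2));
console.log(JSON.stringify(cloudTrailKeyStatement("111122223333"), null, 2));
```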
Please tell us about your environment:
CDK CLI Version: 1.3.0
Module Version: xx.xx.xx
OS: [all]
Language: [all]
Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)