Which of the following is the most efficient way to automate the encryption of AWS CloudTrail logs using a Customer Master Key (CMK) in AWS KMS?
Use the KMS direct encrypt function on the log data every time a CloudTrail log is generated.
Use the default Amazon S3 server-side encryption with S3-managed keys to encrypt and decrypt the CloudTrail logs.
Configure CloudTrail to use server-side encryption using KMS-managed keys to encrypt and decrypt CloudTrail logs.
Use encrypted API endpoints so that all AWS API calls generate encrypted CloudTrail log entries using the TLS certificate from the encrypted API call.
Explanations:
Using the KMS direct encrypt function on the log data for every log generation introduces significant overhead and latency, as encryption operations would need to be performed in real-time for each log entry, which is inefficient and could lead to performance issues.
Using Amazon S3 server-side encryption with S3-managed keys does not provide the level of control or security offered by KMS-managed keys. Additionally, it lacks the ability to use a customer master key (CMK) for encryption, which is required for compliance in many scenarios.
Configuring CloudTrail to use server-side encryption with KMS-managed keys is the most efficient and secure method for automating the encryption of CloudTrail logs. This allows for automated key management and integration with AWS KMS, leveraging the benefits of customer-managed keys for enhanced security.
While using encrypted API endpoints ensures that API calls are secure during transmission, it does not automatically encrypt the resulting CloudTrail log entries. The encryption of log data must be handled separately, and this option does not fulfill the requirement of automating the encryption of logs.
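The correct option in practice means attaching a CMK whose key policy lets the CloudTrail service principal generate data keys, then pointing the trail at that key. The following is an added example, not code from the question source or from AWS: it builds that key policy and runs a small audit over (constructed) `describe-trails` output to flag trails still lacking a `KmsKeyId`. The account ID, trail name and key ID are placeholders.

```python
import json

# Constructed placeholder identifiers (assumed, not from the page).
ACCOUNT_ID = "123456789012"
TRAIL_ARN = f"arn:aws:cloudtrail:us-east-1:{ACCOUNT_ID}:trail/management-trail"


def cloudtrail_key_policy(account_id: str, trail_arn: str) -> dict:
    """Key policy for a CMK that CloudTrail writes with: the account keeps
    key administration, and the CloudTrail service principal may only
    generate data keys for this trail (SourceArn + encryption context)."""
    cloudtrail = {"Service": "cloudtrail.amazonaws.com"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableAccountKeyAdmin", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowCloudTrailToEncryptLogs", "Effect": "Allow",
             "Principal": cloudtrail,
             "Action": "kms:GenerateDataKey*", "Resource": "*",
             "Condition": {
                 "StringEquals": {"aws:SourceArn": trail_arn},
                 "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                f"arn:aws:cloudtrail:*:{account_id}:trail/*"}}},
            {"Sid": "AllowCloudTrailToDescribeKey", "Effect": "Allow",
             "Principal": cloudtrail,
             "Action": "kms:DescribeKey", "Resource": "*"},
        ],
    }


def trail_uses_cmk(trail: dict) -> bool:
    """One entry of `aws cloudtrail describe-trails` output is CMK-encrypted
    only when KmsKeyId is set; without it the bucket falls back to SSE-S3."""
    return bool(trail.get("KmsKeyId"))


def unencrypted_trails(trails: list) -> list:
    """Names of trails that still need `update-trail --kms-key-id <arn>`."""
    return [t["Name"] for t in trails if not trail_uses_cmk(t)]


# Constructed sample resembling describe-trails output (not a real account).
SAMPLE_TRAILS = [
    {"Name": "management-trail", "S3BucketName": "example-logs",
     "KmsKeyId": f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/00000000-0000-0000-0000-000000000000"},
    {"Name": "legacy-trail", "S3BucketName": "example-logs"},
]

if __name__ == "__main__":
    # Apply with: aws kms create-key --policy file://policy.json
    print(json.dumps(cloudtrail_key_policy(ACCOUNT_ID, TRAIL_ARN), indent=2))
    print("Trails without a CMK:", unencrypted_trails(SAMPLE_TRAILS))
```

Principals that read the logs additionally need `kms:Decrypt` on the key, which this policy deliberately leaves to a separate, narrower statement.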