I will cover the full extent of the different S3 encryption options, in addition to how KMS works, in Chapter 16, Managing Key Infrastructure. However, at this stage, all we need to be concerned with is that it's possible to encrypt our CloudTrail log files using either an existing or new KMS key. This is a very easy feature to enable as it's simply a checkbox and a KMS key selection:
By doing so, all of your CloudTrail log data at rest will be encrypted unless you have access to the kms:decrypt action for the selected KMS key, in addition to access to the S3 bucket where your logs are stored. Adding this level of encryption ensures that only someone with access to decrypt the file can access the sensitive information that can be found within your log files. Due to the amount of information that can be contained in your CloudTrail log files, you will want to restrict access to them as much as possible, and this level of restriction...