{"id":"cloudtrail-sse-kms-enabled-by-default","text":"CloudTrail trail log file encryption uses SSE-KMS by default (not SSE-S3) when creating a trail.","truth_value":"IN","source":"entries/2026/03/12/awscloudtrail-latest-userguide-cloudtrail-create-a-trail-using-the-console-first.md","source_url":"","source_hash":"7f20607408e6098d","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"cloudtrail-sse-kms-enabled-by-default","truth_value":"IN","reason":"premise"}]}}