CloudTrail logs should be encrypted at rest to protect the sensitive data they contain. CloudTrail records all activity that occurs in the account through API calls, so its logs are one of the first places to look when reacting to a breach.
If the logs are compromised, the data can be freely read.
To resolve this, enable encryption at rest.
The following example will fail the aws-cloudtrail-enable-at-rest-encryption check.
The following example will pass the aws-cloudtrail-enable-at-rest-encryption check.
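Both cases in one Terraform file, as an added example that is not the check's own documentation sample. It assumes the check keys on the `kms_key_id` argument of `aws_cloudtrail`; the resource names, trail names and bucket name are placeholders, and the bucket is assumed to exist already.

```hcl
# Added example: all names below are placeholders.
data "aws_caller_identity" "current" {}

# Fails the check: no kms_key_id, so log files are not encrypted with a KMS key.
resource "aws_cloudtrail" "fails_check" {
  name                  = "example-trail-unencrypted"
  s3_bucket_name        = "example-cloudtrail-bucket" # placeholder
  is_multi_region_trail = true
}

# Customer-managed key that CloudTrail is allowed to use for log encryption.
resource "aws_kms_key" "cloudtrail" {
  description         = "CloudTrail log file encryption"
  enable_key_rotation = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Keeps the key manageable by the owning account.
        Sid       = "AccountAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # Lets the CloudTrail service generate data keys to encrypt log files.
        Sid       = "CloudTrailEncrypt"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = ["kms:GenerateDataKey*", "kms:DescribeKey"]
        Resource  = "*"
      }
    ]
  })
}

# Passes the check: kms_key_id points at the key above.
resource "aws_cloudtrail" "passes_check" {
  name                  = "example-trail-encrypted"
  s3_bucket_name        = "example-cloudtrail-bucket" # placeholder
  is_multi_region_trail = true
  kms_key_id            = aws_kms_key.cloudtrail.arn
}
```

Principals that read the logs during an investigation also need `kms:Decrypt` on the key, which the account-level statement here delegates to IAM policies.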