
Ensure CloudTrail logs are encrypted at rest using KMS CMKs

This rule ensures that CloudTrail logs are encrypted using KMS CMKs for enhanced security

Rule: Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Framework: cis_v130
Severity: Medium

Ensure CloudTrail Logs are Encrypted at Rest using KMS CMKs for CIS v1.3.0

CloudTrail is an AWS service that records API calls made in your AWS account and delivers log files to an S3 bucket. Because those files contain account IDs, principal names, IP addresses and request parameters, encryption at rest protects them from unauthorized access and helps meet compliance requirements. Version 1.3.0 of the Center for Internet Security (CIS) AWS Foundations Benchmark recommends encrypting CloudTrail logs with an AWS Key Management Service (KMS) Customer Master Key (CMK), the key type AWS now calls a customer managed key.

Rule Description

CloudTrail logs should be encrypted using KMS CMKs to ensure that sensitive information is secured. By default CloudTrail delivers log files with S3-managed encryption (SSE-S3), which gives you no control over the key. Using a CMK instead provides:

  • Audit capability for key usage
  • Fine-grained access control
  • The ability to disable and revoke keys

According to CIS v1.3.0, the recommended practice is to configure every trail to use a KMS CMK instead of the default SSE-S3 encryption.

Troubleshooting Steps

If CloudTrail logs aren't encrypted with KMS CMKs, follow these steps to identify and remediate the issue:

  1. Identify Unencrypted CloudTrail Logs: Use the AWS Management Console or the AWS CLI (aws cloudtrail describe-trails --include-shadow-trails) to list all trails; a trail that has no KmsKeyId in the output is still using the default SSE-S3 encryption.

  2. Verify Encryption for Each Trail: For each trail that reports a KmsKeyId, confirm with aws kms describe-key that the key is a customer managed key in your account and that it is enabled.

  3. Assess KMS Key Policies: Ensure the key policy lets the CloudTrail service principal (cloudtrail.amazonaws.com) call kms:GenerateDataKey* and kms:DescribeKey, and lets the principals who read the logs call kms:Decrypt. Without the first grant, update-trail is rejected with InsufficientEncryptionPolicyException; without the second, the encrypted log files cannot be read.

If the logs are not encrypted with KMS CMKs, proceed to the remediation steps.
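The first troubleshooting step, as an added example that is not part of the original page: the script below reads the JSON returned by `aws cloudtrail describe-trails` (a constructed sample with placeholder account ID, trail names and key ARN is embedded so it runs offline) and reports every trail that has no KmsKeyId, i.e. every trail still using the default SSE-S3 encryption.

```python
"""Audit `aws cloudtrail describe-trails` output for trails that are not
encrypted with a KMS customer managed key.

Added example. Run it offline on the constructed sample below, or pipe real
output in:  aws cloudtrail describe-trails --include-shadow-trails | python3 audit_trails.py
"""
import json
import sys

# Constructed sample shaped like a describe-trails response. The account ID,
# trail names, bucket names and key ARN are placeholders for illustration.
SAMPLE_DESCRIBE_TRAILS = json.loads("""
{
  "trailList": [
    {
      "Name": "org-trail",
      "S3BucketName": "example-org-cloudtrail-logs",
      "HomeRegion": "us-east-1",
      "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail",
      "IsMultiRegionTrail": true,
      "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1111aaaa-2222-bbbb-3333-cccc4444dddd"
    },
    {
      "Name": "legacy-trail",
      "S3BucketName": "example-legacy-logs",
      "HomeRegion": "us-west-2",
      "TrailARN": "arn:aws:cloudtrail:us-west-2:123456789012:trail/legacy-trail",
      "IsMultiRegionTrail": false
    }
  ]
}
""")


def unencrypted_trails(describe_trails_response):
    """Return one finding per trail whose KmsKeyId is absent or empty.

    describe-trails omits KmsKeyId entirely when no key is configured, so a
    missing key means the trail's log files are only SSE-S3 encrypted.
    """
    findings = []
    for trail in describe_trails_response.get("trailList", []):
        if not trail.get("KmsKeyId"):
            findings.append(
                {
                    "Name": trail["Name"],
                    "TrailARN": trail["TrailARN"],
                    "HomeRegion": trail.get("HomeRegion"),
                    "Reason": "no KmsKeyId: log files use default SSE-S3 encryption",
                }
            )
    return findings


def compliance_report(describe_trails_response):
    """Summarise the audit as (number of trails inspected, non-compliant names)."""
    trails = describe_trails_response.get("trailList", [])
    bad = [f["Name"] for f in unencrypted_trails(describe_trails_response)]
    return len(trails), bad


if __name__ == "__main__":
    # Use real describe-trails output when it is piped in, else the sample.
    data = SAMPLE_DESCRIBE_TRAILS if sys.stdin.isatty() else json.load(sys.stdin)
    total, bad = compliance_report(data)
    print(f"{total} trail(s) inspected, {len(bad)} without a KMS CMK: {bad}")
    # Non-zero exit lets a CI job or cron check fail on a finding.
    sys.exit(1 if bad else 0)
```

On the sample the report is 2 trails inspected with legacy-trail flagged. Passing --include-shadow-trails matters for multi-region trails, since the replicas in other regions are what a regional audit would otherwise miss.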

Remediation Step by Step Guide

To encrypt CloudTrail logs using KMS CMKs, follow the steps below:

Step 1: Create a New KMS CMK

If you do not have a suitable KMS CMK already, create one. The key policy can be supplied here at creation time, or applied afterwards as shown in Step 2:

aws kms create-key --description "CloudTrail KMS CMK" --policy "Key policy JSON"

Step 2: Apply the Key Policy

Attach a policy to the KMS CMK that allows the CloudTrail service principal (cloudtrail.amazonaws.com) to call kms:GenerateDataKey* and kms:DescribeKey, and that allows the principals who need to read the logs to call kms:Decrypt. The policy name must be "default", as it is the only key policy name KMS supports.

aws kms put-key-policy --key-id <key-id> --policy-name default --policy "Key policy JSON"

Replace <key-id> with your key ID and "Key policy JSON" with your specific policy.

Step 3: Update CloudTrail to Use the KMS CMK

For each trail, update the settings to use the KMS CMK for encryption. The --kms-key-id value may be a key ID, key ARN, alias name or alias ARN. CloudTrail validates the key policy during this call, so an update rejected with InsufficientEncryptionPolicyException means Step 2 is incomplete.

aws cloudtrail update-trail --name <trailname> --kms-key-id <key-id>

Replace <trailname> with the name of your trail and <key-id> with the CMK ID.

AWS CLI Commands

Here's a condensed reference of AWS CLI commands to implement the above steps:

# Create a KMS Customer Master Key
aws kms create-key --description "CloudTrail encryption key"

# Attach a key policy to the CMK to allow CloudTrail access
aws kms put-key-policy --key-id [key-id] --policy-name default --policy file://policy.json

# Update the CloudTrail trail to use the KMS CMK
aws cloudtrail update-trail --name [your-trail-name] --kms-key-id [key-id]
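The key policy that Steps 1 to 3 assume, as an added example that is not Cloud Defense's or AWS's own code: the script builds a policy.json for a given account, region and trail (all three are placeholders here), following the statement structure CloudTrail documents for KMS-encrypted log files, and includes a check that implements Troubleshooting step 3 against any existing key policy fetched with aws kms get-key-policy.

```python
"""Generate a CloudTrail-compatible KMS key policy and check an existing
policy for the grant CloudTrail needs.

Added example. ACCOUNT_ID, REGION and TRAIL_NAME are placeholders; the
statement layout follows the CloudTrail documentation for encrypting log
files with a KMS key.
"""
import json

ACCOUNT_ID = "123456789012"   # placeholder account ID
REGION = "us-east-1"          # placeholder: the trail's home region
TRAIL_NAME = "org-trail"      # placeholder trail name


def cloudtrail_key_policy(account_id, region, trail_name):
    """Return a key policy document (dict) ready for `aws kms put-key-policy`."""
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    # CloudTrail encrypts with the encryption context aws:cloudtrail:arn set
    # to the trail ARN. Conditioning on it stops the grant being reused for
    # anything other than this account's trail log files.
    encryption_context = {
        "kms:EncryptionContext:aws:cloudtrail:arn": f"arn:aws:cloudtrail:*:{account_id}:trail/*"
    }
    return {
        "Version": "2012-10-17",
        "Id": "cloudtrail-log-encryption",
        "Statement": [
            {   # Keep the account root able to administer the key.
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # The grant update-trail validates: CloudTrail must be able to
                # generate data keys, and only for this trail.
                "Sid": "AllowCloudTrailToEncryptLogs",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "kms:GenerateDataKey*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"aws:SourceArn": trail_arn},
                    "StringLike": encryption_context,
                },
            },
            {
                "Sid": "AllowCloudTrailToDescribeKey",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "kms:DescribeKey",
                "Resource": "*",
            },
            {   # Readers of the log files need Decrypt; scope it to callers
                # in this account and to CloudTrail's encryption context.
                "Sid": "AllowAccountPrincipalsToDecryptLogs",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"kms:CallerAccount": account_id},
                    "StringLike": encryption_context,
                },
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows_cloudtrail(policy):
    """True if an Allow statement grants cloudtrail.amazonaws.com a
    kms:GenerateDataKey permission (the check in Troubleshooting step 3)."""
    wanted = ("kms:*", "kms:GenerateDataKey*", "kms:GenerateDataKey")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action", []))
        if "cloudtrail.amazonaws.com" in services and any(a in wanted for a in actions):
            return True
    return False


if __name__ == "__main__":
    policy = cloudtrail_key_policy(ACCOUNT_ID, REGION, TRAIL_NAME)
    with open("policy.json", "w") as fh:
        json.dump(policy, fh, indent=2)
    print("wrote policy.json; apply it and switch the trail over with:")
    print("  aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json")
    print(f"  aws cloudtrail update-trail --name {TRAIL_NAME} --kms-key-id <key-id>")
```

To audit an existing key, feed the document from aws kms get-key-policy --key-id <key-id> --policy-name default --output text into policy_allows_cloudtrail; a False result is the condition under which update-trail fails with InsufficientEncryptionPolicyException.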

Conclusion

Applying these configurations helps ensure that your AWS environment aligns with the CIS v1.3.0 benchmark for CloudTrail log encryption. Re-run the trail audit periodically and review the KMS key's policy, rotation setting and CloudTrail-logged usage, since a trail recreated without --kms-key-id or a key policy edited to drop the CloudTrail grant silently returns the logs to default encryption or breaks delivery.
