Ensure that encryption at rest is enabled for log groups to enhance data security and compliance.
| Rule | Log group encryption at rest should be enabled |
| Framework | CISA-cyber-essentials |
| Severity | High |
Log Group Encryption at Rest with AWS KMS for CISA-Cyber-Essentials Compliance
Overview of the Rule
The CISA Cyber Essentials Toolkit emphasizes the protection of sensitive data, which includes ensuring that logs, a critical asset for monitoring and troubleshooting, are secured. Encrypting log groups at rest enhances security by protecting log data from unauthorized access. Enabling encryption with AWS Key Management Service (KMS) keys provides control and auditing capabilities over the use of encryption keys.
AWS Services Involved
Troubleshooting Steps
If you encounter issues where log group encryption is not enabled, follow these steps to troubleshoot and resolve the problem:
1. Identify Unencrypted Log Groups
Use the AWS CLI or the AWS Management Console to check the encryption status of your log groups. A log group without a KMS key ID is unencrypted.
AWS CLI command to list the names of all log groups that have no KMS key associated (JMESPath has no not() function; the `!` prefix negates the filter):
aws logs describe-log-groups --query 'logGroups[?!kmsKeyId].logGroupName' --output table
2. Verify KMS Key Policy and IAM Permissions
Make sure that the KMS key policy allows the necessary permissions for CloudWatch Logs to use the key for encryption. Additionally, check that the IAM role or user has the required permissions to assign KMS keys.
3. Review CloudWatch Logs Resource Policies
Ensure that there is no resource policy attached to the log group that might prevent the utilization of KMS encryption.
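The key-policy check in step 2 is the one that most often fails in practice: the key exists, but its policy never grants the regional CloudWatch Logs service principal the actions it needs, so associate-kms-key is rejected. The following Python is an added example, not part of this rule's documentation or any AWS tooling. It builds the key-policy statement AWS documents for CloudWatch Logs (scoped by encryption context to log groups in one account and region) and audits an existing policy document for the required grants. Region, account id and the sample policy are placeholders constructed here; the audit only inspects Allow statements and does not evaluate Condition blocks or explicit Deny statements, so treat an empty result as "no obvious gap" rather than proof.

```python
"""Build and audit the KMS key policy CloudWatch Logs needs (added example)."""
import fnmatch
import json

# Individual actions CloudWatch Logs performs with the key; the documented
# policy grants them with wildcards such as kms:ReEncrypt*.
REQUIRED_ACTIONS = (
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:GenerateDataKey",
    "kms:DescribeKey",
)


def logs_key_policy_statement(region, account_id):
    """Statement allowing logs.<region>.amazonaws.com to use the key, but only
    when the encryption context names a log group in this account/region."""
    return {
        "Sid": "AllowCloudWatchLogs",
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{region}.amazonaws.com"},
        "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:Describe*"],
        "Resource": "*",
        "Condition": {"ArnLike": {
            "kms:EncryptionContext:aws:logs:arn":
                f"arn:aws:logs:{region}:{account_id}:log-group:*"}},
    }


def logs_key_policy(region, account_id):
    """Complete policy: account-root administration plus the Logs grant.
    Pass the JSON to `aws kms create-key --policy` or `put-key-policy`."""
    root = {"Sid": "EnableKeyAdministration", "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "kms:*", "Resource": "*"}
    return {"Version": "2012-10-17",
            "Statement": [root, logs_key_policy_statement(region, account_id)]}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_services(principal):
    """Service principals named by a Principal element ('*' means anyone)."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("Service"))
    return []


def missing_logs_actions(policy, region):
    """Return the REQUIRED_ACTIONS no Allow statement grants to the regional
    CloudWatch Logs principal. Empty list: the grants are present."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    service = f"logs.{region}.amazonaws.com"
    allowed = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        services = _principal_services(stmt.get("Principal"))
        if "*" not in services and service not in services:
            continue
        patterns = _as_list(stmt.get("Action"))
        for action in REQUIRED_ACTIONS:
            if any(fnmatch.fnmatchcase(action, p) for p in patterns):
                allowed.add(action)
    return [a for a in REQUIRED_ACTIONS if a not in allowed]


# Constructed sample: the default policy of a key created without --policy,
# which grants the account root everything and CloudWatch Logs nothing.
SAMPLE_ROOT_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "kms:*", "Resource": "*"}],
})

if __name__ == "__main__":
    # Placeholder region and account id.
    print(json.dumps(logs_key_policy("us-east-1", "123456789012"), indent=2))
    print("missing:", missing_logs_actions(SAMPLE_ROOT_ONLY_POLICY, "us-east-1"))
```

To audit a real key, feed it the `Policy` string returned by `aws kms get-key-policy --key-id <key> --policy-name default` and the region the log groups live in; a non-empty result names the actions to add before retrying associate-kms-key.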
Enabling Encryption for Amazon CloudWatch Log Groups
Follow the step-by-step guide to enable encryption for your Amazon CloudWatch Log Groups:
Step 1: Create a KMS Key
If you don't already have a KMS key, create one using the AWS Management Console or AWS CLI.
AWS CLI command to create a new KMS key:
aws kms create-key --description "Key for CloudWatch Logs encryption"
Take note of the returned Key ID.
Step 2: Assign KMS Key to Log Groups
For each log group, assign the KMS key in order to enable encryption at rest.
AWS CLI command to encrypt an existing log group:
aws logs associate-kms-key --log-group-name "YourLogGroupName" --kms-key-id "YourKmsKeyId"
Replace YourLogGroupName with the name of your log group and YourKmsKeyId with the ID of your KMS key.
Step 3: Confirm Encryption
Verify that the log group is now encrypted with the KMS key.
AWS CLI command to describe a log group:
aws logs describe-log-groups --log-group-name-prefix "YourLogGroupName" --query 'logGroups[?kmsKeyId]' --output table
Final Notes on Compliance
Ensure all CloudWatch log groups are encrypted with a KMS key, and continuously monitor for compliance. Automate the process using AWS Config rules or Lambda functions to enforce and report on encryption standards periodically.
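The periodic check suggested above is small enough to run as a Lambda function. The following Python is an added example, not part of this rule's documentation or an AWS-provided function. It classifies the output of describe-log-groups into encrypted, unencrypted and "encrypted with some other key" (the last catches groups that were pointed at an old or wrong key during rotation), and can associate the expected key with the unencrypted groups when invoked with `{"remediate": true}`. The key ARN and the sample describe-log-groups response are constructed placeholders; associate-kms-key expects the key's ARN rather than its bare ID, which is why the placeholder is an ARN. boto3 is imported only inside the handler so the classification logic runs and can be tested without AWS credentials.

```python
"""Audit CloudWatch log groups for KMS encryption (added example)."""
import os

# Placeholder ARN of the symmetric KMS key from Step 1; override via env var.
TARGET_KEY_ARN = os.environ.get(
    "LOGS_KMS_KEY_ARN",
    "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000",
)

# Constructed sample in the shape of the `logGroups` list returned by
# `aws logs describe-log-groups`.
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/orders", "kmsKeyId": TARGET_KEY_ARN},
    {"logGroupName": "/aws/lambda/payments"},                 # no key at all
    {"logGroupName": "/ecs/web",                              # a different key
     "kmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"},
    {"logGroupName": "app-legacy", "kmsKeyId": ""},           # empty key id
]


def classify_log_groups(log_groups, expected_key_arn=None):
    """Split log groups by encryption state.

    A missing or empty kmsKeyId means the group is not KMS-encrypted. When
    expected_key_arn is given, groups encrypted with any other key are
    reported under 'other_key' instead of being counted as compliant.
    """
    result = {"encrypted": [], "unencrypted": [], "other_key": []}
    for group in log_groups:
        name = group["logGroupName"]
        key = group.get("kmsKeyId") or ""
        if not key:
            result["unencrypted"].append(name)
        elif expected_key_arn and key != expected_key_arn:
            result["other_key"].append(name)
        else:
            result["encrypted"].append(name)
    return result


def remediate(logs_client, names, key_arn):
    """Associate key_arn with each named group; returns the names changed.
    logs_client needs only an associate_kms_key(logGroupName=, kmsKeyId=)
    method, i.e. a boto3 CloudWatch Logs client."""
    changed = []
    for name in names:
        logs_client.associate_kms_key(logGroupName=name, kmsKeyId=key_arn)
        changed.append(name)
    return changed


def lambda_handler(event, context):
    """Lambda entry point: report, and remediate when event['remediate'] is true."""
    import boto3  # imported here so the pure functions above run without the SDK
    logs = boto3.client("logs")
    groups = []
    for page in logs.get_paginator("describe_log_groups").paginate():
        groups.extend(page.get("logGroups", []))
    report = classify_log_groups(groups, TARGET_KEY_ARN)
    if event.get("remediate"):
        report["remediated"] = remediate(logs, report["unencrypted"], TARGET_KEY_ARN)
    return report


if __name__ == "__main__":
    print(classify_log_groups(SAMPLE_LOG_GROUPS, TARGET_KEY_ARN))
```

The execution role for the handler needs logs:DescribeLogGroups, plus logs:AssociateKmsKey for remediation; the key policy must already grant the CloudWatch Logs service principal use of the key, or the associate call fails. Groups listed under other_key are not touched automatically, since re-keying a group is a deliberate change rather than a compliance fix.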
By following these guidelines, you will not only adhere to CISA Cyber Essentials but also establish a sound security practice for log management, thus enhancing your data protection and complying with relevant regulations.