Rule: CloudTrail Trail Logs Encrypted with KMS CMK
This rule ensures that CloudTrail trail logs are encrypted with KMS CMK for added security measures.
| Rule | CloudTrail trail logs should be encrypted with KMS CMK |
| Framework | General Data Protection Regulation (GDPR) |
| Severity | ✔ Critical |
Rule Description:
CloudTrail trail logs should be encrypted with a Key Management Service (KMS) Customer Master Key (CMK) for compliance with the General Data Protection Regulation (GDPR). Encrypting the trail logs ensures that sensitive information contained within the logs is protected and in accordance with GDPR requirements.
Troubleshooting Steps:
If the CloudTrail trail logs are not encrypted with a KMS CMK, follow these troubleshooting steps:
- 1.
Verify if the CloudTrail trail logs are currently encrypted or not. You can do this by navigating to the AWS Management Console and accessing the CloudTrail service.
- 2.
Select the specific trail for which you want to check the encryption status.
- 3.
Under the "Trail details" tab, locate the "Log file encryption" section. If it shows "None" or any other encryption option other than "AWS Key Management Service (AWS KMS)", the trail logs are not encrypted according to the desired rule.
- 4.
If the logs are not encrypted, proceed to the remediation steps below.
Remediation Steps:
To encrypt the CloudTrail trail logs with a KMS CMK, follow these steps:
- 1.
Open the AWS Management Console and navigate to the CloudTrail service.
- 2.
Select the specific trail that needs to be encrypted.
- 3.
Under the "Trail details" tab, locate the "Log file encryption" section and click on the "Edit" button.
- 4.
In the encryption options, select "AWS Key Management Service (AWS KMS)".
- 5.
Choose the desired KMS Customer Master Key (CMK) from the dropdown list. If you don't have a CMK created, click on "Create a new KMS key" and follow the prompts to create a new CMK.
- 6.
Once you have selected a CMK, click on "Save" to enable log file encryption for the trail.
- 7.
Verify that the encryption status now shows "AWS Key Management Service (AWS KMS)".
- 8.
It is recommended to test the CloudTrail configuration by generating some sample log events and ensuring that they are encrypted and can be decrypted correctly.
Code Examples (CLI):
If you prefer using AWS Command Line Interface (CLI) for remediation, you can use the following command to enable log file encryption for a specific CloudTrail trail:
aws cloudtrail update-trail --name <trail-name> --kms-id <kms-key-id>
Replace
<trail-name><kms-key-id>Remember to replace the placeholders with appropriate values according to your environment.
Conclusion:
By following the above steps and ensuring that CloudTrail trail logs are encrypted with a KMS CMK, you can meet the requirements of the General Data Protection Regulation (GDPR) related to data encryption.