
Rule: CloudTrail Trail Logs Encrypted with KMS CMK

This rule ensures that CloudTrail trail logs are encrypted with KMS CMK for enhanced security.

Rule: CloudTrail trail logs should be encrypted with KMS CMK
Framework: NIST 800-171 Revision 2
Severity: Critical

Rule Description:

All CloudTrail trail logs should be encrypted using AWS Key Management Service (KMS) Customer Master Key (CMK) for NIST 800-171 Revision 2 compliance. Encrypting the trail logs ensures the confidentiality and integrity of the log data for compliance and security purposes.

Remediation Steps:

  1. Identify the existing CloudTrail trails in your AWS account that are not encrypted with a KMS CMK. This can be done by reviewing the CloudTrail configuration for each trail.

  2. Create a new KMS CMK if one does not already exist. This can be done through the AWS Management Console or by using the AWS Command Line Interface (CLI) with the following command:

     aws kms create-key

  3. Enable encryption for each CloudTrail trail that does not already have encryption enabled. This can be done through the AWS Management Console or by using the AWS CLI with the following command:

     aws cloudtrail update-trail --name <trail_name> --kms-id <kms_key_id>

     Replace <trail_name> with the name of the CloudTrail trail and <kms_key_id> with the ARN of the KMS CMK.

  4. Verify that encryption is enabled for each CloudTrail trail. This can be done by reviewing the CloudTrail configuration or by using the AWS CLI command:

     aws cloudtrail describe-trails --trail-name-list <trail_name>

     Replace <trail_name> with the name of the CloudTrail trail.

  5. Ensure that the CMK used for encryption is compliant with NIST 800-171 Revision 2. This can be verified by reviewing the key policy settings in the AWS Management Console or by using the AWS CLI command:

     aws kms get-key-policy --key-id <kms_key_id> --policy-name default

     Replace <kms_key_id> with the ARN of the KMS CMK.

  6. Monitor the CloudTrail trails to ensure that new trails are automatically encrypted with the designated KMS CMK.
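The following is an added example, not code from the Cloud Defense rule page: it applies the checks from the steps above (find trails without a KMS key, confirm the KmsKeyId is set, inspect the key policy) to the JSON that `aws cloudtrail describe-trails` and `aws kms get-key-policy` return. The trail list and key policy are constructed samples, and the account ID and key ID in them are placeholders; the key-policy check looks for the kms:GenerateDataKey* grant to cloudtrail.amazonaws.com that CloudTrail needs before it can write encrypted logs with a CMK.

```python
"""Audit CloudTrail trails for KMS CMK encryption from AWS CLI JSON output."""
import json

# Constructed sample in the shape of `aws cloudtrail describe-trails` output.
# One trail has a KmsKeyId (CMK ARN), one does not.
SAMPLE_TRAILS = json.loads("""{"trailList": [
  {"Name": "org-trail",
   "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"},
  {"Name": "legacy-trail",
   "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-trail"}
]}""")

# Constructed sample of the `Policy` field from `aws kms get-key-policy` (a JSON string).
SAMPLE_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "kms:GenerateDataKey*", "Resource": "*",
     "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                  "arn:aws:cloudtrail:*:111122223333:trail/*"}}}]})


def unencrypted_trails(describe_trails_output):
    """Names of trails whose KmsKeyId is absent or empty (the trails to remediate)."""
    return [t["Name"] for t in describe_trails_output["trailList"] if not t.get("KmsKeyId")]


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def cloudtrail_can_use_key(policy_json):
    """True if an Allow statement lets cloudtrail.amazonaws.com generate data keys.

    Without this grant, update-trail fails or the trail cannot deliver encrypted logs,
    which is the usual cause of the "encryption not enabled" troubleshooting case."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        if "cloudtrail.amazonaws.com" in services and any(
                a in ("kms:*", "kms:GenerateDataKey*", "kms:GenerateDataKey") for a in actions):
            return True
    return False
```

Run the two CLI commands, feed their output to these functions, and any name returned by unencrypted_trails (or a False from cloudtrail_can_use_key) marks a trail or key that still needs the remediation above.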

Troubleshooting Steps:

  1. If the AWS CLI commands return errors, make sure that you have the necessary permissions to update and describe CloudTrail trails and KMS keys. Check your IAM user or role permissions and policies.

  2. If encryption is not enabled after running the update-trail command, check that the provided KMS CMK is valid and accessible. Ensure that the IAM user or role has the necessary permissions to use the KMS CMK.

  3. If the compliance verification fails for the KMS CMK, review the key policy settings and update them to meet the requirements of NIST 800-171 Revision 2.

  4. If you encounter any other issues or errors, refer to the AWS documentation or seek assistance from AWS Support to troubleshoot and resolve the problem.

Additional Notes:

  • It is recommended to regularly review and update the encryption settings for CloudTrail trails as new best practices and compliance requirements may arise.

  • Ensure that the KMS CMK used for CloudTrail encryption is securely managed and rotated according to your organization's security policies.
