
Rule: Log Group Encryption at Rest Should be Enabled

This rule ensures log group encryption at rest is enabled for enhanced security.

Rule: Log group encryption at rest should be enabled
Framework: NIST 800-171 Revision 2
Severity: High

Log Group Encryption at Rest - NIST 800-171 Revision 2

Rule Description:

Log Group Encryption at Rest is a security measure that protects sensitive data stored in AWS CloudWatch Logs by encrypting each log group with an AWS KMS key associated to it. Enabling Log Group Encryption at Rest helps organizations comply with the NIST 800-171 Revision 2 security standard. This rule mandates that log data be encrypted to prevent unauthorized access and to maintain data confidentiality.

Troubleshooting Steps:

If Log Group Encryption at Rest is not enabled, you may encounter the following issues:

  1. Non-compliance with NIST 800-171 Revision 2.
  2. Increased risk of data breaches or unauthorized access to log data.
  3. Failure to meet security audit requirements.

Necessary Codes:

To enable Log Group Encryption at Rest for CloudWatch Logs, associate an AWS KMS key with the log group. The following code can be used:

  1. AWS CLI Command:

# Associates a KMS key with the log group; from then on CloudWatch Logs encrypts
# the group's data with that key. The key must be in the same region as the log
# group, and its key policy must allow the logs.<region>.amazonaws.com service
# principal to use it, otherwise the call is rejected.
aws logs associate-kms-key \
  --log-group-name <log-group> \
  --kms-key-id arn:aws:kms:<region>:<account-id>:key/<kms-key-id>

Step-by-Step Guide for Remediation:

  1. Open the AWS CLI or any suitable command-line tool.
  2. Authenticate your AWS credentials using appropriate commands or methods.
  3. Run the following command to enable Log Group Encryption at Rest:

# Associates a KMS key with the log group; the key must be in the same region
# as the log group and its key policy must allow logs.<region>.amazonaws.com
# to use it.
aws logs associate-kms-key \
  --log-group-name <log-group> \
  --kms-key-id arn:aws:kms:<region>:<account-id>:key/<kms-key-id>

  4. Replace <region> with the AWS region where your CloudWatch Logs are located.
  5. Replace <account-id> with your AWS account ID.
  6. Replace <log-group> with the name of the specific log group you want to enable encryption for.
  7. Replace <kms-key-id> with the ID of the KMS key that should encrypt the log group (its key policy must grant the logs.<region>.amazonaws.com service principal the kms:Encrypt*, kms:Decrypt*, kms:ReEncrypt*, kms:GenerateDataKey* and kms:Describe* actions).
  8. Execute the command.
  9. Verify that Log Group Encryption at Rest is enabled by checking the encryption status in the AWS Management Console or by running aws logs describe-log-groups --log-group-name-prefix <log-group> and confirming that the kmsKeyId field shows the key ARN.
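The following Python is an added example, not part of this rule page or of Cloud Defense's tooling. It runs the same check the rule performs over the JSON that aws logs describe-log-groups returns, verifies that a KMS key policy grants the CloudWatch Logs service principal the actions it needs before the key is associated, and prints the remediation command for each non-compliant log group. The sample output, account ID and key ID below are constructed placeholders.

```python
import fnmatch

# Actions the CloudWatch Logs service principal must be allowed on the KMS key;
# without them associate-kms-key is rejected and log ingestion fails.
REQUIRED_KMS_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt",
                        "kms:GenerateDataKey", "kms:Describe")

# Constructed sample of `aws logs describe-log-groups` output (placeholder ids).
SAMPLE_DESCRIBE = {"logGroups": [
    {"logGroupName": "/aws/lambda/orders",
     "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"logGroupName": "/app/payments"},  # no kmsKeyId: fails the rule
]}
# Constructed sample key policy (`aws kms get-key-policy --policy-name default`).
SAMPLE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"Service": "logs.us-east-1.amazonaws.com"},
     "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:Describe*"], "Resource": "*"},
]}

def unencrypted_log_groups(describe_output):
    """Names of log groups with no KMS key associated (the rule's failing case)."""
    return [g["logGroupName"] for g in describe_output.get("logGroups", [])
            if not g.get("kmsKeyId")]

def _allows(statement_actions, required):
    """True if an action pattern in the statement (e.g. 'kms:Encrypt*') covers `required`."""
    actions = [statement_actions] if isinstance(statement_actions, str) else statement_actions
    return any(fnmatch.fnmatchcase(required, pattern) for pattern in actions)

def key_policy_allows_logs(policy, region):
    """True if an Allow statement grants logs.<region>.amazonaws.com every required action.
    Only Service principals count: an account-root grant does not cover the service."""
    service = f"logs.{region}.amazonaws.com"
    for st in policy.get("Statement", []):
        principal = st.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        if st.get("Effect") == "Allow" and service in services:
            if all(_allows(st.get("Action", []), a) for a in REQUIRED_KMS_ACTIONS):
                return True
    return False

def remediation_commands(describe_output, kms_key_arn):
    """One associate-kms-key command per non-compliant log group."""
    return [f"aws logs associate-kms-key --log-group-name {n} --kms-key-id {kms_key_arn}"
            for n in unencrypted_log_groups(describe_output)]
```

Feed it the real describe-log-groups JSON for each region, and run the key policy check for the region of the log group, since a key in another region cannot be associated.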

Notes:

Enabling Log Group Encryption at Rest ensures that log data stored in CloudWatch Logs remains encrypted and secure. It helps organizations meet the requirements of the NIST 800-171 Revision 2 security standard and protects sensitive data from unauthorized access.

Conclusion:

Enabling Log Group Encryption at Rest for CloudWatch Logs is essential for compliance with NIST 800-171 Revision 2. By following the provided troubleshooting steps and utilizing the necessary code snippets, organizations can ensure the security and confidentiality of log data stored in AWS CloudWatch Logs.
