
Enable Log Group Encryption at Rest Rule

This rule specifies that log group encryption at rest must be enabled for compliance.

Rule: Log group encryption at rest should be enabled
Framework: NIST 800-53 Revision 5
Severity: High

Log Group Encryption at Rest for NIST 800-53 Revision 5

Description

Log Group Encryption at Rest is a security measure that ensures log data stored within Amazon Web Services (AWS) CloudWatch Log Groups is encrypted with a KMS key associated with the log group. Enabling it protects log data from unauthorized access and supports compliance with security requirements based on the NIST 800-53 Revision 5 standard.

Troubleshooting Steps

If an issue arises with Log Group Encryption at Rest, follow these troubleshooting steps:

  1. Check the permissions: Ensure that the IAM user or role trying to enable encryption has the necessary permissions. The user/role must have the cloudwatch:CreateLogStream and cloudwatch:PutRetentionPolicy permissions, along with kms:GenerateDataKey and kms:Encrypt permissions on the KMS key associated with the log group.

  2. Verify encryption status: Use the AWS Command Line Interface (CLI) to check the encryption status of the log group with the following command (describe-log-groups filters by name prefix, so the output may list more than one group):

    aws logs describe-log-groups --log-group-name-prefix <log_group_name>

    Look for the kmsKeyId field, which should contain a valid Key Management Service (KMS) Key ID (as an ARN) associated with encryption. If the field is empty or absent, encryption with a KMS key is not enabled.

  3. Check KMS Key permissions: Ensure that the KMS Key associated with the log group has the necessary permissions. The key policy should allow the IAM user/role to perform encryption and decryption operations.

  4. Verify KMS Key availability: Ensure that the KMS Key associated with the log group is in the correct region and available for use. If the key is not accessible or has been deleted, you may encounter issues with encryption.

Necessary Codes

Below are the necessary commands for enabling Log Group Encryption at Rest:

  1. AWS CLI command to enable encryption for a log group by associating a KMS key with it:

    aws logs associate-kms-key --log-group-name <log_group_name> --kms-key-id <kms_key_arn>

    Note: Replace <log_group_name> with the name of the log group you want to encrypt and <kms_key_arn> with the ARN of the KMS key. The retention period is set separately and does not affect encryption:

    aws logs put-retention-policy --log-group-name <log_group_name> --retention-in-days <retention_days>

    Replace <retention_days> with the desired retention period for log data.

  2. AWS CLI command to create an alias for the KMS key (optional; an alias makes the key easier to identify but does not by itself link it to a log group):

    aws kms create-alias --alias-name <alias_name> --target-key-id <kms_key_id>

    Note: Replace <alias_name> with the desired alias for the KMS key and <kms_key_id> with the ARN or key ID of the KMS key.

Step-by-Step Guide for Remediation

Follow these steps to enable Log Group Encryption at Rest based on the NIST 800-53 Revision 5 standard:

  1. Identify the desired log group: Determine the log group you want to enable encryption for. Note down the log group name or make a list of log groups that require encryption.

  2. Set up KMS Key: If you haven't already, create a KMS Key in the same region as the log group and ensure its key policy allows the necessary encryption and decryption operations. Note down the key's ARN or Key ID.

  3. Enable Log Group Encryption: Use the associate-kms-key command provided earlier for each identified log group. Replace <log_group_name> with the appropriate log group name and <kms_key_arn> with the ARN of the KMS key. This step links the key to the log group and turns on encryption at rest for it.

  4. Alias the KMS Key (optional): To make the key easier to identify, use the create-alias command provided earlier. Replace <alias_name> with an alias name of your choice and <kms_key_id> with the ARN or Key ID of the KMS key.

  5. Verify Encryption Status: Use the AWS CLI command to describe the log groups and check the encryption status. Ensure that the kmsKeyId field returns the correct Key ARN associated with encryption.

  6. Test Log Group Encryption: Write logs to the log group and verify that the data is encrypted at rest. You can check the encryption status of the log data in the AWS Management Console or by using the AWS CLI command.

By following these steps, you will successfully enable Log Group Encryption at Rest for NIST 800-53 Revision 5 compliance.
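As an added example (not code from the Cloud Defense page or from AWS), the following Python script audits the JSON that describe-log-groups returns, flags every log group whose kmsKeyId is missing or points at a key in a different region than the log group, and prints the associate-kms-key command that would remediate it. The sample output, account number and key identifiers are constructed placeholders.

```python
import json
import shlex

# Constructed sample of `aws logs describe-log-groups --output json` (not real account data).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "logGroups": [
        {"logGroupName": "/aws/lambda/orders",
         "arn": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/orders:*",
         "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
        {"logGroupName": "/aws/lambda/billing",          # no kmsKeyId: non-compliant
         "arn": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/billing:*"},
        {"logGroupName": "/app/audit",                   # key in another region: non-compliant
         "arn": "arn:aws:logs:us-east-1:111122223333:log-group:/app/audit:*",
         "kmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/abcd1234-ab12-cd34-ef56-abcdef123456"},
    ]
})


def region_of(arn):
    """Region field of an ARN (arn:partition:service:region:account:resource)."""
    return arn.split(":")[3]


def audit_log_groups(describe_json):
    """Return (logGroupName, reason) for every log group failing the encryption-at-rest rule."""
    findings = []
    for group in json.loads(describe_json)["logGroups"]:
        name, key_arn = group["logGroupName"], group.get("kmsKeyId")
        if not key_arn:
            findings.append((name, "no kmsKeyId: KMS encryption at rest is not enabled"))
        elif region_of(key_arn) != region_of(group["arn"]):
            findings.append((name, f"kmsKeyId is in {region_of(key_arn)} "
                                   f"but the log group is in {region_of(group['arn'])}"))
    return findings


def remediation_command(log_group_name, kms_key_arn):
    """The associate-kms-key call that enables encryption for one log group."""
    return (f"aws logs associate-kms-key --log-group-name {shlex.quote(log_group_name)} "
            f"--kms-key-id {shlex.quote(kms_key_arn)}")


if __name__ == "__main__":
    # Placeholder ARN of the key created in the remediation steps; substitute your own.
    TARGET_KEY = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    for name, reason in audit_log_groups(SAMPLE_DESCRIBE_OUTPUT):
        print(f"NON-COMPLIANT {name}: {reason}")
        print("  remediate: " + remediation_command(name, TARGET_KEY))
```

To run against a real account, pipe the output of the describe-log-groups command into audit_log_groups instead of the constructed sample.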
