
Rule: Log Group Encryption at Rest Should Be Enabled

This rule ensures that log group encryption at rest is properly enabled to enhance data security.

Rule: Log group encryption at rest should be enabled
Framework: RBI Cyber Security Framework
Severity: High

Log Group Encryption at Rest

Description:

Enabling encryption at rest for log groups is a crucial security measure to protect sensitive data stored in Amazon Web Services (AWS) CloudWatch Logs. In the context of the RBI (Reserve Bank of India) Cyber Security Framework, it is important to ensure that log groups are encrypted to comply with the regulatory requirements and safeguard log data against unauthorized access.

Enabling encryption at rest provides an additional layer of protection, ensuring that log data remains secure even if an unauthorized entity gains access to the underlying storage infrastructure.

Remediation:

To enable encryption at rest for log groups in AWS CloudWatch Logs, follow the step-by-step guide below:

  1. Identify the log group(s) that need to be encrypted.

     • List all the log groups in your AWS account to identify the target log groups.

  2. Create a new AWS Key Management Service (KMS) key or choose an existing key.

     • If you want to create a new KMS key, follow the AWS documentation to create a new customer-managed key in the Key Management Service.

  3. Configure the log group encryption settings.

     • Navigate to the AWS CloudWatch console.
     • Select the target log group(s) that need to be encrypted.
     • Click on the "Actions" button and choose "Edit log group settings."
     • Under "Log group encryption," select the option to enable encryption.
     • Choose the KMS key you created or an existing key to use for encryption.
     • Click "Save."

  4. Verify encryption at rest.

     • After enabling encryption, verify that the log group(s) are encrypted.
     • Select the encrypted log group(s) in the CloudWatch console.
     • Click on "View log events" to confirm encryption.

Troubleshooting Steps (if applicable):

If you encounter any issues during the above remediation steps, refer to the following troubleshooting guidelines:

  1. Ensure proper IAM permissions:

     • Ensure that you have the necessary IAM permissions to enable encryption at rest for log groups.
     • Verify that your IAM user or role has the required permissions to modify log group settings and access KMS keys.

  2. Correct KMS key:

     • Make sure that the chosen KMS key exists and is accessible by your AWS account.
     • Confirm that the key policy grants the necessary permissions to CloudWatch Logs to utilize the key for encryption.

  3. Log group configuration:

     • Double-check that you have selected the correct log group(s) for encryption.
     • Ensure that the log group(s) are not already encrypted or associated with a different KMS key.

If the troubleshooting steps do not resolve the issue, refer to AWS documentation or seek assistance from AWS support for further investigation.

Code (if applicable):

There is no specific code snippet required for this remediation process as it involves using the AWS Management Console to enable encryption at rest for log groups.
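For accounts with many log groups, the same check and fix can be scripted. The following is an added example, not part of the original rule page or Cloud Defense's own tooling: it reads the JSON that `aws logs describe-log-groups` returns (a constructed sample is embedded), lists the log groups with no `kmsKeyId`, builds the KMS key policy statement that troubleshooting step 2 refers to (the CloudWatch Logs service principal scoped to one log group via the `aws:logs:arn` encryption context), and emits the `aws logs associate-kms-key` command for step 3. Region, account ID and key ARN are placeholder values.

```python
import json

# Constructed sample of `aws logs describe-log-groups` output (placeholder account and key IDs).
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{
  "logGroups": [
    {"logGroupName": "/aws/lambda/payments",
     "arn": "arn:aws:logs:ap-south-1:111122223333:log-group:/aws/lambda/payments:*",
     "kmsKeyId": "arn:aws:kms:ap-south-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"logGroupName": "/app/core-banking",
     "arn": "arn:aws:logs:ap-south-1:111122223333:log-group:/app/core-banking:*"}
  ]
}
""")


def unencrypted_log_groups(describe_output):
    """Return names of log groups that have no customer-managed KMS key attached (the finding)."""
    return [g["logGroupName"] for g in describe_output.get("logGroups", [])
            if not g.get("kmsKeyId")]


def logs_key_policy_statement(region, account_id, log_group_name):
    """Key policy statement that lets the CloudWatch Logs service principal use the key,
    restricted to the named log group through the aws:logs:arn encryption context."""
    return {
        "Sid": "AllowCloudWatchLogsUseOfKey",
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{region}.amazonaws.com"},
        "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:Describe*"],
        "Resource": "*",
        "Condition": {"ArnEquals": {
            "kms:EncryptionContext:aws:logs:arn":
                f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}"}},
    }


def associate_command(log_group_name, key_arn):
    """CLI equivalent of remediation step 3 for a single log group."""
    return f"aws logs associate-kms-key --log-group-name {log_group_name} --kms-key-id {key_arn}"


if __name__ == "__main__":
    key_arn = "arn:aws:kms:ap-south-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
    for name in unencrypted_log_groups(SAMPLE_DESCRIBE_OUTPUT):
        print(json.dumps(logs_key_policy_statement("ap-south-1", "111122223333", name), indent=2))
        print(associate_command(name, key_arn))
```

Re-running `describe-log-groups` after association and confirming every group now carries a `kmsKeyId` is the scripted form of verification step 4.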

Conclusion:

Enabling encryption at rest for log groups in AWS CloudWatch Logs aligns with the RBI Cyber Security Framework requirements. By following the provided step-by-step guide, you can secure sensitive log data and ensure compliance with regulatory standards. Remember to verify encryption status after enabling it and troubleshoot any issues that may arise.
