
Ensure CloudTrail Logs Encrypted at Rest Rule

This rule ensures that CloudTrail log files are encrypted at rest with a KMS key you control, rather than only the default Amazon S3-managed encryption (SSE-S3), so that reading the logs requires KMS decrypt permission in addition to S3 access.

Rule: Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Framework: cis_v140
Severity: Medium

Rule Description:

This rule checks that every CloudTrail trail in your AWS account delivers log files encrypted at rest with server-side encryption using an AWS Key Management Service (KMS) customer managed key (CMK, now called a "KMS key" in AWS documentation), as required by control 3.7 of the Center for Internet Security (CIS) AWS Foundations Benchmark version 1.4.0. A trail with no KMS key configured is non-compliant even though CloudTrail still encrypts its objects with SSE-S3 by default.

Remediation:

Step 1: Launch the AWS Management Console

Navigate to the AWS Management Console at https://console.aws.amazon.com/.

Step 2: Open the CloudTrail service

Open the AWS CloudTrail service by searching for "CloudTrail" in the AWS Management Console search bar and selecting it from the results.

Step 3: Choose your CloudTrail trail

Choose the CloudTrail trail for which you want to enable encryption at rest.

Step 4: Open the trail for editing

On the trail's details page, in the "General details" section, click "Edit".

Step 5: Enable SSE-KMS encryption

Under "Log file SSE-KMS encryption", select the "Enabled" checkbox.

Step 6: Select a KMS key for encryption

Under "Customer managed AWS KMS key", either choose "New" to have CloudTrail create a key and the required key policy for you, or choose "Existing" and enter the alias or ARN of a key in the same Region as the trail's S3 bucket. An existing key's policy must allow the cloudtrail.amazonaws.com service principal the actions kms:GenerateDataKey* and kms:DescribeKey, and anyone who needs to read the logs must be allowed kms:Decrypt; without the CloudTrail permissions the trail cannot be saved.

Step 7: Save the changes

Click "Save changes". CloudTrail encrypts log files delivered from this point on with the selected key; objects already in the bucket keep the encryption they were delivered with (SSE-S3 by default).

Verification:

To verify that CloudTrail logs are encrypted at rest using KMS CMKs, follow these steps:

Step 1: Launch the AWS Management Console

Navigate to the AWS Management Console at https://console.aws.amazon.com/.

Step 2: Open the CloudTrail service

Open the AWS CloudTrail service by searching for "CloudTrail" in the AWS Management Console search bar and selecting it from the results.

Step 3: Choose your CloudTrail trail

Choose the CloudTrail trail for which you enabled encryption at rest.

Step 4: Verify encryption settings

In the trail's "General details" section, confirm that "Log file SSE-KMS encryption" shows "Enabled" and that the expected KMS key alias or ARN is displayed. From the CLI, aws cloudtrail describe-trails --trail-name-list <trail-name> should return a non-empty "KmsKeyId" for the trail.

Step 5: Verify CloudTrail log file encryption in S3

Open the trail's S3 bucket and inspect a log object delivered after the change (or run aws s3api head-object on it). Its server-side encryption should be "AWS KMS (SSE-KMS)" with the same key ID. Objects delivered before the change will still show SSE-S3; only new deliveries are affected.

If the trail reports a KMS key and newly delivered log files show SSE-KMS with that key, CloudTrail log encryption at rest is successfully implemented.
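The check below is an added example, not code from this rule page or from the Cloud Defense product. It evaluates the rule offline over constructed sample JSON in the shape of "aws cloudtrail describe-trails" output, and also inspects a constructed KMS key policy to confirm it grants the CloudTrail service principal the actions the remediation above depends on (kms:GenerateDataKey* and kms:DescribeKey), so a missing permission is caught before the trail update fails. The account ID, trail names, bucket names and key ID are made up.

```python
"""Offline check for CIS 1.4.0 control 3.7: CloudTrail log files encrypted
at rest with a KMS key. Added example, not code from the rule page; all
account IDs, trail names, bucket names and key IDs are constructed."""
import json

# Constructed sample in the shape of `aws cloudtrail describe-trails --output json`.
# "org-trail" has SSE-KMS enabled (KmsKeyId present); "legacy-trail" does not.
DESCRIBE_TRAILS = json.loads("""
{"trailList": [
  {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": true,
   "S3BucketName": "example-cloudtrail-logs",
   "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"},
  {"Name": "legacy-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": false,
   "S3BucketName": "example-legacy-logs",
   "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-trail"}
]}
""")

# Constructed sample key policy with the statements CloudTrail requires,
# modelled on the AWS documentation's CloudTrail key policy: the service
# principal may generate data keys only for trails in this account and may
# describe the key; principals in the account may decrypt the log files.
KEY_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "AllowCloudTrailEncrypt", "Effect": "Allow",
   "Principal": {"Service": "cloudtrail.amazonaws.com"},
   "Action": "kms:GenerateDataKey*", "Resource": "*",
   "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                "arn:aws:cloudtrail:*:111122223333:trail/*"}}},
  {"Sid": "AllowCloudTrailDescribeKey", "Effect": "Allow",
   "Principal": {"Service": "cloudtrail.amazonaws.com"},
   "Action": "kms:DescribeKey", "Resource": "*"},
  {"Sid": "AllowAccountDecrypt", "Effect": "Allow",
   "Principal": {"AWS": "*"},
   "Action": ["kms:Decrypt", "kms:ReEncryptFrom"], "Resource": "*",
   "Condition": {"StringEquals": {"kms:CallerAccount": "111122223333"},
                 "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                "arn:aws:cloudtrail:*:111122223333:trail/*"}}}
]}
""")

# Actions the CloudTrail service principal must hold on the key; without them
# UpdateTrail is rejected with an InsufficientEncryptionPolicyException.
REQUIRED_FOR_CLOUDTRAIL = {"kms:GenerateDataKey", "kms:DescribeKey"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unencrypted_trails(describe_trails):
    """Names of trails failing the rule. CloudTrail omits KmsKeyId (or returns
    an empty string) when SSE-KMS is off, so both are treated as non-compliant."""
    return [t["Name"] for t in describe_trails["trailList"] if not t.get("KmsKeyId")]


def actions_allowed_to_cloudtrail(key_policy):
    """KMS actions that Allow statements grant the CloudTrail service principal
    (a bare "*" principal counts as granting it too)."""
    granted = set()
    for stmt in key_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = ["*"] if principal == "*" else _as_list(principal.get("Service", []))
        if "cloudtrail.amazonaws.com" in services or "*" in services:
            granted.update(_as_list(stmt["Action"]))
    return granted


def _matches(granted, required):
    """IAM action matching with a trailing wildcard ("*", "kms:*", "kms:GenerateDataKey*")."""
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def missing_cloudtrail_permissions(key_policy):
    """Required actions the key policy does not grant CloudTrail; an empty list
    means the key can be attached to a trail without a policy error."""
    granted = actions_allowed_to_cloudtrail(key_policy)
    return sorted(req for req in REQUIRED_FOR_CLOUDTRAIL
                  if not any(_matches(g, req) for g in granted))


if __name__ == "__main__":
    print("Trails without SSE-KMS:", unencrypted_trails(DESCRIBE_TRAILS))
    print("Key policy gaps for CloudTrail:", missing_cloudtrail_permissions(KEY_POLICY))
```

Against real output, feed the JSON from aws cloudtrail describe-trails and aws kms get-key-policy --policy-name default into the same two functions; a non-empty result from either one is what this rule would flag, or what would make the remediation's save step fail.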

Troubleshooting:

Issue: CloudTrail logs are not being encrypted at rest.

Troubleshooting Steps:

  1. Verify that the correct KMS key is selected and that its key policy grants the cloudtrail.amazonaws.com service principal kms:GenerateDataKey* and kms:DescribeKey. A key without these permissions cannot be attached to the trail; the API returns InsufficientEncryptionPolicyException.
  2. Ensure that the trail settings were saved after enabling encryption; reopening the trail should still show "Log file SSE-KMS encryption" as "Enabled".
  3. Confirm that the key is in the same Region as the trail's S3 bucket and that it is enabled (not disabled or pending deletion), since CloudTrail cannot deliver log files with a key it cannot use.
  4. Review CloudTrail event history for recent UpdateTrail or PutKeyPolicy calls that might have changed the trail's encryption settings or the key policy.

If the issue persists, it is recommended to reach out to AWS Support for further assistance.
