This rule ensures CloudTrail logs are securely encrypted at rest using KMS customer managed keys.
| Rule | Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
| --- | --- |
| Framework | cis_v150 |
| Severity | High |
Rule Description:
This rule ensures that CloudTrail logs are encrypted at rest using Key Management Service (KMS) Customer Managed Keys (CMKs) for compliance with CIS AWS Foundations Benchmark version 1.5.0.
Troubleshooting Steps:
If CloudTrail logs are not encrypted at rest using KMS CMKs, follow the troubleshooting steps below:
1. Verify the KMS CMKs: Ensure that appropriate KMS CMKs are available for encrypting CloudTrail logs, and that they exist in the correct region.
2. Update CloudTrail Settings: Open the AWS Management Console, navigate to the CloudTrail service and select the trail that needs encryption configured.
3. Configure Log Encryption: Enable encryption for the trail and specify the KMS CMK to use.
4. Verify Trail Settings: Check the trail's configuration to confirm that the encryption settings were applied correctly.
5. Verify CloudTrail Log Files: After changing the trail settings, wait for some time to allow the system to encrypt the existing log files, then confirm that the log files are being encrypted at rest using the specified KMS CMK.
6. Review Logs: Monitor CloudTrail logs and KMS logs for any errors or issues related to log encryption.
Necessary Codes:
No specific codes are required for this rule. However, the following AWS CLI command can be used to configure CloudTrail encryption:

aws cloudtrail update-trail --name <trail-name> --kms-key-id <kms-cmk-key-id>

Note: Replace <trail-name> with the name of the CloudTrail trail and <kms-cmk-key-id> with the ID, ARN or alias of the desired KMS CMK. The option is spelled --kms-key-id (the KmsKeyId API parameter). Do not add --no-is-multi-region-trail to this command: it is unrelated to encryption and would switch the trail to single-region logging. The call fails with InsufficientEncryptionPolicyException unless the CMK's key policy allows the cloudtrail.amazonaws.com service principal to call kms:GenerateDataKey*, so update the key policy first if needed.
Step-by-Step Guide for Remediation:
Follow the steps below to remediate and ensure CloudTrail logs are encrypted at rest using KMS CMKs:
1. Open the AWS Management Console and navigate to the CloudTrail service.
2. Select the CloudTrail trail that needs to be encrypted.
3. Click the "Edit" button or select "Configure" from the trail's context menu.
4. In the "Advanced" section, locate the "Encryption" option and click the "Edit" button next to it.
5. Tick the "Enable encryption" checkbox.
6. Select the appropriate KMS CMK from the drop-down list.
7. Click "Save" to apply the encryption settings.
8. Wait for some time to allow the system to encrypt the existing log files.
9. Confirm that the CloudTrail logs are now being encrypted at rest using the specified KMS CMK.
10. Monitor the CloudTrail logs and KMS logs for any errors or issues related to log encryption.
By following the above steps, you have successfully ensured that CloudTrail logs are encrypted at rest using KMS CMKs as per the CIS AWS Foundations Benchmark version 1.5.0.
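To confirm the outcome of the steps above from API output rather than the console, here is an added example (not part of the original rule page) that evaluates constructed `aws cloudtrail describe-trails` output and a constructed CMK key policy: it lists trails with no KmsKeyId and checks that the key policy grants the cloudtrail.amazonaws.com service principal kms:GenerateDataKey*, which update-trail requires. The trail names, account ID and key ID are made-up sample values.

```python
import json

# Constructed sample of `aws cloudtrail describe-trails` output (not real account data).
DESCRIBE_TRAILS = {
    "trailList": [
        {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"Name": "legacy-trail", "HomeRegion": "us-west-2", "IsMultiRegionTrail": False},
    ]
}

# Constructed default key policy for that CMK. CloudTrail must be allowed to call
# kms:GenerateDataKey*, otherwise update-trail fails with InsufficientEncryptionPolicyException.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*"},
    ],
}

ENCRYPT_ACTIONS = {"kms:*", "kms:GenerateDataKey*", "kms:GenerateDataKey"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unencrypted_trails(describe_trails: dict) -> list:
    """Names of trails that have no KmsKeyId and therefore fail the control."""
    return [t["Name"] for t in describe_trails["trailList"] if not t.get("KmsKeyId")]


def key_policy_allows_cloudtrail(policy: dict) -> bool:
    """True if an Allow statement grants cloudtrail.amazonaws.com a GenerateDataKey action."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        services = _as_list(principal.get("Service", []))
        actions = _as_list(stmt.get("Action", []))
        if "cloudtrail.amazonaws.com" in services and ENCRYPT_ACTIONS.intersection(actions):
            return True
    return False


if __name__ == "__main__":
    report = {"trails_without_cmk": unencrypted_trails(DESCRIBE_TRAILS),
              "key_policy_allows_cloudtrail": key_policy_allows_cloudtrail(KEY_POLICY)}
    print(json.dumps(report, indent=2))
```

Feed the real output of `aws cloudtrail describe-trails` and `aws kms get-key-policy --policy-name default` to the two functions to run the same check against an account.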