
Rule: CloudTrail Trail Logs Encrypted with KMS CMK

This rule ensures CloudTrail trail logs are encrypted with an AWS Key Management Service (KMS) customer managed key (CMK).

Rule: CloudTrail trail logs should be encrypted with KMS CMK
Framework: CISA-cyber-essentials
Severity: Critical

CloudTrail trail logs encryption with KMS CMK for CISA-Cyber-Essentials

Description:

Encrypting CloudTrail trail logs with AWS Key Management Service (KMS) Customer Master Key (CMK) is a security best practice to protect sensitive data and comply with the CISA-Cyber-Essentials framework. CloudTrail provides detailed logs of API calls and acts as an essential component for auditing and troubleshooting in AWS environments. By encrypting trail logs using KMS CMK, the confidentiality and integrity of the logs are ensured, preventing unauthorized access and tampering.

Troubleshooting Steps:

If you encounter any issues while encrypting CloudTrail trail logs with KMS CMK, follow these troubleshooting steps:

1. Verify IAM permissions: Ensure the required IAM permissions are assigned to the user or role configuring CloudTrail. The user/role should have kms:Encrypt and kms:Decrypt permissions for the selected CMK.

2. Check CMK availability: Ensure that the KMS CMK being used is available and not deleted or expired. Verify that the CMK is enabled for use.

3. Check CMK key policy: Review the key policy of the CMK to ensure it allows the necessary usage permissions. The kms:Encrypt permission should be granted to the IAM user/role configuring CloudTrail.

4. Verify CloudTrail configuration: Double-check the CloudTrail configuration to ensure the correct CMK is selected for encryption. Make sure the CMK ARN (Amazon Resource Name) is accurate.

5. Check AWS region compatibility: Ensure that the selected CMK and CloudTrail are both in the same AWS region. CMKs are region-specific and cannot be shared across regions.

6. AWS service integration: Make sure that KMS is integrated with CloudTrail by checking whether KMS encryption is enabled in the CloudTrail settings.

7. Troubleshoot with AWS Support: If the issue persists, reach out to AWS Support for further assistance in troubleshooting and resolving the CloudTrail encryption issue.

Necessary Codes:

No specific code snippets are required for this rule.

Remediation Steps:

Follow the step-by-step guide below to enable KMS CMK encryption for CloudTrail trail logs, as required by CISA-Cyber-Essentials:

1. Log in to the AWS Management Console: Open your web browser and navigate to the AWS Management Console.

2. Go to the CloudTrail service: In the AWS Management Console, search for "CloudTrail" or find it under the "Management & Governance" category.

3. Select the desired trail: From the CloudTrail homepage, select the relevant trail that requires encryption.

4. Click on "Edit": On the trail's details page, click the "Edit" button.

5. Enable log file encryption: Scroll down to the "Log file settings" section. Under "S3 bucket where logs are delivered," ensure that the desired bucket is selected. Check the box for "Enable log file encryption."

6. Select KMS CMK: Choose the desired CMK from the available options in the "KMS key for encryption" dropdown menu. Make sure the CMK has the necessary permissions.

7. Save the changes: Click the "Save" button to apply the encryption settings.

8. Verify encryption status: Once the changes are saved, CloudTrail will attempt to encrypt the existing and new logs. Verify the encryption status on the CloudTrail homepage and ensure it shows as enabled.

It may take some time for CloudTrail to apply the encryption to existing logs. Going forward, all new logs will be encrypted using the specified KMS CMK for improved security and compliance with CISA-Cyber-Essentials.
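To verify the final step across every trail rather than one at a time in the console, the following added example (not part of the original rule page or the Cloud Defense product) evaluates the output of the CloudTrail DescribeTrails API the way this rule does: a trail fails when no KMS key is configured, or when the key's region does not match the trail's home region (troubleshooting step 5). The sample trail list, key ARN and account number are constructed; the optional boto3 call only runs if credentials are available.

```python
from typing import Dict, List, Optional


def _region_from_key_arn(kms_key_id: str) -> Optional[str]:
    # Key ARN form: arn:aws:kms:<region>:<account>:key/<id>; a bare key ID carries no region.
    parts = kms_key_id.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "kms":
        return parts[3]
    return None


def evaluate_trail(trail: Dict) -> Dict:
    """Evaluate one trail record (shape of cloudtrail:DescribeTrails 'trailList' entries)."""
    name = trail.get("Name", "<unnamed>")
    key = trail.get("KmsKeyId")          # absent or empty when log file encryption is off
    home = trail.get("HomeRegion")
    if not key:
        return {"trail": name, "status": "FAIL",
                "reason": "no KMS key configured; log files are not KMS-encrypted"}
    key_region = _region_from_key_arn(key)
    if key_region and home and key_region != home:
        return {"trail": name, "status": "FAIL",
                "reason": f"KMS key is in {key_region} but the trail's home region is {home}"}
    return {"trail": name, "status": "PASS", "reason": f"encrypted with {key}"}


def evaluate_trails(trails: List[Dict]) -> List[Dict]:
    return [evaluate_trail(t) for t in trails]


# Constructed sample of a DescribeTrails response; account and key IDs are placeholders.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "HomeRegion": "us-east-1",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},
    {"Name": "legacy-trail", "HomeRegion": "us-east-1"},
    {"Name": "cross-region-trail", "HomeRegion": "eu-west-1",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},
]

if __name__ == "__main__":
    import sys
    try:
        import boto3  # only used when run against a live account with credentials
        trails = boto3.client("cloudtrail").describe_trails(includeShadowTrails=False)["trailList"]
    except Exception:
        trails = SAMPLE_TRAILS  # fall back to the constructed sample for offline use
    findings = evaluate_trails(trails)
    for f in findings:
        print(f"{f['status']:4} {f['trail']}: {f['reason']}")
    sys.exit(1 if any(f["status"] == "FAIL" for f in findings) else 0)
```

The non-zero exit on any FAIL lets the check run as a scheduled compliance job; remediate failing trails with the console steps above.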
