
Rule: Enable Log Group Encryption at Rest

Ensure that encryption at rest is enabled for log groups to protect sensitive data.

Rule: Log group encryption at rest should be enabled
Framework: CISA-cyber-essentials
Severity: High

Rule Description:

Log group encryption at rest protects log data stored in Amazon CloudWatch Logs. Enabling encryption at rest for the log group associated with CISA-cyber-essentials adds a layer of protection so that the log data cannot be read if the underlying storage is leaked or otherwise exposed without authorization.

Troubleshooting Steps (if necessary):

  1. Verify IAM Permissions: Ensure that you have the necessary permissions to enable log group encryption.

  2. Check Log Group Configuration: Verify whether the log group associated with CISA-cyber-essentials has encryption at rest enabled.

Remediation Steps:

Note: Before proceeding with the following steps, make sure you have the required permissions and access to the AWS Management Console.

  1. Open the AWS Management Console and navigate to the CloudWatch service.

  2. In the CloudWatch navigation pane, click on "Log groups."

  3. Search for the log group associated with CISA-cyber-essentials.

  4. Select the log group by clicking on its name.

  5. In the log group details, click on the "Actions" dropdown button.

  6. From the dropdown menu, select "Modify log group."

  7. In the "Modify log group" window, locate the "Data protection" section.

  8. Check if the "Enable log group encryption at rest" option is already enabled. If not, proceed to the next step.

  9. Enable the "Enable log group encryption at rest" option by selecting the checkbox.

  10. Review the other settings and configurations if necessary.

  11. Click on the "Save" button to save the changes.

  12. Wait for the changes to take effect, which may take a few minutes.

Code (if necessary):

There is no specific code snippet required for this rule. The steps provided above can be followed to enable log group encryption at rest through the AWS Management Console.

Verification:

To verify if the log group encryption at rest is enabled for CISA-cyber-essentials, follow these steps:

  1. Open the AWS Management Console and navigate to the CloudWatch service.

  2. In the CloudWatch navigation pane, click on "Log groups."

  3. Search for the log group associated with CISA-cyber-essentials.

  4. Select the log group by clicking on its name.

  5. In the log group details, verify that the "Enable log group encryption at rest" option is enabled.

If the option is enabled, log group encryption at rest is successfully enabled for CISA-cyber-essentials.
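For accounts with many log groups, the console check above does not scale. The following is an added example (not code from Cloud Defense or from this rule page) that audits the remediation and verification steps programmatically with boto3: `find_unencrypted_log_groups` works on the `logGroups` list shape that the CloudWatch Logs `DescribeLogGroups` API returns and flags groups with no `kmsKeyId`, and `audit_account` can associate a key with each of them. The region, the KMS key ARN and the sample log group names are assumptions constructed for the example.

```python
"""Audit CloudWatch log groups for KMS encryption at rest; optionally remediate.

A log group whose DescribeLogGroups entry carries no `kmsKeyId` has no KMS key
associated, which is the condition this rule flags.
"""
from typing import Dict, List, Optional


def find_unencrypted_log_groups(log_groups: List[Dict]) -> List[str]:
    """Return the names of log groups that have no KMS key associated.

    `log_groups` is the `logGroups` list as returned by DescribeLogGroups.
    """
    return [g["logGroupName"] for g in log_groups if not g.get("kmsKeyId")]


def audit_account(region: str, kms_key_arn: Optional[str] = None,
                  remediate: bool = False) -> List[str]:
    """Scan every log group in `region`; associate `kms_key_arn` when remediating."""
    import boto3  # imported here so the pure check above runs without boto3

    logs = boto3.client("logs", region_name=region)
    groups: List[Dict] = []
    # DescribeLogGroups is paginated; collect every page before checking.
    for page in logs.get_paginator("describe_log_groups").paginate():
        groups.extend(page["logGroups"])
    missing = find_unencrypted_log_groups(groups)
    if remediate:
        if not kms_key_arn:
            raise ValueError("kms_key_arn is required when remediate=True")
        for name in missing:
            # Same effect as enabling encryption in the console for that group.
            logs.associate_kms_key(logGroupName=name, kmsKeyId=kms_key_arn)
    return missing


# Constructed sample in the shape of a DescribeLogGroups response (not real data).
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/payments",
     "kmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"},
    {"logGroupName": "/aws/lambda/reports"},          # no key at all
    {"logGroupName": "/app/api-access", "kmsKeyId": ""},  # empty value, still unencrypted
]

if __name__ == "__main__":
    for name in find_unencrypted_log_groups(SAMPLE_LOG_GROUPS):
        print(f"{name}: no KMS key associated, encryption at rest is not enabled")
```

The key policy of the KMS key must allow the CloudWatch Logs service principal to use it; otherwise `associate_kms_key` is rejected and the group stays unencrypted.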
