Rule: CloudTrail Trail Logs Encrypted with KMS CMK
This rule ensures CloudTrail trail logs are encrypted with KMS CMK for enhanced security.
| Rule | CloudTrail trail logs should be encrypted with KMS CMK |
| Framework | CISA-cyber-essentials |
| Severity | ✔ Critical |
Ensuring CloudTrail Trail Logs are Encrypted with AWS KMS CMK in Compliance with CISA Cyber Essentials
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. The CISA Cyber Essentials encourages the encryption of sensitive data to protect the integrity and confidentiality of information.
AWS CloudTrail Log Encryption with KMS CMK
When you create a trail, you can configure it to encrypt log files using AWS Key Management Service (KMS) keys. AWS KMS is a managed service that makes it easy for you to create and control the keys used for cryptographic operations.
Rule/Policy Details
CloudTrail logs should be encrypted with a customer-managed AWS KMS Customer Master Key (CMK) rather than the default AWS managed key for CloudTrail. Using a customer-managed CMK gives you more flexibility, including key rotation and the policy modification.
Benefits:
- Control and manage key permissions and policies.
- Define key rotation policies.
- Monitor key usage through CloudTrail itself.
Prerequisites:
- AWS CLI or Management Console access
- IAM permissions to manage CloudTrail and AWS KMS
Step by Step Guide for Remediation
Step 1: Verify Current CloudTrail Encryption
- 1.Go to the AWS Management Console.
- 2.Navigate to the CloudTrail service.
- 3.Select the trail you want to examine.
- 4.In the trail's details, check the "KMS key ID" field to see if it's using the default key or a customer-managed key.
Step 2: Create a Customer-Managed CMK (if necessary)
- 1.Go to the KMS section in the AWS Management Console.
- 2.Choose "Create a key" and follow the wizard.
- 3.Define the key administrative and usage permissions.
- 4.Record the Key ID or ARN after the key is created.
CLI command to create a CMK:
aws kms create-key --description "CloudTrail encryption key"
After creating the key, record the
KeyIdArnStep 3: Update CloudTrail to Use the Customer-Managed CMK
- 1.Go back to the CloudTrail service in the AWS Management Console.
- 2.Choose the trail you are updating.
- 3.Select "Edit."
- 4.Under "KMS key," change from the default key to the ARN of your customer-managed key.
- 5.Save the changes.
CLI command to update a trail:
aws cloudtrail update-trail --name YourTrailName --kms-key-id alias/YourKeyAlias
Replace
YourTrailNameYourKeyAliasMonitoring and Troubleshooting
To monitor the usage of your CMK and troubleshoot any potential issues, you can use AWS CloudTrail logs to record key usage. Look for the
EncryptDecryptIf issues arise with encryption or if CloudTrail logs are not being created:
- 1.Check the KMS key policy to ensure it grants permissions to CloudTrail.
- 2.Verify the IAM role used by CloudTrail has permissions to use the KMS key.
- 3.Look for any key policy changes or key deletions that may have occurred.
Additional Recommendations
- Set an alias for the CMK to make it easier to manage.
- Periodically rotate your customer-managed CMK.
- Audit key usage frequently to ensure security compliance.
This guide aims to be precise, applying the necessary steps without extraneous information, fulfilling search optimization requirements without sacrificing quality or readability.