
Rule: CloudTrail Trail Logs Encrypted with KMS CMK

Ensure CloudTrail trail logs are encrypted with KMS CMK for enhanced data protection.

Rule: CloudTrail trail logs should be encrypted with KMS CMK
Framework: General Data Protection Regulation (GDPR)
Severity: Critical

Rule Description:

This rule requires that CloudTrail trail log files, which record AWS API activity for the account, are encrypted server-side with a customer managed AWS KMS key (historically called a Customer Master Key, CMK) rather than only with the S3-managed default, in support of GDPR's requirement to protect personal data with appropriate technical measures.

CloudTrail log files delivered to S3 are always encrypted at rest with SSE-S3. Switching the trail to SSE-KMS with your own key adds a second, independent access-control layer: a reader needs both s3:GetObject on the bucket and kms:Decrypt on the key, the key policy decides who may decrypt, and every decrypt call is itself recorded in CloudTrail. Trail logs routinely contain personal data (IAM user names, source IP addresses, request parameters), which is what brings them into GDPR scope.

Troubleshooting Steps:

If CloudTrail trail logs are not encrypted with a KMS CMK, perform the following troubleshooting steps:

  1. Check that the trail is delivering log files to an S3 bucket (a trail with no delivery has nothing to encrypt).
  2. Verify that the KMS CMK intended for the logs exists, is enabled, and is in the same Region as the S3 bucket that receives the log files.
  3. Check the key policy: the cloudtrail.amazonaws.com service principal must be allowed kms:GenerateDataKey* and kms:DescribeKey, and the IAM principals that read the logs must be allowed kms:Decrypt. Permissions on the IAM principal alone are not enough, because the encrypt call is made by the CloudTrail service.
  4. Check that the trail's settings reference the correct CMK (the KmsKeyId in the trail configuration).

Necessary Codes:

To enable SSE-KMS encryption on an existing trail with the AWS CLI, run:

aws cloudtrail update-trail --name <trail-name> --kms-key-id <kms-key-id>

Replace <trail-name> with the name of the CloudTrail trail and <kms-key-id> with the key ARN, key ID, alias name or alias ARN of the KMS CMK to be used. Setting --kms-key-id is what turns encryption on; there is no separate "is KMS encrypted" flag. The call is rejected with InsufficientEncryptionPolicyException if the key policy does not grant CloudTrail kms:GenerateDataKey*, and the key must be in the same Region as the S3 bucket that receives the log files.

Step-by-Step Guide for Remediation:

Follow these steps to encrypt CloudTrail trail logs with a KMS CMK:

  1. Identify the CloudTrail trail that needs to be encrypted with the KMS CMK.
  2. Sign in to the AWS Management Console (the same change can be made with the AWS CLI command above).
  3. Open the CloudTrail service.
  4. In the navigation pane, choose "Trails".
  5. Select the appropriate trail from the list.
  6. Choose "Edit".
  7. In the "Trail details" section, locate the "Enable log file encryption" option.
  8. Select "Yes" for log file encryption.
  9. Choose the desired KMS CMK from the dropdown list.
  10. Choose "Save".
  11. Verify that the trail now reports the key: the trail's details page shows the KMS key, and the aws cloudtrail describe-trails output for the trail contains a KmsKeyId. Log files delivered after the change are SSE-KMS encrypted; files delivered earlier keep whatever encryption they already had.

Note: If the desired KMS CMK does not exist yet, create it in AWS KMS before performing the above steps, and make sure its key policy lets the cloudtrail.amazonaws.com service principal call kms:GenerateDataKey* and kms:DescribeKey and lets your log readers call kms:Decrypt. The CloudTrail console can also create a new key with a suitable policy at step 9.
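The check in troubleshooting step 3, the update-trail command, and the key policy the note above asks for, worked through as an added Python example. This is not Cloud Defense's or AWS's code; it operates on the JSON shapes returned by aws cloudtrail describe-trails and aws kms get-key-policy, and the account ID 111122223333, the Regions, trail names and the alias/cloudtrail-logs key alias are constructed for the example.

```python
"""Audit CloudTrail trails for SSE-KMS log encryption and assemble the fix.

Added example. Works on the JSON shapes returned by `aws cloudtrail
describe-trails` and `aws kms get-key-policy`; account ID, Regions, trail
names and key alias below are constructed.
"""
import json
import sys

# Constructed `describe-trails` output: one trail already on SSE-KMS, one with
# no KmsKeyId at all, one whose KmsKeyId is empty (both non-compliant).
SAMPLE_DESCRIBE_TRAILS = {"trailList": [
    {"Name": "org-trail", "HomeRegion": "eu-west-1", "S3BucketName": "org-trail-logs",
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/org-trail",
     "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"Name": "dev-trail", "HomeRegion": "eu-west-1", "S3BucketName": "dev-trail-logs",
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/dev-trail"},
    {"Name": "legacy-trail", "HomeRegion": "us-east-1", "S3BucketName": "legacy-trail-logs",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-trail", "KmsKeyId": ""},
]}


def find_unencrypted_trails(describe_trails):
    """Names of trails whose log files are not SSE-KMS encrypted.

    Without a KmsKeyId the S3 objects still get SSE-S3, but not a key whose
    policy and usage you control and can audit.
    """
    return [t["Name"] for t in describe_trails.get("trailList", []) if not t.get("KmsKeyId")]


def remediation_command(trail_name, kms_key_id):
    """AWS CLI call that enables SSE-KMS on an existing trail.

    --kms-key-id takes a key ARN, key ID, alias name or alias ARN; setting it
    is what enables encryption, there is no separate flag.
    """
    return f"aws cloudtrail update-trail --name {trail_name} --kms-key-id {kms_key_id}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def key_policy_allows_cloudtrail(policy):
    """Troubleshooting step 3: can the CloudTrail service use this key to encrypt?

    CloudTrail needs kms:GenerateDataKey* granted to the cloudtrail.amazonaws.com
    service principal; otherwise update-trail fails with
    InsufficientEncryptionPolicyException. A grant to IAM principals alone does
    not help, because the encrypt call is made by the service.
    """
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "cloudtrail.amazonaws.com" not in services:
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in ("*", "kms:*") or action.startswith("kms:GenerateDataKey"):
                return True
    return False


def cloudtrail_key_policy(account_id, trail_arn):
    """Least-privilege key policy for a key dedicated to one trail's log files.

    aws:SourceArn pins encryption to this trail, the encryption-context condition
    stops the key being used for anything but this account's CloudTrail logs,
    and decryption is limited to principals in the same account.
    """
    ctx = {"kms:EncryptionContext:aws:cloudtrail:arn": f"arn:aws:cloudtrail:*:{account_id}:trail/*"}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM policies in the key owner account", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "kms:GenerateDataKey*",
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}, "StringLike": ctx}},
        {"Sid": "Allow CloudTrail to describe the key", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "kms:DescribeKey",
         "Resource": "*"},
        {"Sid": "Allow account principals to decrypt log files", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": ["kms:Decrypt", "kms:ReEncryptFrom"], "Resource": "*",
         "Condition": {"StringEquals": {"kms:CallerAccount": account_id}, "StringLike": ctx}},
    ]}


if __name__ == "__main__":
    # Pass the path of saved `aws cloudtrail describe-trails` output, or run on the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DESCRIBE_TRAILS
    key_alias = "alias/cloudtrail-logs"  # assumed alias of the customer managed key
    for name in find_unencrypted_trails(data):
        print(remediation_command(name, key_alias))
    account = "111122223333"
    print(json.dumps(cloudtrail_key_policy(account, f"arn:aws:cloudtrail:eu-west-1:{account}:trail/dev-trail"), indent=2))
```

Run it against the saved output of aws cloudtrail describe-trails to get one update-trail command per non-compliant trail; feed the generated policy to aws kms create-key --policy (or put-key-policy on an existing key) before running those commands, since CloudTrail validates the key policy at update time. The root statement is kept so the key cannot become unmanageable, and the decrypt statement is scoped by encryption context so the key is useless for anything but this account's trail logs.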

Conclusion:

Encrypting CloudTrail trail logs with a KMS CMK helps meet GDPR's data-protection requirements by putting access to the audit logs under a key policy you control and by recording every decrypt. Working through the troubleshooting steps, the CLI command and the console guide above will bring non-compliant trails in line with this rule and strengthen the security of your AWS environment.
