Ensure CloudTrail trail logs are encrypted with KMS CMK for enhanced data protection.
| Rule | CloudTrail trail logs should be encrypted with KMS CMK |
| --- | --- |
| Framework | General Data Protection Regulation (GDPR) |
| Severity | ✔ Critical |
Rule Description:
This rule requires that CloudTrail trail log files, which record AWS API activity, are encrypted with an AWS Key Management Service (KMS) Customer Master Key (CMK, now called a customer managed key in AWS documentation) rather than the default Amazon S3 managed encryption (SSE-S3). The control is mapped to the General Data Protection Regulation (GDPR).
Encrypting CloudTrail log files with a KMS CMK puts access to the log contents under a key policy you control: a principal needs kms:Decrypt on the key in addition to s3:GetObject on the bucket, so a misconfigured bucket policy alone no longer exposes the API history, and every decrypt is itself recorded in CloudTrail. CloudTrail logs routinely contain principal names, source IP addresses and resource identifiers, which is why the rule treats them as sensitive data under GDPR.
Troubleshooting Steps:
If CloudTrail trail logs are not encrypted with KMS CMK, perform the following troubleshooting steps:
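The check a practitioner would run before remediating, written here as an added example rather than code from the original page. It evaluates the shape of an `aws cloudtrail describe-trails` response: a trail is compliant only when `KmsKeyId` is present and non-empty, because CloudTrail omits the field entirely for unencrypted trails. The sample response is constructed and the trail, bucket and key names in it are hypothetical; `fetch_trails` is the live variant and imports boto3 lazily so the audit logic runs offline.

```python
"""Audit CloudTrail trails for KMS encryption (added example, not the page's code)."""
import json

# Constructed sample in the shape of `aws cloudtrail describe-trails` output.
# Trail, bucket, account and key identifiers are hypothetical.
SAMPLE_DESCRIBE_TRAILS = {
    "trailList": [
        {
            "Name": "org-audit-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-audit-trail",
            "S3BucketName": "org-audit-logs",
            "HomeRegion": "us-east-1",
            "IsMultiRegionTrail": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        },
        {
            # Shadow copy of the multi-region trail as seen from another region:
            # same TrailARN, must not be reported twice.
            "Name": "org-audit-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-audit-trail",
            "S3BucketName": "org-audit-logs",
            "HomeRegion": "us-east-1",
            "IsMultiRegionTrail": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        },
        {
            "Name": "legacy-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-trail",
            "S3BucketName": "legacy-logs",
            "HomeRegion": "us-east-1",
            "IsMultiRegionTrail": False,
            # No KmsKeyId: log files are written with SSE-S3 only.
        },
        {
            "Name": "empty-key-trail",
            "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/empty-key-trail",
            "S3BucketName": "eu-logs",
            "HomeRegion": "eu-west-1",
            "KmsKeyId": "",
        },
    ]
}


def is_kms_encrypted(trail: dict) -> bool:
    """Compliant only when KmsKeyId is present and non-blank."""
    return bool(trail.get("KmsKeyId", "").strip())


def find_unencrypted_trails(describe_trails_response: dict) -> list[dict]:
    """Return one FAIL finding per distinct non-compliant trail (deduped on TrailARN)."""
    findings = []
    seen = set()
    for trail in describe_trails_response.get("trailList", []):
        arn = trail["TrailARN"]
        if arn in seen:
            continue
        seen.add(arn)
        if not is_kms_encrypted(trail):
            findings.append({
                "trail": trail["Name"],
                "arn": arn,
                "home_region": trail.get("HomeRegion"),
                "status": "FAIL",
                "reason": "trail log files are not encrypted with a KMS key",
            })
    return findings


def fetch_trails(region_name: str = "us-east-1") -> dict:
    """Live variant. Assumes boto3 is installed and credentials are configured."""
    import boto3
    client = boto3.client("cloudtrail", region_name=region_name)
    # includeShadowTrails=True surfaces multi-region and organization trails
    # from their home region; find_unencrypted_trails dedupes them.
    return client.describe_trails(includeShadowTrails=True)


if __name__ == "__main__":
    for finding in find_unencrypted_trails(SAMPLE_DESCRIBE_TRAILS):
        print(json.dumps(finding))
```

Run it against `fetch_trails()` in each region you operate in; an empty result set means every trail in that account already satisfies the rule.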
Necessary Codes:
To enable KMS encryption on an existing trail, run the following command (update-trail has no --is-kms-encrypted flag; supplying --kms-key-id is what switches the trail from SSE-S3 to SSE-KMS):
aws cloudtrail update-trail --name <trail-name> --kms-key-id <kms-key-id>
Replace <trail-name> with the name of the CloudTrail trail and <kms-key-id> with the key ID, key ARN, alias name (alias/...) or alias ARN of the KMS CMK to use for encryption. The key must be in the same Region as the S3 bucket that receives the log files, and its key policy must allow the cloudtrail.amazonaws.com service principal to call kms:GenerateDataKey* and kms:DescribeKey; otherwise update-trail fails with InsufficientEncryptionPolicyException. Anyone who needs to read the logs afterwards must also be granted kms:Decrypt on that key.
Step-by-Step Guide for Remediation:
Follow these steps to encrypt CloudTrail trail logs with KMS CMK:
Note: If the desired KMS CMK does not exist yet, create one in AWS Key Management Service (KMS) before running the command above, and attach a key policy that grants CloudTrail permission to use it. A key created with the console defaults will not have that statement.
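The remediation in code, added here as an example and not taken from the original page. It builds the key policy statements that CloudTrail needs (the same four statements AWS documents for a CloudTrail log key: account root keeps IAM control, CloudTrail may generate data keys for this trail only and describe the key, principals in the account may decrypt the log files) and then performs the equivalent of the update-trail command. The account ID, Region, trail name and alias are hypothetical; boto3 is imported lazily inside remediate() so the policy builder runs offline.

```python
"""Remediate an unencrypted CloudTrail trail (added example, not the page's code)."""
import json

ACCOUNT_ID = "111122223333"       # hypothetical
REGION = "us-east-1"              # hypothetical
TRAIL_NAME = "legacy-trail"       # hypothetical
KEY_ALIAS = "alias/cloudtrail-logs"  # hypothetical


def cloudtrail_key_policy(account_id: str, region: str, trail_name: str) -> dict:
    """Key policy for a CloudTrail log-encryption key, scoped to one trail."""
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    # CloudTrail sets this encryption context on every data key it requests.
    ctx = {"kms:EncryptionContext:aws:cloudtrail:arn": f"arn:aws:cloudtrail:*:{account_id}:trail/*"}
    return {
        "Version": "2012-10-17",
        "Id": "cloudtrail-log-key-policy",
        "Statement": [
            {   # Without this the key is unmanageable by anyone in the account.
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # aws:SourceArn pins the grant to this trail (confused-deputy defence).
                "Sid": "Allow CloudTrail to encrypt logs",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "kms:GenerateDataKey*",
                "Resource": "*",
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}, "StringLike": ctx},
            },
            {
                "Sid": "Allow CloudTrail to describe key",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "kms:DescribeKey",
                "Resource": "*",
            },
            {   # Readers still need IAM permission; this only allows the key to be used.
                "Sid": "Allow principals in the account to decrypt log files",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
                "Resource": "*",
                "Condition": {"StringEquals": {"kms:CallerAccount": account_id}, "StringLike": ctx},
            },
        ],
    }


def remediate(trail_name: str, key_alias: str, region: str, account_id: str) -> dict:
    """Create or update the key and its policy, then point the trail at it.
    Assumes boto3 is installed and the caller has KMS and CloudTrail permissions."""
    import boto3
    from botocore.exceptions import ClientError
    kms = boto3.client("kms", region_name=region)
    cloudtrail = boto3.client("cloudtrail", region_name=region)
    policy = json.dumps(cloudtrail_key_policy(account_id, region, trail_name))
    try:
        key_id = kms.describe_key(KeyId=key_alias)["KeyMetadata"]["KeyId"]
        kms.put_key_policy(KeyId=key_id, PolicyName="default", Policy=policy)
    except ClientError as err:
        if err.response["Error"]["Code"] != "NotFoundException":
            raise
        key_id = kms.create_key(Description="CloudTrail log encryption", Policy=policy)["KeyMetadata"]["KeyId"]
        kms.create_alias(AliasName=key_alias, TargetKeyId=key_id)
    # Same effect as: aws cloudtrail update-trail --name <trail-name> --kms-key-id <kms-key-id>
    return cloudtrail.update_trail(Name=trail_name, KmsKeyId=key_id)


if __name__ == "__main__":
    print(json.dumps(cloudtrail_key_policy(ACCOUNT_ID, REGION, TRAIL_NAME), indent=2))
```

After the call, re-run the audit; `describe-trails` should now report the key ARN in `KmsKeyId`, and new objects in the log bucket will show `ServerSideEncryption: aws:kms` in `head-object`.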
Conclusion:
Encrypting CloudTrail trail logs with a KMS CMK supports GDPR compliance by putting the API history, and the personal data it contains, behind a key policy you control. Following the troubleshooting steps, running the update-trail command, and completing the step-by-step remediation guide will bring every trail into line with this rule and raise the security of your AWS environment.