
Rule: CloudTrail Trail Logs Encrypted with KMS CMK

This rule checks that every CloudTrail trail encrypts its log files with an AWS KMS customer managed key (CMK; older AWS documentation calls this a customer master key) instead of relying on the default Amazon S3 server-side encryption (SSE-S3) that CloudTrail applies when no key is configured.

Rule: CloudTrail trail logs should be encrypted with KMS CMK
Framework: GxP 21 CFR Part 11
Severity: Critical

Rule Description

In an environment subject to GxP regulations (the family of "good practice" rules such as GCP, GMP and GLP) and to FDA 21 CFR Part 11, which governs electronic records and electronic signatures, CloudTrail trail logs should be encrypted with an AWS KMS customer managed key (CMK). CloudTrail log files are the audit trail of administrative and API activity in the account. Encrypting them under a key the account controls, with a key policy that limits who may decrypt, protects their confidentiality and ties every read of the records to an auditable KMS permission, which supports the Part 11 controls on electronic records.

Troubleshooting Steps

If enabling or validating KMS encryption for a trail fails, work through the checks below. The CloudTrail API reports the most common causes as InsufficientEncryptionPolicyException, KmsKeyDisabledException, KmsKeyNotFoundException and InvalidKmsKeyIdException, and each of these maps onto one of the steps.

  1.

    Check KMS key permissions: CloudTrail encrypts log files as the service principal cloudtrail.amazonaws.com, so the permissions that matter live in the key policy, not in the IAM policy of the user running the command. The key policy must allow cloudtrail.amazonaws.com to call kms:GenerateDataKey* (normally scoped with a condition on kms:EncryptionContext:aws:cloudtrail:arn so that only trails in your account can use the key) and kms:DescribeKey, and it must allow the principals that read the logs to call kms:Decrypt. A missing CloudTrail grant surfaces as InsufficientEncryptionPolicyException when the trail is created or updated. The IAM principal making the change still needs cloudtrail:UpdateTrail (or cloudtrail:CreateTrail).

  2.

    Verify the trail configuration: confirm that the trail's KmsKeyId is set and points at the key you intended; a trail without a KmsKeyId falls back to SSE-S3. For a multi-Region trail, check it from its home Region. An organization trail is visible in member accounts but can only be changed from the management account or a delegated administrator.

  3.

    Validate the key itself: the key must be in the Enabled state. A key that is disabled, pending deletion or pending import cannot issue data keys, and CloudTrail stops delivering log files rather than delivering them unencrypted. The key must also be in the same Region as the S3 bucket that receives the log files (KMS multi-Region keys are supported); a key CloudTrail cannot resolve is reported as KmsKeyNotFoundException or InvalidKmsKeyIdException. Re-check the key policy for the statements described in step 1.

  4.

    Verify 21 CFR Part 11 alignment: Part 11 does not name an encryption algorithm. It requires controls that preserve the authenticity, integrity and, where appropriate, confidentiality of electronic records, plus secure, computer-generated, time-stamped audit trails. Encryption with a customer managed key addresses confidentiality and key control (key policy, rotation, and CloudTrail's own record of every kms:Decrypt against the key). It does not by itself give tamper evidence, so pair it with CloudTrail log file validation, which produces signed digest files you can use to prove log files were not modified after delivery. Keep the key policy, the rotation setting and the validation status as part of your Part 11 evidence.

Necessary Codes

There is no single code artifact for this rule; it is remediated by configuring the key and the trail. The AWS CLI commands below serve as a guide for remediation; adjust names, the key policy and the Region to your environment.

  1.
    Create a KMS customer managed key (if you do not already have one for the trail):

      aws kms create-key --description "CMK for CloudTrail logs encryption" --policy file://key-policy.json

    Note: key-policy.json is the key policy document. At minimum it must let cloudtrail.amazonaws.com call kms:GenerateDataKey* and kms:DescribeKey and let the principals that read the logs call kms:Decrypt. If you omit --policy, AWS applies a default policy that grants only the account root full access, and CloudTrail cannot use the key until those statements are added. Record the KeyId or Arn from the command output.

  2.
    Enable encryption on an existing CloudTrail trail:

      aws cloudtrail update-trail --name <trail-name> --kms-key-id <cmk-id>

    Replace <trail-name> with the name of your trail and <cmk-id> with the key ID, key ARN, alias name (alias/...) or alias ARN of the key from step 1. The parameter is --kms-key-id; there is no separate "enable encryption" flag, because setting a key on the trail is what switches the log files to SSE-KMS. To confirm, check that KmsKeyId appears in the output of aws cloudtrail get-trail --name <trail-name>.
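The create-key command above reads its policy from key-policy.json, but the page does not show what that file must contain, and a key policy that leaves CloudTrail out is the most common reason encryption fails. The following Python script is an added example, not part of the original page or Cloud Defense's product: it writes a key-policy.json with the statements CloudTrail needs (the pattern follows the AWS CloudTrail/KMS documentation), and its missing_cloudtrail_grants function checks an existing key policy for the same grants. The account ID 111122223333, Region us-east-1 and trail name gxp-audit-trail are placeholders, and every function name is the example's own.

```python
"""Added example (not part of the original page or the vendor's product): builds the
key-policy.json that `aws kms create-key --policy file://key-policy.json` needs so
CloudTrail can encrypt log files with the key, and checks an existing policy for the
same grants. Account ID, Region and trail name below are assumed placeholders."""
import json

ACCOUNT_ID = "111122223333"     # assumed account ID, replace with yours
TRAIL_REGION = "us-east-1"      # assumed home Region of the trail
TRAIL_NAME = "gxp-audit-trail"  # assumed trail name

CLOUDTRAIL = "cloudtrail.amazonaws.com"
ENC_CTX_KEY = "kms:EncryptionContext:aws:cloudtrail:arn"


def build_cloudtrail_key_policy(account_id, trail_region, trail_name):
    """Return a key policy dict with the statements CloudTrail and log readers need."""
    trail_arn = f"arn:aws:cloudtrail:{trail_region}:{account_id}:trail/{trail_name}"
    any_trail_in_account = f"arn:aws:cloudtrail:*:{account_id}:trail/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Key administration stays with the account; without a statement like
                # this the key becomes unmanageable once the creator's credentials go.
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # CloudTrail requests a data key per log file. The encryption context
                # condition stops a trail in another account from using this key, and
                # aws:SourceArn pins the grant to this specific trail.
                "Sid": "AllowCloudTrailToEncryptLogs",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL},
                "Action": "kms:GenerateDataKey*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"aws:SourceArn": trail_arn},
                    "StringLike": {ENC_CTX_KEY: any_trail_in_account},
                },
            },
            {   # CloudTrail validates the key when the trail is created or updated.
                "Sid": "AllowCloudTrailToDescribeKey",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL},
                "Action": "kms:DescribeKey",
                "Resource": "*",
            },
            {   # Readers of the log bucket need Decrypt. "AWS": "*" is acceptable only
                # because kms:CallerAccount limits it to principals in this account,
                # who still need kms:Decrypt in their own IAM policy.
                "Sid": "AllowAccountPrincipalsToDecryptLogs",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"kms:CallerAccount": account_id},
                    "StringLike": {ENC_CTX_KEY: any_trail_in_account},
                },
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_cloudtrail_grants(policy):
    """Return the KMS actions CloudTrail still lacks in an existing key policy.

    Only Allow statements whose Principal names the CloudTrail service principal are
    counted; an action matches if it is the call itself, a prefix wildcard such as
    kms:GenerateDataKey*, or kms:*. An empty result means step 1 of troubleshooting
    passes (conditions on the statement are not evaluated here).
    """
    needed = {"kms:GenerateDataKey": False, "kms:DescribeKey": False}
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or CLOUDTRAIL not in services:
            continue
        for action in _as_list(stmt.get("Action", [])):
            for want in needed:
                if action == "kms:*" or want.startswith(action.rstrip("*")):
                    needed[want] = True
    return sorted(a for a, ok in needed.items() if not ok)


def write_key_policy(path, policy):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)


if __name__ == "__main__":
    doc = build_cloudtrail_key_policy(ACCOUNT_ID, TRAIL_REGION, TRAIL_NAME)
    write_key_policy("key-policy.json", doc)
    print("missing CloudTrail grants:", missing_cloudtrail_grants(doc) or "none")
```

Run the script, then pass the file to aws kms create-key --policy file://key-policy.json. To audit a key that already exists, fetch its policy with aws kms get-key-policy --key-id <cmk-id> --policy-name default, parse the Policy field (a JSON string) and call missing_cloudtrail_grants on the result; anything it returns is a statement to add before the update-trail call will succeed.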

Step-by-Step Guide for Remediation

Follow these steps to ensure CloudTrail trail logs are encrypted with KMS CMK for GxP 21 CFR Part 11 compliance:

  1.

    Create or verify the KMS customer managed key:

    • Use the AWS Management Console or the AWS CLI command shown above to create the key if it does not exist, supplying a key policy that grants cloudtrail.amazonaws.com kms:GenerateDataKey* and kms:DescribeKey.
    • Note the key ARN; you will need it in step 3. Prefer the ARN over the bare key ID when scripting, so the Region and account are explicit.
  2.

    Create the CloudTrail trail (skip this step if it already exists):

    • Use the AWS Management Console or the AWS CLI to create the trail.
    • Make it a multi-Region trail so that activity in every Region is captured, and point it at an S3 bucket whose bucket policy allows CloudTrail to write to it.
  3.

    Enable encryption with the KMS key:

    • Update the trail with the AWS CLI command shown above (or the trail's SSE-KMS encryption setting in the console), replacing <trail-name> with the name of your trail and <cmk-id> with the key ARN from step 1.
    • If the call fails with InsufficientEncryptionPolicyException, correct the key policy from step 1 and retry.
  4.

    Validate encryption and compliance:

    • Confirm that the trail's KmsKeyId is set to the intended key and that the key's state is Enabled.
    • Enable log file validation on the trail as well, so the digest files provide the tamper evidence that 21 CFR Part 11 expects of an audit trail; encryption alone covers confidentiality.
    • Record the key policy, the trail configuration and the validation status as part of your 21 CFR Part 11 evidence.

Completing these steps ensures that CloudTrail log files are encrypted under a key your account controls, which supports the 21 CFR Part 11 requirements for protecting electronic records and their audit trails.
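As an added example (not the vendor's rule engine or any AWS code), the following Python script shows how the validation in step 4 can be automated. It evaluates the rule against the JSON shapes returned by aws cloudtrail describe-trails and aws kms describe-key, fails trails with no key or a disabled key, skips organization trails owned by another account (those can only be fixed from the management account), warns when log file validation is off, and emits the update-trail command from the remediation section for each failing trail. The trail and key records are constructed samples for an assumed account 111122223333, and the key policy is deliberately out of scope here. In practice you would pass in live boto3 or CLI output.

```python
"""Added example: evaluates "CloudTrail trail logs should be encrypted with KMS CMK"
against constructed describe-trails / describe-key output (field names follow the
AWS CLI and boto3 responses; account, trail and key values are assumed samples)."""

ACCOUNT_ID = "111122223333"  # assumed account being assessed
GOOD_KEY = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
BAD_KEY = "arn:aws:kms:us-east-1:111122223333:key/aaaabbbb-cccc-dddd-eeee-ffff00001111"
ORG_KEY = "arn:aws:kms:us-east-1:999999999999:key/99999999-0000-1111-2222-333333333333"

# Constructed `aws cloudtrail describe-trails` output: a compliant trail, a trail with
# no KMS key, a trail whose key is disabled, and an org trail owned by another account.
DESCRIBE_TRAILS = {"trailList": [
    {"Name": "gxp-audit-trail",
     "TrailARN": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT_ID}:trail/gxp-audit-trail",
     "HomeRegion": "us-east-1", "S3BucketName": f"gxp-cloudtrail-logs-{ACCOUNT_ID}",
     "IsMultiRegionTrail": True, "IsOrganizationTrail": False,
     "LogFileValidationEnabled": True, "KmsKeyId": GOOD_KEY},
    {"Name": "legacy-trail",  # no KmsKeyId: log files are delivered with SSE-S3 only
     "TrailARN": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT_ID}:trail/legacy-trail",
     "HomeRegion": "us-east-1", "S3BucketName": f"legacy-logs-{ACCOUNT_ID}",
     "IsMultiRegionTrail": False, "IsOrganizationTrail": False,
     "LogFileValidationEnabled": False},
    {"Name": "disabled-key-trail",
     "TrailARN": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT_ID}:trail/disabled-key-trail",
     "HomeRegion": "us-east-1", "S3BucketName": f"other-logs-{ACCOUNT_ID}",
     "IsMultiRegionTrail": True, "IsOrganizationTrail": False,
     "LogFileValidationEnabled": True, "KmsKeyId": BAD_KEY},
    {"Name": "org-trail",  # owned by the management account 999999999999
     "TrailARN": "arn:aws:cloudtrail:us-east-1:999999999999:trail/org-trail",
     "HomeRegion": "us-east-1", "S3BucketName": "org-logs-999999999999",
     "IsMultiRegionTrail": True, "IsOrganizationTrail": True,
     "LogFileValidationEnabled": True, "KmsKeyId": ORG_KEY},
]}

# Constructed `aws kms describe-key` KeyMetadata, keyed by key ARN. ORG_KEY is absent
# because a member account cannot describe the management account's key.
DESCRIBE_KEY = {
    GOOD_KEY: {"KeyState": "Enabled", "KeyManager": "CUSTOMER"},
    BAD_KEY: {"KeyState": "Disabled", "KeyManager": "CUSTOMER"},
}


def trail_account(trail):
    """Account ID is the fifth colon-separated field of an ARN."""
    return trail["TrailARN"].split(":")[4]


def evaluate_trail(trail, key_metadata, account_id=ACCOUNT_ID):
    """Return {"status": PASS|FAIL|SKIP, "findings": [...], "warnings": [...]}."""
    findings, warnings = [], []
    if trail.get("IsOrganizationTrail") and trail_account(trail) != account_id:
        warnings.append(f"organization trail owned by {trail_account(trail)}; "
                        "remediate it from the management account")
        return {"status": "SKIP", "findings": findings, "warnings": warnings}
    key_id = trail.get("KmsKeyId")
    if not key_id:
        findings.append("no KmsKeyId on trail: log files use SSE-S3, not a KMS customer managed key")
    else:
        meta = key_metadata.get(key_id)
        if meta is None:
            findings.append(f"key {key_id} could not be described (deleted, wrong Region or not shared)")
        else:
            if meta.get("KeyManager") != "CUSTOMER":
                findings.append("key is AWS managed; the rule requires a customer managed key")
            if meta.get("KeyState") != "Enabled":
                findings.append(f"key state is {meta.get('KeyState')}; CloudTrail cannot "
                                "obtain data keys and log delivery stops")
    if not trail.get("LogFileValidationEnabled"):
        warnings.append("log file validation disabled: no digest files to prove log integrity")
    return {"status": "FAIL" if findings else "PASS", "findings": findings, "warnings": warnings}


def evaluate_all(describe_trails, key_metadata, account_id=ACCOUNT_ID):
    return {t["Name"]: evaluate_trail(t, key_metadata, account_id)
            for t in describe_trails["trailList"]}


def remediation_command(trail_name, key_arn):
    """The update-trail call from the remediation section, for a failing trail."""
    return f"aws cloudtrail update-trail --name {trail_name} --kms-key-id {key_arn}"


if __name__ == "__main__":
    for name, result in evaluate_all(DESCRIBE_TRAILS, DESCRIBE_KEY).items():
        print(f"{result['status']:4} {name}")
        for line in result["findings"] + result["warnings"]:
            print("     -", line)
        if result["status"] == "FAIL":
            print("     fix:", remediation_command(name, GOOD_KEY))
```

The rule's verdict depends only on the key (present, customer managed, enabled); log file validation is reported as a warning because it is a separate integrity control rather than part of this rule. Wiring it to a live account means replacing DESCRIBE_TRAILS and DESCRIBE_KEY with the output of the corresponding boto3 calls, one describe_key per distinct KmsKeyId.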
