
Rule: CloudTrail Trail Logs Encrypted with KMS CMK

This rule checks that every CloudTrail trail writes its log files encrypted with a KMS customer managed key (historically called a customer master key, CMK) rather than with the default S3 server-side encryption.

Rule: CloudTrail trail logs should be encrypted with KMS CMK
Framework: GxP EU Annex 11
Severity: Critical

Ensure CloudTrail Trail Logs are Encrypted with KMS CMK in Compliance with GxP EU Annex 11

Overview

GxP EU Annex 11 requires that electronic records, including audit trails, are protected against loss, alteration and unauthorized access. Encrypting AWS CloudTrail log files with a KMS customer managed key (CMK) gives the log data confidentiality and puts control over who can read it into the key policy, which you administer; CloudTrail log file validation (step 4 below) supplies the integrity half. Together they are a direct, auditable control towards the Annex 11 requirement.

Importance of Encryption for Compliance

  • Protects log files at rest in S3 (transport to S3 is already protected by TLS).
  • Keeps audit logs confidential, and, combined with log file validation, lets you prove they were not altered.
  • Mitigates the risk of unauthorized access: anyone reading the logs needs kms:Decrypt on the key, not just s3:GetObject on the bucket.

Configuring CloudTrail Log Encryption with KMS CMK

Step 1: Verify Existing Trails

CLI Command

aws cloudtrail describe-trails
  • Check that at least one trail exists; if not, create one before proceeding. In the output, a trail that already shows a KmsKeyId is already encrypted; trails with no KmsKeyId need steps 2 to 5.

Step 2: Create a KMS CMK

CLI Command

aws kms create-key --description "CloudTrail/GxP Annex 11 key"
  • This generates a symmetric CMK that you can use to encrypt CloudTrail logs. Two caveats: the default key policy does not allow the CloudTrail service to use the key, so the update-trail call in step 5 fails with InsufficientEncryptionPolicyException unless the key policy grants cloudtrail.amazonaws.com kms:GenerateDataKey* and kms:DescribeKey; and the key must be in the same Region as the S3 bucket that receives the log files. Pass a suitable policy with --policy at creation time, or attach one afterwards with put-key-policy.

Step 3: Assign Alias to KMS CMK

CLI Command

aws kms create-alias --alias-name alias/CloudTrailGxPKey --target-key-id <Key ID from previous step>
  • Replace <Key ID from previous step> with the generated Key ID. The alias can be used in place of the Key ID wherever a key is referenced, including in step 5.

Step 4: Enable Log File Validation

CLI Command

aws cloudtrail update-trail --name <Your Trail Name> --enable-log-file-validation
  • Replace <Your Trail Name> with your CloudTrail name. With validation enabled, CloudTrail writes hourly digest files containing SHA-256 hashes of each log file, signed with a CloudTrail private key; the validate-logs subcommand can later prove that no log file was altered or deleted after delivery. This is the integrity control that complements encryption.

Step 5: Apply KMS CMK Encryption to CloudTrail

CLI Command

aws cloudtrail update-trail --name <Your Trail Name> --kms-key-id <Key ID>
  • Replace <Your Trail Name> with your CloudTrail name and <Key ID> with the Key ID, key ARN or alias from steps 2 and 3.
  • Only log files delivered after this change are encrypted with the CMK; existing objects in the bucket are not re-encrypted.
  • From this point on, every principal that reads the logs (analysts, SIEM collectors, forensic tooling) needs kms:Decrypt on the key in addition to s3:GetObject on the bucket.
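The five steps above as one script, added here as an example rather than taken from the original page. It first builds the key policy CloudTrail needs (account root as key administrator, plus GenerateDataKey* and DescribeKey for the CloudTrail service principal scoped to trails in this account), then creates the key with that policy, aliases it and points the trail at it. The account ID, Region, trail name and alias are assumed placeholders; the aws CLI is assumed to be configured with rights for kms:CreateKey, kms:CreateAlias and cloudtrail:UpdateTrail.

```shell
#!/bin/sh
# Added example, not the page's own code. Inputs (account, region, trail, alias)
# are assumed placeholders; the aws CLI must already be configured.

# Print the KMS key policy CloudTrail needs. Without the two CloudTrail
# statements, update-trail --kms-key-id fails with
# InsufficientEncryptionPolicyException. The root statement keeps the key
# manageable by the account's IAM principals.
cloudtrail_key_policy() {
  account="$1"; region="$2"; trail="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnableIAMUserPermissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${account}:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowCloudTrailToEncryptLogs",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "kms:GenerateDataKey*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {"aws:SourceArn": "arn:aws:cloudtrail:${region}:${account}:trail/${trail}"},
        "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${account}:trail/*"}
      }
    },
    {
      "Sid": "AllowCloudTrailToDescribeKey",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "kms:DescribeKey",
      "Resource": "*"
    }
  ]
}
EOF
}

# Create the key with that policy, alias it, then enable log file validation
# and CMK encryption on the trail in a single update-trail call.
encrypt_trail() {
  account="$1"; region="$2"; trail="$3"; alias_name="$4"
  policy_file=$(mktemp)
  cloudtrail_key_policy "$account" "$region" "$trail" > "$policy_file"
  key_id=$(aws kms create-key --region "$region" \
      --description "CloudTrail/GxP Annex 11 key" \
      --policy "file://$policy_file" \
      --query KeyMetadata.KeyId --output text)
  rm -f "$policy_file"
  aws kms create-alias --region "$region" \
      --alias-name "alias/$alias_name" --target-key-id "$key_id"
  aws cloudtrail update-trail --region "$region" --name "$trail" \
      --enable-log-file-validation --kms-key-id "alias/$alias_name"
  echo "$key_id"
}

# Usage against a real account (values are placeholders):
# encrypt_trail 123456789012 us-east-1 my-gxp-trail CloudTrailGxPKey
```

The aws:SourceArn condition pins the GenerateDataKey grant to one trail; drop it, keeping the encryption-context condition, if several trails in the account share the key. Principals that need to read the logs still have to be given kms:Decrypt separately, either in this key policy or through IAM.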

Troubleshooting

Trail Not Logging Events

  • Validate that your trail is properly configured and set to an active state.
  • Ensure the S3 bucket policy allows CloudTrail to write logs.

CloudTrail Logs Not Encrypted

  • Confirm that the trail shows a KmsKeyId in describe-trails output; if not, re-run the update-trail command from step 5.
  • If update-trail returns InsufficientEncryptionPolicyException, the key policy does not allow cloudtrail.amazonaws.com to call kms:GenerateDataKey* and kms:DescribeKey; fix the key policy, not the IAM policy of the caller.
  • Check that the key is enabled, not pending deletion, and in the same Region as the log bucket.

Access Denied Errors with KMS

  • A reader who gets AccessDenied on log objects usually lacks kms:Decrypt on the CMK; s3:GetObject alone is not enough once logs are CMK-encrypted.
  • Review the KMS key policy (and any grants) to confirm the expected principals are permitted, and that an explicit Deny elsewhere is not overriding them.

Remediation

  • Reapply the correct KMS CMK encryption using the update-trail CLI command if any errors are encountered.
  • If CloudTrail or KMS permissions are misconfigured, review and adjust the policies accordingly.

Final Steps

  • Regularly monitor CloudTrail and the CMK: alert on cloudtrail:UpdateTrail, StopLogging and DeleteTrail events, and on kms:DisableKey or ScheduleKeyDeletion against the log key, since any of these silently removes the control.
  • Run compliance auditing tools or scripts periodically to check the encryption and validation status of every trail; the AWS Config managed rule cloud-trail-encryption-enabled performs the encryption check continuously.
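A minimal periodic audit of the kind the final steps call for, added here as an example and not part of the original page. It feeds describe-trails output, reduced to tab-separated Name, KmsKeyId and LogFileValidationEnabled columns, through a check that flags any trail missing either control. The trail names and key ARN in the sample are constructed so the check can be exercised offline; audit_account runs it against a real account and assumes a configured aws CLI.

```shell
#!/bin/sh
# Added example, not the page's own code. Sample trails below are constructed.

# Read "Name<TAB>KmsKeyId<TAB>LogFileValidationEnabled" lines (the CLI prints
# "None" for a missing KmsKeyId) and print one FAIL line per missing control.
# Returns 0 when every trail passes, 1 if any finding was printed.
audit_trails() {
  status=0
  while IFS="$(printf '\t')" read -r name key_id validation; do
    [ -n "$name" ] || continue
    if [ -z "$key_id" ] || [ "$key_id" = "None" ]; then
      echo "FAIL $name: log files not encrypted with a KMS key"
      status=1
    fi
    if [ "$validation" != "True" ]; then
      echo "FAIL $name: log file validation disabled"
      status=1
    fi
  done
  return $status
}

# Live check: include shadow trails so multi-Region trails homed elsewhere
# are not missed, then pipe the reduced columns into audit_trails.
audit_account() {
  aws cloudtrail describe-trails --include-shadow-trails \
    --query 'trailList[].[Name,KmsKeyId,LogFileValidationEnabled]' \
    --output text | audit_trails
}

# Constructed describe-trails output: one compliant trail, one with neither
# control, one with validation but no KMS key.
sample_trails() {
  printf 'gxp-trail\tarn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab\tTrue\n'
  printf 'legacy-trail\tNone\tFalse\n'
  printf 'partial-trail\tNone\tTrue\n'
}

# Offline dry run against the constructed sample.
if sample_trails | audit_trails; then
  echo "all trails compliant"
else
  echo "non-compliant trails found"
fi
```

Wire audit_account into a scheduled job and treat a non-zero exit as a finding; the three FAIL lines from the sample show the two distinct ways a trail can fail this rule.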

Conclusion

Encrypting CloudTrail logs with a KMS CMK, together with log file validation, is a concrete control for the record-protection requirements of GxP EU Annex 11. By following the steps provided, and verifying that the key policy admits CloudTrail and the intended readers, you can secure your trail logs in accordance with regulatory expectations and strengthen the security posture of your AWS environment.
