This rule ensures that log group encryption at rest is enabled for enhanced security.
Rule | Log group encryption at rest should be enabled |
Framework | GxP EU Annex 11 |
Severity | ✔ High |
Log Group Encryption at Rest for GxP EU Annex 11 Compliance
Overview
For organizations that need to comply with Good Manufacturing Practice (GMP) rules in the EU, particularly those subject to Annex 11, which pertains to computerized systems, it's crucial to ensure that all electronic records are stored securely. This includes enforcing encryption at rest for CloudWatch Log Groups, which can contain sensitive information that must be protected.
AWS CloudWatch Logs is an AWS service that allows for the monitoring, storage, and access to log files from AWS resources. Ensuring encryption at rest for log groups helps in protecting data from unauthorized access if the physical security controls of the storage layer are compromised.
Detailed Rule Description
Encryption at rest must be enabled for all AWS CloudWatch Log Groups to ensure that sensitive information contained within the logs is encrypted using AWS Key Management Service (KMS) customer master keys (CMKs). This prevents unauthorized users from accessing the data if they manage to gain physical access to the storage media.
To comply with GxP EU Annex 11, organizations should follow the remediation steps in the sections below.
Troubleshooting Steps
If your CloudWatch Log Groups are not currently encrypted, follow these steps:
Identify Unencrypted Log Groups: Use AWS CLI or AWS Management Console to list all CloudWatch Log Groups and identify those without encryption.
Enable Encryption: For each unencrypted Log Group, enable encryption by associating it with a KMS CMK.
Audit and Monitor: Establish mechanisms for regular auditing to ensure ongoing compliance with the encryption policy.
Automate Compliance: Consider using AWS Config Rules to automatically detect non-compliant log groups and AWS Lambda to remediate issues.
Necessary Commands
Below are CLI commands that can be used to identify and remediate unencrypted Log Groups.
Identify Unencrypted Log Groups
The following AWS CLI command lists the names of log groups that have no KMS key associated (the query selects entries whose kmsKeyId is unset):
aws logs describe-log-groups --query 'logGroups[?!kmsKeyId].logGroupName'
Enable Encryption for a Log Group
Use this AWS CLI command to associate a KMS CMK with a log group:
aws logs associate-kms-key --log-group-name "your-log-group-name" --kms-key-id "your-kms-key-id"
Replace 'your-log-group-name' with the name of your log group and 'your-kms-key-id' with your KMS key ARN.
Step-by-Step Guide for Remediation
Step 1: Create or Identify a KMS CMK
Before you can enable encryption on a Log Group, you need to have a KMS CMK in place.
aws kms create-key --description "Description of the key"
Step 2: Enable Encryption on Log Groups
For each Log Group:
Run the associate-kms-key CLI command mentioned above.
Confirm the change by running describe-log-groups again.
Step 3: Monitor and Audit for Compliance
Create an AWS Config rule that checks for encryption, and set up notifications or auto-remediation through AWS Lambda for any log group found to be non-compliant.
Step 4: Automate Log Group Encryption
Consider using infrastructure as code (IaC) tools like AWS CloudFormation or Terraform to automate the creation of encrypted Log Groups.
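The identify-and-remediate loop from the steps above, as an added Python example that is not part of this rule's documentation; it assumes boto3 and AWS credentials only for the live call, and the log group names and key ARN in the sample are constructed placeholders.

```python
"""Detect CloudWatch log groups with no customer-managed KMS key and build the
remediation commands from this page (mirrors --query 'logGroups[?!kmsKeyId]')."""
import shlex
from typing import Iterable, List, Optional


def find_unencrypted(pages: Iterable[dict]) -> List[str]:
    """Names of log groups whose kmsKeyId is absent or empty, across every
    describe-log-groups page (the API returns at most 50 groups per call)."""
    unencrypted = []
    for page in pages:
        for group in page.get("logGroups", []):
            if not group.get("kmsKeyId"):
                unencrypted.append(group["logGroupName"])
    return unencrypted


def remediation_commands(names: Iterable[str], key_arn: str) -> List[str]:
    """One associate-kms-key command per log group, with shell-safe quoting."""
    return [
        f"aws logs associate-kms-key --log-group-name {shlex.quote(n)} "
        f"--kms-key-id {shlex.quote(key_arn)}"
        for n in names
    ]


# Constructed sample: two result pages in describe-log-groups shape.
# Log group names and the key ARN are placeholders, not real resources.
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_PAGES = [
    {"logGroups": [
        {"logGroupName": "/aws/lambda/batch-release", "kmsKeyId": KEY_ARN},
        {"logGroupName": "/app/lims-audit-trail"},  # no key at all
    ]},
    {"logGroups": [{"logGroupName": "/app/mes-shopfloor", "kmsKeyId": ""}]},
]


def live_pages(region: Optional[str] = None):
    """Fetch real pages; boto3 is imported lazily so the rest runs without it."""
    import boto3  # assumes boto3 is installed and AWS credentials are configured
    client = boto3.client("logs", region_name=region)
    return client.get_paginator("describe_log_groups").paginate()


if __name__ == "__main__":
    for cmd in remediation_commands(find_unencrypted(SAMPLE_PAGES), KEY_ARN):
        print(cmd)
```

The key policy must allow the regional CloudWatch Logs service principal (logs.<region>.amazonaws.com) to use the key, or associate-kms-key fails with an access error. Only data ingested after the association is encrypted with that key, so re-check with describe-log-groups rather than assuming older data was re-encrypted.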
By following these steps and automating compliance checks, you help ensure that your organization maintains continual compliance with the GxP EU Annex 11 requirements for encryption at rest of log groups, and you strengthen the security posture of your AWS environment.