
Ensure Log Group Encryption at Rest is Enabled Rule

This rule ensures that log group encryption at rest is enabled for enhanced security.

Rule: Log group encryption at rest should be enabled
Framework: GxP EU Annex 11
Severity: High

Log Group Encryption at Rest for GxP EU Annex 11 Compliance

Overview

For organizations that need to comply with Good Manufacturing Practice (GMP) rules in the EU, particularly those subject to Annex 11, which pertains to computerized systems, it's crucial to ensure that all electronic records are stored securely. This includes enforcing encryption at rest for CloudWatch Log Groups, which can contain sensitive information that must be protected.

AWS CloudWatch Logs is an AWS service for monitoring, storing, and accessing log files from AWS resources. Encrypting log groups at rest protects the data from unauthorized access if the physical security controls of the storage layer are compromised.

Detailed Rule Description

Encryption at rest must be enabled for all AWS CloudWatch Log Groups to ensure that sensitive information contained within the logs is encrypted using AWS Key Management Service (KMS) customer master keys (CMKs). This prevents unauthorized users from accessing the data if they manage to gain physical access to the storage media.

To comply with GxP EU Annex 11, organizations should:

  • Encrypt new and existing CloudWatch Log Groups with KMS CMKs.
  • Regularly monitor the encryption status of Log Groups.
  • Create and enforce policies that require encryption at rest using KMS.

Troubleshooting Steps

If your CloudWatch Log Groups are not currently encrypted, follow these steps:

  1. Identify Unencrypted Log Groups: Use the AWS CLI or the AWS Management Console to list all CloudWatch Log Groups and identify those without encryption.
  2. Enable Encryption: For each unencrypted Log Group, enable encryption by associating it with a KMS CMK.
  3. Audit and Monitor: Establish mechanisms for regular auditing to ensure ongoing compliance with the encryption policy.
  4. Automate Compliance: Consider using AWS Config Rules to automatically detect non-compliant log groups and AWS Lambda to remediate issues.

Necessary Commands

Below are CLI commands that can be used to identify and remediate unencrypted Log Groups.

Identify Unencrypted Log Groups

The following AWS CLI command lists the names of log groups that have no KMS key associated (the kmsKeyId field is absent from a log group that is not encrypted with a CMK):

aws logs describe-log-groups --query 'logGroups[?!kmsKeyId].logGroupName'

Enable Encryption for a Log Group

Use this AWS CLI command to associate a KMS CMK with a log group:

aws logs associate-kms-key --log-group-name "your-log-group-name" --kms-key-id "your-kms-key-id"

Replace 'your-log-group-name' with the name of your log group and 'your-kms-key-id' with your KMS key ARN.

Step-by-Step Guide for Remediation

Step 1: Create or Identify a KMS CMK

Before you can enable encryption on a Log Group, you need to have a KMS CMK in place.

  • To create a new CMK:
    aws kms create-key --description "Description of the key"
  • To use an existing CMK: Identify the Key ID or ARN of your existing key.

Step 2: Enable Encryption on Log Groups

For each Log Group:

  • Run the associate-kms-key CLI command mentioned above.
  • Confirm that encryption is enabled by running describe-log-groups again.

Step 3: Monitor and Audit for Compliance

Create an AWS Config Rule to check for encryption, and set up notifications or auto-remediation through AWS Lambda if a log group is found to be non-compliant.
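The following is an added example, not Cloud Defense's or AWS's own code, showing the check-and-remediate logic that the Troubleshooting Steps above and this Step 3 describe: page through describe-log-groups, flag every group whose entry has no kmsKeyId, verify that the key policy grants the CloudWatch Logs service principal (logs.<region>.amazonaws.com) the actions AWS requires, and only then call associate-kms-key. The key-policy check matters in practice because associate-kms-key is rejected when the service principal cannot use the key. The AWS clients are injected, so the same functions work with real boto3 "logs" and "kms" clients or with the constructed fakes and sample data at the bottom (all names, ARNs and log group names there are made up), which is what lets the script run offline.

```python
# Added example (not Cloud Defense's or AWS's code): the check-and-remediate logic an
# AWS Config custom rule or remediation Lambda would run for this rule. Clients are
# injected, so it works with boto3 clients ("logs", "kms") or the constructed fakes below.
import copy
import fnmatch
import json

# Actions the CloudWatch Logs service principal needs on the key (AWS key-policy guidance).
REQUIRED_KMS_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt",
                        "kms:GenerateDataKey", "kms:Describe")


def find_unencrypted_log_groups(logs_client):
    """Names of log groups whose describe-log-groups entry has no kmsKeyId; follows nextToken."""
    unencrypted, kwargs = [], {}
    while True:
        resp = logs_client.describe_log_groups(**kwargs)
        unencrypted += [g["logGroupName"] for g in resp.get("logGroups", []) if not g.get("kmsKeyId")]
        if not resp.get("nextToken"):
            return unencrypted
        kwargs = {"nextToken": resp["nextToken"]}


def key_policy_allows_logs_service(policy_document, region):
    """True if an Allow statement grants logs.<region>.amazonaws.com every required action."""
    service = f"logs.{region}.amazonaws.com"
    for stmt in json.loads(policy_document).get("Statement", []):
        principal = stmt.get("Principal", {})  # may be the string "*" rather than a dict
        principals = principal.get("Service", []) if isinstance(principal, dict) else []
        principals = [principals] if isinstance(principals, str) else principals
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or service not in principals:
            continue
        # Key policies use wildcards such as kms:Encrypt*, so match each needed action by glob.
        if all(any(fnmatch.fnmatchcase(need, p) for p in actions) for need in REQUIRED_KMS_ACTIONS):
            return True
    return False


def remediate(logs_client, kms_client, key_arn, region):
    """Associate key_arn with each unencrypted group, but only if the key policy permits it;
    associate-kms-key is rejected otherwise, so checking first avoids a half-applied rollout."""
    result = {"remediated": [], "skipped": []}
    targets = find_unencrypted_log_groups(logs_client)
    if targets:
        policy = kms_client.get_key_policy(KeyId=key_arn, PolicyName="default")["Policy"]
        if not key_policy_allows_logs_service(policy, region):
            result["skipped"] = [(n, "key policy lacks grant for logs service principal") for n in targets]
            return result
        for name in targets:
            logs_client.associate_kms_key(logGroupName=name, kmsKeyId=key_arn)
            result["remediated"].append(name)
    return result


# ---- Constructed sample data and fakes standing in for boto3 clients (not real resources) ----
SAMPLE_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder ARN
SAMPLE_LOG_GROUPS = [  # shape of a describe-log-groups response; /ecs/app-b is already encrypted
    {"logGroupName": "/aws/lambda/app-a"},
    {"logGroupName": "/ecs/app-b", "kmsKeyId": SAMPLE_KEY_ARN},
    {"logGroupName": "/aws/rds/app-c"},
]
SAMPLE_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"Service": "logs.eu-west-1.amazonaws.com"}, "Resource": "*",
     "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]},
]})


class FakeLogsClient:
    """Minimal 'logs' client: serves two groups per page and records key associations."""
    def __init__(self, groups):
        self.groups = copy.deepcopy(groups)

    def describe_log_groups(self, nextToken=None, **_):
        start = int(nextToken or 0)
        resp = {"logGroups": self.groups[start:start + 2]}
        if start + 2 < len(self.groups):
            resp["nextToken"] = str(start + 2)
        return resp

    def associate_kms_key(self, logGroupName, kmsKeyId):
        for g in self.groups:
            if g["logGroupName"] == logGroupName:
                g["kmsKeyId"] = kmsKeyId


class FakeKmsClient:
    """Minimal 'kms' client returning a fixed key policy document."""
    def __init__(self, policy_document):
        self.policy_document = policy_document

    def get_key_policy(self, KeyId, PolicyName="default"):
        return {"Policy": self.policy_document}


if __name__ == "__main__":
    logs = FakeLogsClient(SAMPLE_LOG_GROUPS)
    print("non-compliant:", find_unencrypted_log_groups(logs))
    print("remediation:", remediate(logs, FakeKmsClient(SAMPLE_KEY_POLICY), SAMPLE_KEY_ARN, "eu-west-1"))
```

To use it against a real account, pass boto3.client("logs") and boto3.client("kms") in place of the fakes; the region argument must be the region of the log groups, since the service principal in the key policy is region-specific. In a Lambda, the same three functions serve as the evaluation and remediation handlers, with the skipped list surfaced as the non-compliance reason rather than silently retried.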

Step 4: Automate Log Group Encryption

Consider using infrastructure as code (IaC) tools like AWS CloudFormation or Terraform to automate the creation of encrypted Log Groups.

By following these steps and automating compliance checks, you help ensure that your organization maintains continual compliance with GxP EU Annex 11 requirements related to encryption at rest for log groups, and you strengthen the security posture of your AWS environment.
