This rule ensures that CloudTrail trail logs are encrypted with KMS CMK for enhanced security measures.
| Rule | CloudTrail trail logs should be encrypted with KMS CMK |
| Framework | HIPAA |
| Severity | ✔ Critical |
Rule/Policy Description:
CloudTrail is an AWS service that logs and monitors the account activity occurring within an AWS account. To comply with the Health Insurance Portability and Accountability Act (HIPAA), the CloudTrail trail logs must be encrypted, which is achieved by encrypting them with an AWS Key Management Service (KMS) Customer Master Key (CMK).
Troubleshooting Steps:
If encrypting CloudTrail trail logs with a KMS CMK fails, work through the following checks:
1. Check IAM permissions: confirm that the IAM user or role making the change is allowed to create and use KMS CMKs by reviewing the IAM policies attached to it.
2. Check the KMS key policy: review the key policy of the CMK used for CloudTrail encryption and confirm that the relevant IAM users or roles are permitted to use the key for encryption and decryption operations.
3. Verify the CMK configuration: confirm that the CMK used for CloudTrail encryption is properly configured, checking the key material origin, rotation status and other attributes.
4. Check the CloudTrail settings: in the AWS Management Console, confirm that the trail references the intended CMK and that its encryption settings are correct.
Necessary Codes:
No specific code is required for this rule/policy. CloudTrail encryption with a KMS CMK is configured through the AWS Management Console or with AWS Command Line Interface (CLI) commands.
Step-by-Step Guide for Remediation:
Follow these steps to encrypt CloudTrail trail logs with a KMS CMK for HIPAA compliance:
1. Log in to the AWS Management Console.
2. Go to the AWS CloudTrail service.
3. Select the CloudTrail trail you want to encrypt.
4. Click "Edit" to modify the trail configuration.
5. Under the "Storage location" section, select the KMS CMK to use for encryption from the dropdown menu. If no KMS CMK is available, create one by following the KMS CMK creation process.
6. Save the changes and confirm the encryption settings.
Once the CloudTrail trail is configured with the selected KMS CMK, every log file the trail delivers from that point on is encrypted with that CMK. This keeps the log files confidential and satisfies the HIPAA requirement.
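The check this rule performs, and the CLI form of the remediation above, as an added example that is not part of the original page or of any AWS tool. It evaluates the `trailList` structure returned by `aws cloudtrail describe-trails`; the trail records, account number and KMS key ARN are constructed placeholders.

```python
"""Audit trails for this rule and emit a CLI remediation for each finding.

Added example, not part of the original page. It evaluates the `trailList`
returned by `aws cloudtrail describe-trails`; the trail records and the KMS
key ARN below are constructed placeholders.
"""

# Constructed describe-trails output: two trails homed in us-east-1 and the
# shadow copy of a multi-region trail whose home region is eu-west-1.
ACCOUNT = "111122223333"
SAMPLE_TRAILS = [
    {"Name": "hipaa-audit", "HomeRegion": "us-east-1",
     "TrailARN": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/hipaa-audit",
     "KmsKeyId": f"arn:aws:kms:us-east-1:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"},
    {"Name": "legacy-trail", "HomeRegion": "us-east-1",      # no KmsKeyId: non-compliant
     "TrailARN": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/legacy-trail"},
    {"Name": "org-trail", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": True,
     "TrailARN": f"arn:aws:cloudtrail:eu-west-1:{ACCOUNT}:trail/org-trail"},
]

def find_unencrypted_trails(trails):
    """Return trails with no KMS CMK configured.

    CloudTrail omits `KmsKeyId` when a trail relies on default S3 encryption
    only, which is the condition this rule flags as Critical.
    """
    return [t for t in trails if not t.get("KmsKeyId")]

def remediation_commands(trails, key_arn):
    """Build one `aws cloudtrail update-trail` command per non-compliant trail.

    update-trail must run in the trail's home region (elsewhere it fails with
    InvalidHomeRegionException), so --region is pinned to HomeRegion. The CMK's
    key policy must also let the CloudTrail service principal generate data
    keys; that is not inspected here.
    """
    return [
        f"aws cloudtrail update-trail --region {t['HomeRegion']} "
        f"--name {t['TrailARN']} --kms-key-id {key_arn}"
        for t in find_unencrypted_trails(trails)
    ]

if __name__ == "__main__":
    # Placeholder: substitute the CMK chosen in the remediation guide above.
    key_arn = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/REPLACE-WITH-YOUR-CMK-ID"
    for t in find_unencrypted_trails(SAMPLE_TRAILS):
        print(f"NON-COMPLIANT: {t['Name']} (home region {t['HomeRegion']})")
    print("\n".join(remediation_commands(SAMPLE_TRAILS, key_arn)))
```

Against a live account, replace SAMPLE_TRAILS with the `trailList` from `describe-trails` and run the audit once per region, since shadow trails are only reported where they are replicated.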