
Rule: CloudTrail Trail Logs Encrypted with KMS CMK

This rule checks that every CloudTrail trail encrypts its log files with an AWS KMS customer managed key (historically called a customer master key, or CMK) rather than the S3 default encryption.

Rule: CloudTrail trail logs should be encrypted with KMS CMK
Framework: NIST 800-171 Revision 2
Severity: Critical

Rule Description

This rule verifies that each CloudTrail trail has a KMS key configured for log file encryption (SSE-KMS). When no key is set, CloudTrail delivers log files with the S3 default (SSE-S3), and the account has no key policy it controls over who can read the audit trail. NIST 800-171 Revision 2 does not define an encryption algorithm; the relevant requirements are protecting audit information from unauthorized access, modification and deletion (3.3.8) and using FIPS-validated cryptography to protect the confidentiality of CUI (3.13.11). AWS KMS keys are backed by FIPS 140-validated hardware security modules, and a customer managed key lets you scope decrypt access to the log files through its key policy.

Troubleshooting Steps

If a CloudTrail trail is reported as not encrypted with a KMS CMK, work through the following checks:

  1. Verify encryption status: look at the trail's description and check whether the KmsKeyId field is set. If it is absent, log files are delivered with S3 default encryption only.

  2. Check the KMS key: confirm that the key referenced by KmsKeyId still exists, is in the Enabled state (not disabled or pending deletion), and is in the same Region as the S3 bucket that receives the log files.

  3. Confirm the key type: CloudTrail accepts only a customer managed, symmetric key. An AWS managed key cannot be selected, and a key in another account works only if its key policy grants the CloudTrail service principal access.

  4. Verify the key policy, not an IAM role: CloudTrail does not assume an IAM role to write log files, so permissions live in the key policy. It must allow the service principal cloudtrail.amazonaws.com to call kms:GenerateDataKey* (ideally scoped with a kms:EncryptionContext:aws:cloudtrail:arn condition to trails in your account) and kms:DescribeKey. Principals that read the logs need kms:Decrypt on the key. If the grant is missing, updating the trail fails with InsufficientEncryptionPolicyException and log delivery stops.

  5. Review the trail configuration: confirm that the change was saved and note that encryption settings apply only to log files delivered after the change; files already in the bucket keep whatever encryption they were written with.
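The troubleshooting checks above can be run as one audit pass over the output of the describe-trails, describe-key and get-key-policy calls. The following is an added example, not Cloud Defense's rule engine: the trails, keys and key policies are constructed samples shaped like the AWS responses, the account ID is assumed, and nothing here contacts AWS.

```python
"""Audit CloudTrail trails for KMS log encryption (constructed sample data, no AWS calls)."""
import json

ACCOUNT_ID = "123456789012"  # constructed sample account

KEY_GOOD = "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"
KEY_WEAK = "arn:aws:kms:us-east-1:123456789012:key/22222222-2222-2222-2222-222222222222"

# Shape of `describe-trails`: a trail without KmsKeyId uses the S3 default (SSE-S3).
SAMPLE_TRAILS = {"trailList": [
    {"Name": "org-trail", "S3BucketName": "example-logs", "KmsKeyId": KEY_GOOD},
    {"Name": "legacy-trail", "S3BucketName": "example-legacy-logs"},
    {"Name": "partial-trail", "S3BucketName": "example-logs", "KmsKeyId": KEY_WEAK},
]}

# Shape of `describe-key` (KeyMetadata subset), keyed by key ARN.
SAMPLE_KEYS = {
    KEY_GOOD: {"KeyManager": "CUSTOMER", "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT"},
    KEY_WEAK: {"KeyManager": "CUSTOMER", "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT"},
}

# `get-key-policy` returns the policy as a JSON string. KEY_WEAK lacks the CloudTrail grant.
SAMPLE_POLICIES = {
    KEY_GOOD: json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "Admin", "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowCloudTrailEncrypt", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                      f"arn:aws:cloudtrail:*:{ACCOUNT_ID}:trail/*"}}},
    ]}),
    KEY_WEAK: json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "Admin", "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
         "Action": "kms:*", "Resource": "*"},
    ]}),
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def cloudtrail_encrypt_statement(policy):
    """Return the Allow statement letting cloudtrail.amazonaws.com generate data keys, or None."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if "cloudtrail.amazonaws.com" not in services:
            continue
        actions = _as_list(stmt.get("Action"))
        if any(a in ("kms:*", "kms:GenerateDataKey*", "kms:GenerateDataKey") for a in actions):
            return stmt
    return None


def audit_trail(trail, keys, policies, account_id):
    """Return a list of findings for one trail; an empty list means it passes the rule."""
    findings = []
    key_arn = trail.get("KmsKeyId")
    if not key_arn:
        return ["no KmsKeyId: log files use the S3 default encryption, not a KMS key"]
    meta = keys.get(key_arn)
    if meta is None:
        return [f"key {key_arn} not found (deleted, or not visible in this Region)"]
    if meta.get("KeyManager") != "CUSTOMER":
        findings.append("key is not customer managed")
    if meta.get("KeyState") != "Enabled":
        findings.append(f"key state is {meta.get('KeyState')}; log delivery will fail")
    policy = json.loads(policies.get(key_arn, "{}"))
    stmt = cloudtrail_encrypt_statement(policy)
    if stmt is None:
        findings.append("key policy does not allow cloudtrail.amazonaws.com kms:GenerateDataKey*")
    else:
        cond = stmt.get("Condition", {}).get("StringLike", {})
        pattern = cond.get("kms:EncryptionContext:aws:cloudtrail:arn", "")
        if f":{account_id}:trail/" not in pattern:
            findings.append("CloudTrail grant is not scoped to this account's trails via encryption context")
    return findings


def audit_all(trails=SAMPLE_TRAILS, keys=SAMPLE_KEYS, policies=SAMPLE_POLICIES, account_id=ACCOUNT_ID):
    """Map each trail name to its findings."""
    return {t["Name"]: audit_trail(t, keys, policies, account_id) for t in trails["trailList"]}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```

On the constructed data, org-trail passes, legacy-trail fails for having no key at all, and partial-trail fails because its key policy never grants CloudTrail the right to generate data keys, which is the case the IAM-role wording in older guidance tends to miss.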

Necessary Codes

No codes are required for this rule.

Step-by-step Guide for Remediation

To remediate the finding and encrypt a CloudTrail trail's log files with a KMS CMK, follow these steps in the AWS Management Console:

  1. Open the CloudTrail console and choose Trails in the navigation pane.

  2. Select the non-compliant trail.

  3. In the General details section, choose Edit.

  4. Under Log file SSE-KMS encryption, select Enabled.

  5. Under Customer managed AWS KMS key, choose New to have the console create a key with a key policy that already grants CloudTrail access, or choose Existing and enter the alias of a customer managed key. An existing key must be in the same Region as the trail's S3 bucket and its key policy must allow cloudtrail.amazonaws.com to call kms:GenerateDataKey* and kms:DescribeKey; otherwise saving fails with InsufficientEncryptionPolicyException.

  6. Make sure the principals that read the logs (analysts, SIEM collectors, Athena) have kms:Decrypt on the key, through the key policy or an IAM policy, or they will lose access to the log files once encryption is switched on.

  7. Review the remaining trail settings and choose Save changes.

  8. Confirm the change: the trail's description now shows the KmsKeyId, and new objects in the S3 bucket show SSE-KMS with that key in their properties. Log files delivered before the change keep their previous encryption; re-encrypt or age them out according to your retention policy if the rule must hold for historical data too.
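The same remediation can be scripted so that the key policy is created correctly the first time. The block below is an added example, not Cloud Defense's code: the key policy reproduces the statements AWS documents for CloudTrail (account admin, CloudTrail encrypt and describe, in-account decrypt), the account ID, trail name and alias are assumed values, and DryRunClient is a constructed stand-in that records calls instead of contacting AWS so the module runs offline. Passing real boto3.client("kms") and boto3.client("cloudtrail") objects to encrypt_trail performs the actual change.

```python
"""Create a CloudTrail-ready KMS key and attach it to a trail (added example; DryRunClient is a stand-in)."""
import json

ACCOUNT_ID = "123456789012"  # constructed sample account


def cloudtrail_key_policy(account_id):
    """Key policy granting CloudTrail encrypt rights, scoped to trails in this account."""
    trail_pattern = f"arn:aws:cloudtrail:*:{account_id}:trail/*"
    return {
        "Version": "2012-10-17",
        "Id": "cloudtrail-log-encryption",
        "Statement": [
            # Account root keeps administrative control; without this the key can become unmanageable.
            {"Sid": "EnableKeyAdministrationByAccountRoot", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            # CloudTrail generates a data key per log file; the condition stops trails in other
            # accounts from using this key.
            {"Sid": "AllowCloudTrailToEncryptLogs", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "kms:GenerateDataKey*", "Resource": "*",
             "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": trail_pattern}}},
            {"Sid": "AllowCloudTrailToDescribeKey", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "kms:DescribeKey", "Resource": "*"},
            # Anyone in this account who also holds IAM permission may decrypt CloudTrail objects only.
            {"Sid": "AllowAccountPrincipalsToDecryptLogs", "Effect": "Allow",
             "Principal": {"AWS": "*"},
             "Action": ["kms:Decrypt", "kms:ReEncryptFrom"], "Resource": "*",
             "Condition": {"StringEquals": {"kms:CallerAccount": account_id},
                           "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": trail_pattern}}},
        ],
    }


class DryRunClient:
    """Constructed stand-in for a boto3 client: records every call and returns canned responses."""

    def __init__(self, key_arn=""):
        self.key_arn = key_arn
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            if name == "create_key":
                return {"KeyMetadata": {"Arn": self.key_arn, "KeyId": self.key_arn.rsplit("/", 1)[-1]}}
            return {}
        return call


def encrypt_trail(kms, cloudtrail, trail_name, account_id, alias="alias/cloudtrail-logs"):
    """Create the key with the policy above, alias it, enable rotation, and point the trail at it."""
    policy = cloudtrail_key_policy(account_id)
    key = kms.create_key(Policy=json.dumps(policy),
                         Description=f"CloudTrail log file encryption for {trail_name}",
                         KeyUsage="ENCRYPT_DECRYPT", KeySpec="SYMMETRIC_DEFAULT")
    key_arn = key["KeyMetadata"]["Arn"]
    kms.create_alias(AliasName=alias, TargetKeyId=key_arn)
    kms.enable_key_rotation(KeyId=key_arn)
    # Raises InsufficientEncryptionPolicyException on a real client if the policy lacks the CloudTrail grant.
    cloudtrail.update_trail(Name=trail_name, KmsKeyId=key_arn)
    return key_arn


if __name__ == "__main__":
    kms = DryRunClient("arn:aws:kms:us-east-1:123456789012:key/33333333-3333-3333-3333-333333333333")
    ct = DryRunClient()
    print("trail now uses", encrypt_trail(kms, ct, "org-trail", ACCOUNT_ID))
    for name, kwargs in kms.calls + ct.calls:
        print(name, sorted(kwargs))
```

Only log files delivered after update_trail succeeds are encrypted with the new key; the script does not touch objects already in the bucket.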

Conclusion

Following these steps leaves every CloudTrail trail writing log files encrypted under a customer managed KMS key whose policy you control, which is what this NIST 800-171 Revision 2 rule checks. Keep the key's policy, rotation setting and the reader principals' decrypt permissions under review, since a disabled key or a missing grant silently stops log delivery.
