This rule ensures that CloudTrail trail logs are encrypted with KMS Customer Master Key (CMK).
| Field | Value |
|---|---|
| Rule | CloudTrail trail logs should be encrypted with KMS CMK |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Critical |
Rule Description
CloudTrail is a service provided by AWS that enables governance, compliance, operational auditing, and risk auditing of AWS account activities. It provides detailed logs of the actions taken by users, services, or APIs in your AWS account. Encrypting these logs with AWS Key Management Service (KMS) Customer Managed Keys (CMK) enhances security and ensures compliance with NIST 800-53 Revision 5 guidelines.
Remediation
To ensure that CloudTrail trail logs are encrypted with KMS CMK for NIST 800-53 Revision 5 compliance, follow the step-by-step guide below:
1. Create a KMS Customer Managed Key (CMK)
If you don't already have a CMK to encrypt the CloudTrail logs, follow these steps to create one:
2. Encrypt CloudTrail Trail Logs with the CMK
Once you have a CMK ready, follow these steps to encrypt the CloudTrail logs:
3. Verify Encryption
To confirm that the CloudTrail trail logs are encrypted with the correct CMK, follow these steps:
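The three remediation steps above, carried through in code as an added example; this is not part of the rule page or of any AWS tooling. It builds the KMS key policy CloudTrail needs (the `GenerateDataKey*` / `DescribeKey` statements AWS documents for CloudTrail, plus a decrypt statement for account principals), wires the key to a trail with boto3, and evaluates a `DescribeTrails` response for trails that have no `KmsKeyId` or use a key other than the one you expect. The account id, region, trail name, alias and key id are constructed placeholders; the live-account functions import boto3 lazily so the offline check runs without the SDK.

```python
"""Added example: create a CloudTrail CMK, attach it to a trail, verify trails.

All identifiers below are constructed placeholders, not values from the page.
"""
import json
from typing import Any, Dict, List, Optional

ACCOUNT_ID = "111122223333"            # constructed placeholder
REGION = "us-east-1"                   # assumption
TRAIL_NAME = "management-events"       # assumption
KEY_ALIAS = "alias/cloudtrail-logs"    # assumption
SAMPLE_KEY_ARN = (f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/"
                  "11111111-2222-3333-4444-555555555555")   # constructed


def cloudtrail_key_policy(account_id: str) -> Dict[str, Any]:
    """Step 1: key policy granting CloudTrail the minimum it needs.
    GenerateDataKey* is scoped via encryption context to this account's
    trails, so the key cannot be used to encrypt another account's logs."""
    trail_ctx = {"kms:EncryptionContext:aws:cloudtrail:arn":
                 f"arn:aws:cloudtrail:*:{account_id}:trail/*"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableRootPermissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowCloudTrailToEncryptLogs", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "kms:GenerateDataKey*", "Resource": "*",
             "Condition": {"StringLike": trail_ctx}},
            {"Sid": "AllowCloudTrailToDescribeKey", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "kms:DescribeKey", "Resource": "*"},
            # Readers of the bucket still need Decrypt, or the logs go dark.
            {"Sid": "AllowAccountPrincipalsToDecryptLogs", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": ["kms:Decrypt", "kms:ReEncryptFrom"], "Resource": "*",
             "Condition": {"StringEquals": {"kms:CallerAccount": account_id},
                           "StringLike": trail_ctx}},
        ],
    }


def unencrypted_trails(describe_trails_response: Dict[str, Any],
                       expected_key_arn: Optional[str] = None) -> List[Dict[str, str]]:
    """Step 3, offline: findings from a CloudTrail DescribeTrails response.
    A trail with no KmsKeyId writes SSE-S3 objects, which fails this rule;
    a trail using a different key than expected is also reported."""
    findings = []
    for trail in describe_trails_response.get("trailList", []):
        key = trail.get("KmsKeyId")
        if not key:
            findings.append({"trail": trail["Name"],
                             "reason": "no KmsKeyId: logs are not CMK-encrypted"})
        elif expected_key_arn and key != expected_key_arn:
            findings.append({"trail": trail["Name"],
                             "reason": f"encrypted with unexpected key {key}"})
    return findings


def remediate(trail_name: str, alias: str, account_id: str, region: str) -> str:
    """Steps 1 and 2 against a live account: create the CMK with the policy
    above, alias it, and attach it to the trail. Returns the key ARN."""
    import boto3  # lazy import: the offline check needs no SDK
    kms = boto3.client("kms", region_name=region)
    created = kms.create_key(Policy=json.dumps(cloudtrail_key_policy(account_id)),
                             Description="CloudTrail log encryption key")
    key_arn = created["KeyMetadata"]["Arn"]
    kms.create_alias(AliasName=alias, TargetKeyId=key_arn)
    cloudtrail = boto3.client("cloudtrail", region_name=region)
    cloudtrail.update_trail(Name=trail_name, KmsKeyId=key_arn)
    return key_arn


def verify(region: str, expected_key_arn: str) -> List[Dict[str, str]]:
    """Step 3 against a live account: list every trail that fails the rule."""
    import boto3
    cloudtrail = boto3.client("cloudtrail", region_name=region)
    return unencrypted_trails(cloudtrail.describe_trails(includeShadowTrails=False),
                              expected_key_arn)


# Constructed DescribeTrails response: one compliant trail, one without a CMK.
SAMPLE_DESCRIBE_TRAILS = {
    "trailList": [
        {"Name": TRAIL_NAME,
         "TrailARN": f"arn:aws:cloudtrail:{REGION}:{ACCOUNT_ID}:trail/{TRAIL_NAME}",
         "KmsKeyId": SAMPLE_KEY_ARN},
        {"Name": "legacy-trail",
         "TrailARN": f"arn:aws:cloudtrail:{REGION}:{ACCOUNT_ID}:trail/legacy-trail"},
    ]
}

if __name__ == "__main__":
    print(json.dumps(unencrypted_trails(SAMPLE_DESCRIBE_TRAILS, SAMPLE_KEY_ARN), indent=2))
```

Run the module as-is to see the offline check flag `legacy-trail`; call `remediate(...)` and then `verify(...)` with credentials that can create keys and update trails to apply it. The policy keeps the account root statement so the key stays administrable; drop or narrow it only if you have another administrator principal, since a key nobody can manage is unrecoverable.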
Troubleshooting
If you encounter any issues during the process, consider the following troubleshooting steps:
1. CMK Creation Failure
2. CloudTrail Encryption Failure
If the issue persists or you need further assistance, consider reaching out to AWS Support for additional troubleshooting and guidance.
Additional Notes
Encrypting CloudTrail logs with a KMS CMK adds an extra layer of security to protect your sensitive data, ensuring compliance with NIST 800-53 Revision 5 guidelines. Always monitor the status of your CloudTrail trails and regularly review the encryption settings to maintain the integrity and confidentiality of your logs.