Rule: CloudTrail Trail Logs Encrypted with KMS CMK

This rule ensures that CloudTrail trail logs are encrypted with a KMS Customer Master Key (CMK).

Rule: CloudTrail trail logs should be encrypted with KMS CMK
Framework: NIST 800-53 Revision 5
Severity: Critical

Rule Description

CloudTrail is a service provided by AWS that enables governance, compliance, operational auditing, and risk auditing of AWS account activities. It provides detailed logs of the actions taken by users, services, or APIs in your AWS account. Encrypting these logs with AWS Key Management Service (KMS) Customer Managed Keys (CMK) enhances security and ensures compliance with NIST 800-53 Revision 5 guidelines.

Remediation

To ensure that CloudTrail trail logs are encrypted with KMS CMK for NIST 800-53 Revision 5 compliance, follow the step-by-step guide below:

1. Create a KMS Customer Managed Key (CMK)

If you don't already have a CMK to encrypt the CloudTrail logs, follow these steps to create one:

  1. Open the AWS Management Console.
  2. Go to the Key Management Service (KMS) console.
  3. Click on "Customer managed keys" in the left sidebar.
  4. Click on "Create key" and select "Symmetric" key type.
  5. Choose an alias name and description for your CMK.
  6. Select the appropriate key policy, which should align with NIST 800-53 Revision 5 guidelines.
  7. Click on "Next" and review the key configuration.
  8. Click on "Finish" to create the CMK.

2. Encrypt CloudTrail Trail Logs with the CMK

Once you have a CMK ready, follow these steps to encrypt the CloudTrail logs:

  1. Open the AWS Management Console.
  2. Go to the CloudTrail console.
  3. Click on "Trails" in the left sidebar.
  4. Select the trail that you want to encrypt.
  5. Click on "Edit".
  6. Under "Advanced" settings, enable "Enable log file encryption".
  7. Select the appropriate KMS CMK from the dropdown list.
  8. Click on "Save" to apply the changes.

3. Verify Encryption

To confirm that the CloudTrail trail logs are encrypted with the correct CMK, follow these steps:

  1. Open the AWS Management Console.
  2. Go to the CloudTrail console.
  3. Click on "Trails" in the left sidebar.
  4. Select the encrypted trail.
  5. In the "Overview" tab, check that the "Encryption" field shows the CMK that you configured earlier.
  6. Review the trail logs and ensure that they are encrypted and accessible only through the specified CMK.
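The verification step can also be done programmatically across every trail in an account. The following Python is an added example, not Cloud Defense's own code: it evaluates the rule over the response shapes of CloudTrail DescribeTrails and KMS DescribeKey using constructed sample data (KmsKeyId, HomeRegion, KeyManager and KeyState are the real API field names; comparing the key's region against the trail's HomeRegion for the same-region check is an assumption), and its failure reasons map to the troubleshooting items on this page.

```python
import re

# KMS key ARN shape: arn:aws:kms:<region>:<account-id>:key/<key-id>
KEY_ARN = re.compile(r"^arn:aws:kms:(?P<region>[a-z0-9-]+):\d{12}:key/[0-9a-f-]+$")

def evaluate_trail(trail: dict, keys: dict) -> tuple:
    """Return ("PASS"|"FAIL", reason) for one DescribeTrails trailList entry;
    keys maps key ARN -> DescribeKey KeyMetadata. Reasons follow this rule's
    troubleshooting items (no key, wrong region, disabled key, not a CMK)."""
    name = trail.get("Name", "<unnamed>")
    key_arn = trail.get("KmsKeyId")
    if not key_arn:
        return "FAIL", f"{name}: log file encryption is not enabled (no KmsKeyId)"
    m = KEY_ARN.match(key_arn)
    if not m:
        return "FAIL", f"{name}: KmsKeyId is not a fully qualified key ARN"
    # Same-region check uses the trail's HomeRegion as its region (assumption).
    if m.group("region") != trail.get("HomeRegion"):
        return "FAIL", f"{name}: key is in {m.group('region')}, trail in {trail.get('HomeRegion')}"
    meta = keys.get(key_arn)
    if meta is None:
        return "FAIL", f"{name}: key could not be described (check kms:DescribeKey permission)"
    if meta.get("KeyManager") != "CUSTOMER":
        return "FAIL", f"{name}: key is AWS managed, not a customer managed key"
    if meta.get("KeyState") != "Enabled":
        return "FAIL", f"{name}: key state is {meta.get('KeyState')}, not Enabled"
    return "PASS", f"{name}: encrypted with enabled CMK {key_arn}"

# Constructed sample responses, not from a real account (account id is a placeholder).
_ACCT = "111111111111"
_GOOD = f"arn:aws:kms:us-east-1:{_ACCT}:key/11111111-2222-3333-4444-555555555555"
_DISABLED = f"arn:aws:kms:us-east-1:{_ACCT}:key/66666666-7777-8888-9999-000000000000"
_AWS_MANAGED = f"arn:aws:kms:us-east-1:{_ACCT}:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_KEYS = {
    _GOOD: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    _DISABLED: {"KeyManager": "CUSTOMER", "KeyState": "Disabled"},
    _AWS_MANAGED: {"KeyManager": "AWS", "KeyState": "Enabled"},
}
SAMPLE_TRAILS = [
    {"Name": "compliant-trail", "HomeRegion": "us-east-1", "KmsKeyId": _GOOD},
    {"Name": "plaintext-trail", "HomeRegion": "us-east-1"},
    {"Name": "disabled-key-trail", "HomeRegion": "us-east-1", "KmsKeyId": _DISABLED},
    {"Name": "aws-key-trail", "HomeRegion": "us-east-1", "KmsKeyId": _AWS_MANAGED},
    {"Name": "cross-region-trail", "HomeRegion": "eu-west-1", "KmsKeyId": _GOOD},
]

def evaluate_all(trails=SAMPLE_TRAILS, keys=SAMPLE_KEYS) -> dict:
    """Map each trail name to its PASS/FAIL verdict."""
    return {t["Name"]: evaluate_trail(t, keys)[0] for t in trails}
```

In a live account the same two functions can be fed the output of `describe_trails` and `describe_key` from boto3; only the sample dictionaries above would change.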

Troubleshooting

If you encounter any issues during the process, consider the following troubleshooting steps:

1. CMK Creation Failure

  • Double-check your IAM permissions to ensure that you have the necessary permissions to create a CMK.
  • Ensure that you meet the regional restrictions for CMK creation.
  • Make sure you have not exceeded the quota limit for CMKs in your account.

2. CloudTrail Encryption Failure

  • Verify that you have the required IAM permissions to modify the CloudTrail trail configuration.
  • Ensure that the selected CMK is in the same AWS region as the trail logs.
  • Check if the selected CMK is marked as "Enabled" in the KMS console.
  • Review the key policy to confirm it aligns with NIST 800-53 Revision 5 guidelines.
  • Make sure the CloudTrail service is not experiencing any disruptions or outages.

If the issue persists or you need further assistance, consider reaching out to AWS Support for additional troubleshooting and guidance.

Additional Notes

Encrypting CloudTrail logs with a KMS CMK adds an extra layer of security to protect your sensitive data, ensuring compliance with NIST 800-53 Revision 5 guidelines. Always monitor the status of your CloudTrail trails and regularly review the encryption settings to maintain the integrity and confidentiality of your logs.
