
Rule: Log Group Encryption at Rest Should Be Enabled

Ensure that log group encryption at rest is enabled for compliance.

Rule: Log group encryption at rest should be enabled
Framework: NIST 800-53 Revision 5
Severity: High

Rule Details

The rule requires that the log group encryption at rest feature is enabled for compliance with the NIST 800-53 Revision 5 standard. This ensures that log data stored in CloudWatch Logs is protected from unauthorized access by encrypting it while at rest.

Enabling encryption at rest for log groups adds an additional layer of security to log data stored in CloudWatch Logs. By encrypting the data, it becomes unreadable to anyone without the appropriate decryption keys, thus safeguarding sensitive information from unauthorized disclosure.

Troubleshooting Steps

  1. Verify Encryption Status: Check whether encryption at rest is already enabled for the log group in question. Use the AWS Management Console or the AWS CLI to view the log group's encryption status and confirm that a KMS key is associated with it.

  2. Ensure Correct IAM Policies: Verify that the IAM policies attached to the relevant IAM role or user grant the permissions required to enable encryption at rest and to perform the associated encryption operations.

  3. Check KMS Key Permissions: Ensure that the Key Management Service (KMS) key used for encryption has the necessary permissions. The KMS key's key policy should allow CloudWatch Logs to use the key for encryption and decryption on behalf of the appropriate log group.

  4. Verify AWS KMS Configuration: Confirm that the AWS KMS key assigned to the log group is correctly configured. Check that the key is in the same region as the log group and that the required key policy settings are enabled.

  5. Review CloudTrail Logs: If the previous steps have not resolved the issue, review the CloudTrail logs for related error messages or events that may provide additional insight. This can help identify misconfigurations or missing permissions related to log group encryption at rest.

Necessary Codes

No specific code is provided as the resolution for enabling log group encryption at rest is primarily a configuration change within the AWS Management Console or via the AWS Command Line Interface.

Step-by-Step Guide for Remediation

  1. Open the AWS Management Console and navigate to the CloudWatch Logs service.

  2. Locate the log group for which encryption at rest needs to be enabled.

  3. Click on the log group to open its details.

  4. In the Encryption section, confirm whether encryption is already enabled. If not, proceed to the next step.

  5. Click the "Edit" button next to "Encryption".

  6. Select the Key Management Service (KMS) key that will be used for encryption.

  7. Ensure that the "Enable log data for all newly created log streams" option is selected so that all future log streams are encrypted automatically.

  8. Click the "Save" button to save the changes.

  9. Verify that log group encryption at rest is now enabled by checking the Encryption section.

  10. Repeat these steps for any other log groups that require encryption at rest.

By following these steps, log group encryption at rest can be enabled for compliance with the NIST 800-53 Revision 5 standard.
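The same check and fix can be scripted for the CLI path mentioned under "Necessary Codes": the script below is an added example, not Cloud Defense's own code. It audits the JSON that `aws logs describe-log-groups` returns (the sample input, account id and key id are constructed placeholders) and builds the `aws logs associate-kms-key` command that performs the remediation for each non-compliant log group.

```python
"""Audit CloudWatch log groups for encryption at rest and emit remediation commands.

Added example, not Cloud Defense's own code. Input has the JSON shape returned by
`aws logs describe-log-groups`; the sample below is constructed for this demo."""
import json

# Constructed sample of `aws logs describe-log-groups --output json`.
# Account id and key id are placeholders, not real values.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "logGroups": [
        {   # no kmsKeyId field at all: CloudWatch Logs omits it when no key is associated
            "logGroupName": "/aws/lambda/payments-api",
            "arn": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/payments-api:*",
            "storedBytes": 52428800,
        },
        {   # compliant: a customer-managed KMS key is associated
            "logGroupName": "/app/audit-trail",
            "arn": "arn:aws:logs:us-east-1:111122223333:log-group:/app/audit-trail:*",
            "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
    ]
})


def find_unencrypted_log_groups(describe_output_json: str) -> list[str]:
    """Return the names of log groups that have no KMS key associated (non-compliant)."""
    data = json.loads(describe_output_json)
    # An absent or empty kmsKeyId both mean no customer-managed key is associated,
    # which is exactly the condition this rule flags.
    return [g["logGroupName"] for g in data.get("logGroups", []) if not g.get("kmsKeyId")]


def remediation_commands(log_group_names: list[str], kms_key_arn: str) -> list[str]:
    """Build the AWS CLI call that associates a KMS key with each non-compliant log group.

    associate-kms-key encrypts data ingested from that point on; the key policy must
    already let the CloudWatch Logs service use the key (troubleshooting step 3).
    """
    return [
        f"aws logs associate-kms-key --log-group-name '{name}' --kms-key-id '{kms_key_arn}'"
        for name in log_group_names
    ]


if __name__ == "__main__":
    missing = find_unencrypted_log_groups(SAMPLE_DESCRIBE_OUTPUT)
    print("Non-compliant log groups:", missing)
    for cmd in remediation_commands(missing, "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"):
        print(cmd)
```

In a real account, pipe the output of `aws logs describe-log-groups --output json` into `find_unencrypted_log_groups` and review the generated commands before running them.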
