Rule: CloudTrail trail logs should be encrypted with KMS CMK

This rule ensures encryption of CloudTrail trail logs with KMS CMK for enhanced security.

Rule: CloudTrail trail logs should be encrypted with KMS CMK
Framework: NIST 800-53 Revision 5
Severity: Critical

Rule Description

This rule requires that CloudTrail trails in your AWS account are encrypted using AWS Key Management Service (KMS) Customer Master Keys (CMKs) that comply with the NIST 800-53 Revision 5 security standard. Encrypting CloudTrail logs with a NIST-compliant CMK provides an additional layer of security, ensuring the confidentiality and integrity of your log data.

Troubleshooting Steps

If you encounter issues while implementing this rule, follow these steps to troubleshoot:

  1. Check IAM Permissions: Ensure that the IAM user or role used to create or modify the CloudTrail trails has the necessary permissions to create or update encrypted trails with KMS CMKs. The user or role should have the cloudtrail:CreateTrail and cloudtrail:UpdateTrail permissions.

  2. Verify KMS CMK Availability: Ensure that the KMS CMK you are using to encrypt the CloudTrail logs is available in the same AWS region as the trail. Check the KMS console to confirm the CMK's region and availability.

  3. Validate Encryption Settings: Verify that you have specified the correct KMS CMK in the kmsKeyId parameter while creating or updating the trail. Ensure that the CMK is compatible with the NIST 800-53 Revision 5 security standard.

  4. CloudTrail Service-Linked Role: Ensure that the CloudTrail service has the necessary permissions to access and use the KMS CMK. Check whether the CloudTrail service role (normally named AWSServiceRoleForCloudTrail) has permission to use the CMK.

  5. Check CloudTrail Status: Verify that the CloudTrail trail's status is "Logging". If the trail status is "Invalid", review the error message to identify the specific issue causing the failure.

Necessary Codes

No specific code is required for troubleshooting this rule. However, if you need to update or create a CloudTrail trail using AWS CLI, you can use the following command:

aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --kms-key-id <kms-key-id> --is-multi-region-trail --enable-log-file-validation

Replace <trail-name> with the desired name for your CloudTrail trail, <bucket-name> with the name of the S3 bucket where logs will be stored, and <kms-key-id> with the ARN or alias of the KMS CMK you want to use for encryption.

Remediation Steps

To remediate this rule, follow these steps:

  1. Create or Identify a NIST-compliant KMS CMK: Ensure that you have a NIST 800-53 Revision 5 compliant KMS CMK available in the same region where your CloudTrail trail is or will be located. If you don't have one, you can create a new CMK.

  2. Update Existing Trail or Create a New Trail: If you have an existing trail, modify the trail settings to enable encryption using the NIST-compliant KMS CMK. If you don't have a trail, create one with the encryption settings configured.

  3. Using AWS Management Console:

    • Open the AWS Management Console and navigate to the CloudTrail service.
    • Select the existing trail or create a new trail by clicking "Create trail."
    • Specify a unique trail name and choose the desired S3 bucket where logs should be stored.
    • Under "Advanced settings," select the correct KMS Key under "CloudTrail log file encryption options."
    • Enable the "Enable log file validation" option to ensure integrity checking.
    • Click "Create" or "Update trail" to save the changes.

  4. Using AWS CLI:

    • Open the AWS CLI and execute the following command, replacing the placeholder values with your desired settings:
      aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --kms-key-id <kms-key-id> --is-multi-region-trail --enable-log-file-validation
    • Replace <trail-name> with the desired name of the trail, <bucket-name> with the name of the S3 bucket where logs will be stored, and <kms-key-id> with the ARN or alias of the NIST-compliant KMS CMK.

  5. Validation: Once the trail is created or updated, verify that the CloudTrail trail status is "Logging" in the CloudTrail console. Ensure that logs are being delivered to the specified S3 bucket and are encrypted with the NIST-compliant KMS CMK.

By following these remediation steps, you can ensure that your CloudTrail logs are encrypted with KMS CMKs that comply with the NIST 800-53 Revision 5 security standard.
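As an added example (not Cloud Defense's own code), the check behind this rule applied to the JSON that `aws cloudtrail describe-trails` returns, plus the update-trail command that fixes an existing trail in place; the trail list, account id and key ids are constructed placeholders, and the region comparison mirrors troubleshooting step 2.

```python
# Added example (not Cloud Defense's tooling): evaluate the JSON that
# `aws cloudtrail describe-trails` returns against this rule and build the fix.
import json

# Constructed sample describe-trails output; account and key ids are placeholders.
SAMPLE_DESCRIBE_TRAILS = json.dumps({"trailList": [
    {"Name": "org-trail", "HomeRegion": "us-east-1", "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
    {"Name": "legacy-trail", "HomeRegion": "eu-west-1", "LogFileValidationEnabled": False},
    {"Name": "mismatched-key", "HomeRegion": "eu-west-1", "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"},
]})

def key_region(kms_key_id):
    """Region embedded in a KMS key ARN, or None for a bare key id or alias."""
    parts = kms_key_id.split(":")
    return parts[3] if len(parts) >= 6 and parts[0] == "arn" else None

def evaluate_trails(describe_trails_json):
    """Return {trail_name: [finding, ...]} for failing trails; compliant ones are omitted."""
    findings = {}
    for trail in json.loads(describe_trails_json)["trailList"]:
        issues = []
        key = trail.get("KmsKeyId")
        if not key:
            issues.append("logs not encrypted with a KMS CMK")
        else:
            region = key_region(key)
            # Troubleshooting step 2: the CMK must live in the trail's region.
            if region and region != trail["HomeRegion"]:
                issues.append(f"CMK is in {region}, trail home region is {trail['HomeRegion']}")
        if not trail.get("LogFileValidationEnabled"):
            issues.append("log file validation disabled")
        if issues:
            findings[trail["Name"]] = issues
    return findings

def remediation_command(trail_name, kms_key_id):
    """CLI command for an existing trail (update-trail rather than create-trail)."""
    return (f"aws cloudtrail update-trail --name {trail_name} "
            f"--kms-key-id {kms_key_id} --enable-log-file-validation")

if __name__ == "__main__":
    for name, issues in evaluate_trails(SAMPLE_DESCRIBE_TRAILS).items():
        print(name, "->", "; ".join(issues))
        print("  fix:", remediation_command(name, "<kms-key-arn>"))
```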
