Rule: CloudTrail trail logs should be encrypted with KMS CMK
This rule ensures encryption of CloudTrail trail logs with KMS CMK for data security.
| Rule | CloudTrail trail logs should be encrypted with KMS CMK |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Critical |
Rule Description
The rule requires enabling encryption for CloudTrail logs using a Key Management Service (KMS) Customer Master Key (CMK) that complies with the NIST 800-53 Revision 5 security controls.
Key Steps for Remediation
Follow the steps below to enable encryption for CloudTrail logs using the appropriate KMS CMK.
Step 1: Create a KMS Customer Managed Key
- 1.Open the AWS Management Console and navigate to the KMS service.
- 2.Click on "Create key" to create a new Customer Managed Key.
- 3.Choose the appropriate settings for the key, ensuring it complies with the NIST 800-53 Revision 5 security controls.
- 4.Take note of the Key ARN as it will be needed in the next steps.
Step 2: Verify Trail Configuration
- 1.Open the AWS Management Console and navigate to the CloudTrail service.
- 2.Select the desired trail from the trail list.
- 3.Verify that the trail is logging to an S3 bucket.
- 4.Ensure that "Enable log file validation" is enabled for added data integrity.
- 5.Click on "Edit" to modify the trail configuration.
Step 3: Enable Encryption
- 1.In the "S3 settings" section, select the desired S3 bucket.
- 2.Check the box for "Encrypt log files".
- 3.From the drop-down menu, select the KMS CMK previously created.
- 4.Click on "Save" to immediately apply the changes.
Troubleshooting Steps
Issue: No KMS CMK Available
If you haven't created a KMS CMK or don't have a suitable one, follow these steps:
- 1.Open the AWS Management Console and navigate to the KMS service.
- 2.Click on "Create key" to create a new Customer Managed Key.
- 3.Choose the appropriate settings for the key, ensuring it complies with the NIST 800-53 Revision 5 security controls.
- 4.Make a note of the Key ARN as it will be needed in the next steps.
Issue: Trail Configuration Not Found
If you're unable to find the trail for CloudTrail, follow these steps:
- 1.Open the AWS Management Console and navigate to the CloudTrail service.
- 2.Click on "Trails" in the left-hand menu.
- 3.Use the search field or scroll through the list to locate the desired trail.
Issue: Unable to Enable Encryption or Save Trail Configuration
If you encounter issues while enabling encryption or saving the trail configuration, ensure you have the necessary permissions. Check if you have the required IAM policy to perform these actions or contact your administrator for assistance.
Associated AWS CLI Command(s)
You can also use the AWS CLI to enable encryption for CloudTrail logs using the appropriate KMS CMK.
aws cloudtrail update-trail --name <trail_name> --kms-id <kms_cmk_arn>
Replace
<trail_name><kms_cmk_arn>References