This rule specifies that log group encryption at rest must be enabled for compliance.
Rule: Log group encryption at rest should be enabled
Framework: NIST 800-53 Revision 5
Severity: High
Log Group Encryption at Rest for NIST 800-53 Revision 5
Description
Log Group Encryption at Rest is a security measure that encrypts log data stored within Amazon Web Services (AWS) CloudWatch Log Groups using an AWS KMS key associated with the log group. Enabling it protects stored log data from unauthorized access and supports the security requirements of the NIST 800-53 Revision 5 standard.
Troubleshooting Steps
If an issue arises with Log Group Encryption at Rest, follow these troubleshooting steps:
1. Check the permissions: Ensure that the IAM user or role trying to enable encryption has the necessary permissions. The user/role must have the logs:CreateLogStream and logs:PutRetentionPolicy permissions (and logs:AssociateKmsKey, which is the action that binds a key to a log group), along with kms:GenerateDataKey and kms:Encrypt permissions on the KMS key associated with the log group.
2. Verify encryption status: Use the AWS Command Line Interface (CLI) to check the encryption status of the log group with the following command:
aws logs describe-log-groups --log-group-name-prefix <log_group_name>
Look for the kmsKeyId field in the output, which should hold the ARN of the Key Management Service (KMS) key used for encryption. If the field is missing or empty, encryption is not enabled.
3. Check KMS Key permissions: Ensure that the KMS key associated with the log group has the necessary permissions. The key policy should allow the IAM user/role to perform encryption and decryption operations, and it must also allow the CloudWatch Logs service principal for the region (logs.<region>.amazonaws.com) to use the key, because the service, not the caller, encrypts the stored log data.
4. Verify KMS Key availability: Ensure that the KMS key associated with the log group is in the same region as the log group and is available for use. If the key is not accessible or has been deleted, you may encounter issues with encryption.
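As an added example (not part of the original page), the checks from steps 2 and 4 above applied to the JSON that describe-log-groups returns: a log group passes only when kmsKeyId holds a KMS key ARN whose region matches the log group's own ARN, and a missing, empty, or malformed value fails. The sample output and the function names are constructed for this example; in practice feed it the output of `aws logs describe-log-groups --output json`.

```python
import json
import re

# Constructed sample of `aws logs describe-log-groups` output, trimmed to the fields checked here.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"logGroups": [
    {"logGroupName": "/aws/lambda/orders",
     "arn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders:*",
     "kmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"},
    {"logGroupName": "/aws/lambda/payments",  # no kmsKeyId at all: not encrypted
     "arn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/payments:*"},
    {"logGroupName": "/app/audit",  # key sits in a different region than the log group
     "arn": "arn:aws:logs:us-east-1:123456789012:log-group:/app/audit:*",
     "kmsKeyId": "arn:aws:kms:eu-west-1:123456789012:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},
]})
# kmsKeyId holds the full KMS key ARN once a key is associated; anything else fails the check.
KMS_KEY_ARN = re.compile(r"^arn:aws[\w-]*:kms:(?P<region>[a-z0-9-]+):\d{12}:key/[0-9a-f-]+$")


def _arn_region(arn):
    """Region field of an AWS ARN (fourth colon-separated field), or '' for a non-ARN value."""
    return arn.split(":")[3] if arn.count(":") >= 5 else ""


def evaluate_log_groups(describe_output_json):
    """Map each log group name to (status, reason) using the kmsKeyId check described above."""
    results = {}
    for group in json.loads(describe_output_json).get("logGroups", []):
        name, key = group["logGroupName"], group.get("kmsKeyId", "")
        match = KMS_KEY_ARN.match(key)
        group_region = _arn_region(group.get("arn", ""))
        if not key:  # field absent or empty: encryption at rest is not enabled
            results[name] = ("NON_COMPLIANT", "kmsKeyId missing: encryption at rest not enabled")
        elif not match:
            results[name] = ("NON_COMPLIANT", f"kmsKeyId is not a KMS key ARN: {key}")
        elif group_region and match.group("region") != group_region:
            results[name] = ("NON_COMPLIANT", f"key region {match.group('region')} differs from "
                                              f"log group region {group_region}")
        else:
            results[name] = ("COMPLIANT", f"encrypted with {key}")
    return results


def non_compliant_groups(describe_output_json):
    """Sorted names of log groups that fail the check, i.e. the remediation list."""
    return sorted(name for name, (status, _) in evaluate_log_groups(describe_output_json).items()
                  if status != "COMPLIANT")


if __name__ == "__main__":
    for name, (status, reason) in evaluate_log_groups(SAMPLE_DESCRIBE_OUTPUT).items():
        print(f"{status:<14} {name}: {reason}")
```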
Necessary Codes
Below are the commands needed to enable Log Group Encryption at Rest:
AWS CLI command to enable encryption for a log group by associating a KMS key with it:
aws logs associate-kms-key --log-group-name <log_group_name> --kms-key-id <kms_key_arn>
Note: Replace <log_group_name> with the name of the log group you want to encrypt and <kms_key_arn> with the ARN of the KMS key (this parameter requires the full key ARN, not a bare key ID or alias). Once associated, all newly ingested data for the log group is encrypted with that key. Retention is configured separately with aws logs put-retention-policy --log-group-name <log_group_name> --retention-in-days <retention_days>, where <retention_days> is the desired retention period for log data.
AWS CLI command to set an alias for the KMS master key:
aws kms create-alias --alias-name <alias_name> --target-key-id <kms_key_id>
Note: Replace <alias_name> with the desired alias for the KMS key (it must begin with alias/) and <kms_key_id> with the ARN or key ID of the KMS key.
Step-by-Step Guide for Remediation
Follow these steps to enable Log Group Encryption at Rest based on the NIST 800-53 Revision 5 standard:
1. Identify the desired log group: Determine the log group you want to enable encryption for. Note down the log group name, or make a list of the log groups that require encryption.
2. Set up KMS Key: If you haven't already, create a KMS key in the desired region and ensure its key policy grants the necessary permissions for encryption and decryption operations. Note down the key's ARN or key ID.
3. Enable Log Group Encryption: Use the AWS CLI command provided earlier to enable encryption for each identified log group, replacing <log_group_name> with the appropriate log group name and the remaining placeholders with your values as described in the note beneath that command.
4. Associate KMS Key with Log Group: To link the KMS key with the log group, use the AWS CLI command for setting the master key alias. Replace <alias_name> with an alias name of your choice and <kms_key_id> with the ARN or key ID of the KMS key.
5. Verify Encryption Status: Use the AWS CLI command to describe the log groups and check the encryption status. Ensure that the kmsKeyId field returns the correct key ID or ARN associated with encryption.
6. Test Log Group Encryption: Write logs to the log group and verify that the data is encrypted at rest. You can check the encryption status of the log data in the AWS Management Console or by using the AWS CLI command.
By following these steps, you will successfully enable Log Group Encryption at Rest for NIST 800-53 Revision 5 compliance.