Ensure that CloudTrail trail logs are encrypted using KMS CMK for enhanced security.
Rule | CloudTrail trail logs should be encrypted with KMS CMK
Framework | NIST 800-53 Revision 5
Severity | Critical
Rule Description
This rule enforces that CloudTrail trails are encrypted using a Key Management Service (KMS) Customer Master Key (CMK) that complies with the NIST 800-53 Revision 5 standards. Encrypting CloudTrail logs ensures the confidentiality of log data and prevents unauthorized access to sensitive information.
Troubleshooting Steps
If a CloudTrail trail is not encrypted with a KMS CMK that complies with NIST 800-53 Revision 5, follow these troubleshooting steps:
Verify the CloudTrail trail encryption status: Check the CloudTrail trail settings to determine if encryption is enabled or not.
Check KMS CMK settings: Confirm that the KMS CMK being used for CloudTrail encryption meets the NIST 800-53 Revision 5 standards. Verify the key policy, key rotation status, and key usage.
Review AWS Identity and Access Management (IAM) policies: Ensure that the IAM policies associated with CloudTrail, KMS, and S3 (if applicable) allow proper access and permissions for encryption, decryption, and key management.
Validate trail configuration: Ensure that the CloudTrail trail is configured properly, including the correct log file validation settings and log file integrity options.
Necessary Codes
The following code snippet demonstrates how to create a new CloudTrail trail with encryption using a KMS CMK:
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --kms-key-id <kms-key-id> --is-multi-region-trail --is-organization-trail
Replace <trail-name> with the desired name for the CloudTrail trail, <bucket-name> with the name of the destination S3 bucket for log storage, and <kms-key-id> with the ARN (Amazon Resource Name) of the KMS CMK.
Remediation Steps
Follow these steps to remediate the CloudTrail trail encryption issue:
Identify the existing CloudTrail trails: List all existing trails to determine which ones are not encrypted with a compliant KMS CMK.
aws cloudtrail describe-trails
Create a new KMS CMK: If you don't have a compliant KMS CMK, create a new one that meets NIST 800-53 Revision 5 standards.
aws kms create-key --description "CloudTrail Encryption Key" --policy <policy-json>
Replace <policy-json> with the JSON policy document specifying the required permissions, including the appropriate key policy for NIST 800-53 Revision 5 compliance.
Configure the CloudTrail trail encryption: Update the CloudTrail trails to use the newly created KMS CMK for encryption.
aws cloudtrail update-trail --name <trail-name> --kms-key-id <kms-key-id>
Replace <trail-name> with the name of the CloudTrail trail that needs to be encrypted and <kms-key-id> with the ARN of the compliant KMS CMK.
Validate the encryption status: Verify that the CloudTrail trails are now encrypted with the designated KMS CMK.
aws cloudtrail describe-trails --trail-name-list <trail-name>
Replace <trail-name> with the name of the updated CloudTrail trail.
By following these steps, you can ensure that CloudTrail trails are encrypted with a KMS CMK that complies with NIST 800-53 Revision 5 standards, enhancing the security and compliance posture of your AWS environment.
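As an added example (not part of the original rule page or any vendor tool), the following Python script parses the JSON that `aws cloudtrail describe-trails` returns, reports trails that have no KmsKeyId set or have log file validation disabled, and builds the `update-trail` remediation command from the steps above. The trail names, bucket names and key ARN in the sample are constructed placeholders, not real resources.

```python
import json

# Constructed sample of `aws cloudtrail describe-trails` output (placeholder
# account id, trail names, buckets and key id; not real resources).
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {
            "Name": "org-trail",
            "S3BucketName": "example-cloudtrail-logs",
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
            "IsMultiRegionTrail": True,
            "LogFileValidationEnabled": True,
            "HomeRegion": "us-east-1",
        },
        {
            "Name": "legacy-trail",
            "S3BucketName": "example-legacy-logs",
            "IsMultiRegionTrail": False,
            "LogFileValidationEnabled": False,
            "HomeRegion": "us-west-2",
        },
    ]
})


def find_unencrypted_trails(describe_trails_json):
    """Names of trails whose KmsKeyId is missing or empty.

    CloudTrail omits KmsKeyId from describe-trails when the trail writes
    log files without a KMS key, which is exactly what this rule flags.
    """
    trails = json.loads(describe_trails_json).get("trailList", [])
    return [t["Name"] for t in trails if not t.get("KmsKeyId")]


def find_trails_without_validation(describe_trails_json):
    """Names of trails with log file validation (integrity digests) disabled."""
    trails = json.loads(describe_trails_json).get("trailList", [])
    return [t["Name"] for t in trails if not t.get("LogFileValidationEnabled")]


def remediation_commands(describe_trails_json, kms_key_arn):
    """Build one update-trail command per unencrypted trail.

    Also enables log file validation where it is off. Run each command in the
    trail's HomeRegion (pass --region if the CLI default differs).
    """
    trails = json.loads(describe_trails_json).get("trailList", [])
    cmds = []
    for t in trails:
        if t.get("KmsKeyId"):
            continue
        cmd = f"aws cloudtrail update-trail --name {t['Name']} --kms-key-id {kms_key_arn}"
        if not t.get("LogFileValidationEnabled"):
            cmd += " --enable-log-file-validation"
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    # Placeholder key ARN; substitute the ARN of your compliant CMK.
    for cmd in remediation_commands(SAMPLE_DESCRIBE_TRAILS, "arn:aws:kms:us-east-1:111122223333:key/<kms-key-id>"):
        print(cmd)
```

To run against a live account, replace SAMPLE_DESCRIBE_TRAILS with the output of `aws cloudtrail describe-trails` read from stdin or a file.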