This rule ensures that log group encryption at rest is enabled to protect sensitive data stored in log groups.
| Rule | Log group encryption at rest should be enabled |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ High |
Log Group Encryption at Rest for NIST 800-53 Revision 5
Description
Log Group Encryption at Rest is a security measure that ensures log data stored in AWS CloudWatch Logs is encrypted to protect it from unauthorized access. Enabling encryption at rest for log groups is particularly important for organizations that need to comply with NIST 800-53 Revision 5, which provides security and privacy controls for federal information systems.
When encryption at rest is enabled, AWS CloudWatch Logs will use AWS Key Management Service (KMS) to encrypt log data before storing it. This reduces the risk of data breaches and ensures that log data cannot be read or tampered with by unauthorized individuals.
Troubleshooting Steps
If log group encryption at rest is not enabled or encounters issues, here are the troubleshooting steps you can follow:
Ensure you have the necessary permissions: Verify that your IAM user or role has the required permissions to enable encryption at rest for AWS CloudWatch Logs. The user or role needs kms:CreateGrant and kms:ReEncrypt permissions for the KMS key used for encryption.
Check if a KMS key is assigned: Ensure that a KMS key is assigned to the log group for encryption at rest. If not, you can assign a KMS key by following the remediation steps provided below.
Verify KMS key permissions: Validate that the KMS key assigned to the log group has the necessary permissions. The key policy should allow the IAM user or role to use the key for encryption and decryption operations.
Check AWS CloudWatch Logs configuration: Make sure that the AWS CloudWatch Logs configuration is correctly set up for encryption at rest. Confirm that the encryption option is enabled or set to "DEFAULT". If not, follow the remediation steps to enable encryption.
Review error messages: If you encounter any error messages, review them carefully to pinpoint the issue. Common errors might include lack of permissions, incorrect KMS key assignments, or configuration conflicts.
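The "check if a KMS key is assigned" and "verify KMS key permissions" steps above, as an added Python example that is not part of the original rule page: it runs offline over constructed describe-log-groups output and a constructed key policy shaped like the statement AWS documents for the CloudWatch Logs service principal, and flags log groups without a kmsKeyId or a key policy that does not grant that principal the documented actions. The optional live run at the bottom assumes boto3 and AWS credentials.

```python
import fnmatch
import json

# Actions AWS documents for the CloudWatch Logs service principal in the key policy; a broader grant (kms:*) also counts.
REQUIRED_ACTIONS = ("kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*")


def unencrypted_log_groups(log_groups):
    """Names of log groups lacking kmsKeyId; input is the 'logGroups' list of describe-log-groups."""
    return [g["logGroupName"] for g in log_groups if not g.get("kmsKeyId")]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def key_policy_allows_logs(policy_json, region):
    """True if an Allow statement grants logs.<region>.amazonaws.com every required action."""
    service = f"logs.{region}.amazonaws.com"
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if service not in _as_list(principal.get("Service", [])):
            continue
        granted = _as_list(stmt.get("Action", []))
        # Each documented action pattern must be covered by some granted entry (exact or wider wildcard).
        if all(any(fnmatch.fnmatchcase(req, g) for g in granted) for req in REQUIRED_ACTIONS):
            return True
    return False


# Constructed sample data shaped like the AWS API responses (not from a real account).
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/orders",
     "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"logGroupName": "/app/payments"},  # no kmsKeyId: non-compliant
]
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "logs.us-east-1.amazonaws.com"},
        "Action": list(REQUIRED_ACTIONS),
        "Resource": "*",
        "Condition": {"ArnLike": {"kms:EncryptionContext:aws:logs:arn":
                                  "arn:aws:logs:us-east-1:111122223333:log-group:*"}},
    }],
})

if __name__ == "__main__":  # live run over a real account (assumes boto3 and AWS credentials)
    import boto3
    pages = boto3.client("logs").get_paginator("describe_log_groups").paginate()
    print("Unencrypted log groups:", unencrypted_log_groups([g for p in pages for g in p["logGroups"]]))
```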
Remediation
To enable log group encryption at rest for NIST 800-53 Revision 5, follow these steps:
Open the AWS Management Console and go to the AWS CloudWatch service.
Navigate to the "Log groups" section.
Select the log group for which you want to enable encryption at rest.
Choose "Actions" and then click on "Edit log group".
In the "Edit log group" modal, scroll down to the "Data ingestion settings" section.
Locate the "Encryption" option and make sure it is enabled or set to "DEFAULT".
If encryption is not enabled, click on the drop-down menu and select an encryption option that suits your needs. You can choose the default encryption or specify a custom KMS key for encryption.
Save the changes by clicking on the "Save" button.
Verify that log group encryption at rest is now enabled by checking the log group's settings.
CLI Commands
Alternatively, you can use the AWS Command Line Interface (CLI) to enable log group encryption at rest. Here are the necessary CLI commands:
aws logs create-log-group --log-group-name <log-group-name> --kms-key-id <kms-key-id> --region <region-name>
aws logs associate-kms-key --log-group-name <log-group-name> --kms-key-id <kms-key-id> --region <region-name>
Use create-log-group when the log group does not exist yet and associate-kms-key to encrypt an existing log group (put-retention-policy only sets the retention period and has no --kms-key-id option). Ensure you replace <log-group-name> with the name of your log group, <region-name> with the AWS region of your log group, and <kms-key-id> with the ARN of the custom AWS KMS key.
Conclusion
Enabling log group encryption at rest for NIST 800-53 Revision 5 is crucial for maintaining the security and privacy of log data stored in AWS CloudWatch Logs. By following the troubleshooting steps and the remediation guide, you can ensure that your log data is securely encrypted and protected from unauthorized access.