
CloudTrail Trail Logs Encrypted with KMS CMK Rule

This rule ensures that CloudTrail trail logs are encrypted with KMS CMK for enhanced security.

Rule: CloudTrail trail logs should be encrypted with KMS CMK
Framework: NIST 800-53 Revision 5
Severity: Critical

Rule Description:

This rule ensures that CloudTrail trail logs are encrypted using a Key Management Service (KMS) Customer Master Key (CMK) that adheres to the NIST 800-53 Revision 5 security standards. Encrypting the trail logs adds a layer of protection against unauthorized access to, or tampering with, the logs. By using a KMS CMK, you can centrally manage and control access to the encryption keys through the key policy and IAM.

Troubleshooting Steps (if applicable):

  1. Verify if an existing CloudTrail trail is already configured.
  2. Check if the trail logs are currently encrypted using KMS CMK.
  3. Validate if the CMK used for encryption meets the NIST 800-53 Revision 5 standards.
  4. Ensure that the appropriate IAM policies are configured for accessing the CMK.

Necessary Codes (if applicable):

There are no specific codes required for this rule; instead, it involves configuration and encryption settings within the AWS Management Console or AWS CLI.

Step-by-Step Guide for Remediation:

Option 1: AWS Management Console

  1. Sign in to the AWS Management Console.
  2. Navigate to the CloudTrail service.
  3. Select the desired trail that needs encryption.
  4. Click on the "Edit" button on the trail configuration panel.
  5. Under the section "Storage location," ensure that "Encrypt log files" is checked.
  6. Choose the appropriate KMS CMK from the dropdown menu or click on the "Create new key" option to create a new CMK.
  7. If creating a new CMK, ensure that it adheres to the NIST 800-53 Revision 5 standards.
  8. Save the changes and confirm that trail logs are now encrypted with the selected KMS CMK.

Option 2: AWS CLI

  1. Ensure that you have the AWS CLI installed and configured with appropriate IAM permissions.
  2. Open a terminal or command prompt.
  3. Run the following command to modify the CloudTrail trail configuration:

aws cloudtrail update-trail --name [TRAIL_NAME] --kms-key-id [KMS_CMK_ID] [--is-organization-trail | --no-is-organization-trail] [--is-multi-region-trail | --no-is-multi-region-trail]

Replace the placeholders:

  • [TRAIL_NAME] - The name of the existing CloudTrail trail.
  • [KMS_CMK_ID] - The ID, ARN, or alias ARN of the KMS CMK to be used for encryption. The key policy must grant CloudTrail permission to use the key, otherwise the update is rejected.
  • --is-organization-trail / --no-is-organization-trail - Optional boolean flags that specify whether the trail is an organization trail. The CLI takes the flag itself rather than a "true" or "false" value.
  • --is-multi-region-trail / --no-is-multi-region-trail - Optional boolean flags that specify whether the trail logs events from all regions or only from its home region. The update-trail command does not accept a comma-separated list of regions.

Example command:

aws cloudtrail update-trail --name my-trail --kms-key-id 12345678-1234-1234-1234-123456789012 --no-is-organization-trail --no-is-multi-region-trail

  4. Verify the trail configuration by checking the CloudTrail settings in the AWS Management Console or using the CLI command:

aws cloudtrail describe-trails --trail-name-list [TRAIL_NAME]

Replace the placeholder:

  • [TRAIL_NAME] - The name of the CloudTrail trail.

Example command:

aws cloudtrail describe-trails --trail-name-list my-trail

Confirm that the trail logs are now encrypted using the specified KMS CMK.
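To evaluate the describe-trails output against this rule programmatically, the following added example (not CloudDefense's or AWS's code) classifies each trail in a constructed describe-trails response; the expected account number and the sample trail names are assumptions, and a key owned by another account is flagged for review rather than failed.

```python
import json
import re

# Constructed sample of `aws cloudtrail describe-trails` output (not captured
# from a real account): one encrypted trail, one unencrypted trail, and one
# trail whose key is owned by a different account.
SAMPLE_DESCRIBE_TRAILS = json.dumps({"trailList": [
    {"Name": "my-trail", "HomeRegion": "us-east-1",
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"},
    {"Name": "legacy-trail", "HomeRegion": "us-east-1"},
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsOrganizationTrail": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:999999999999:key/abcdefab-1234-1234-1234-abcdefabcdef"},
]})

# CloudTrail stores KmsKeyId as a full key ARN once encryption is enabled.
KEY_ARN = re.compile(r"^arn:aws:kms:([a-z0-9-]+):(\d{12}):key/([0-9a-f-]{36})$")


def evaluate_trail(trail: dict, expected_account: str) -> dict:
    """Classify one trail record as COMPLIANT, NON_COMPLIANT or REVIEW."""
    name = trail.get("Name", "<unnamed>")
    key = trail.get("KmsKeyId")
    if not key:
        return {"trail": name, "status": "NON_COMPLIANT",
                "reason": "KmsKeyId is absent; log files are not KMS-encrypted"}
    match = KEY_ARN.match(key)
    if not match:
        return {"trail": name, "status": "NON_COMPLIANT",
                "reason": f"KmsKeyId {key!r} is not a KMS key ARN"}
    region, account, key_id = match.groups()
    if account != expected_account:
        # Assumption: a key outside the trail's own account needs a human look
        return {"trail": name, "status": "REVIEW",
                "reason": f"key {key_id} belongs to account {account}, not {expected_account}"}
    return {"trail": name, "status": "COMPLIANT",
            "reason": f"encrypted with key {key_id} in {region}"}


def evaluate_trails(describe_trails_json: str, expected_account: str) -> list:
    """Run the rule over a describe-trails response; one finding per trail."""
    trails = json.loads(describe_trails_json).get("trailList", [])
    return [evaluate_trail(t, expected_account) for t in trails]


if __name__ == "__main__":
    for finding in evaluate_trails(SAMPLE_DESCRIBE_TRAILS, "123456789012"):
        print(f"{finding['trail']:<14} {finding['status']:<14} {finding['reason']}")
```

Pipe the real output of `aws cloudtrail describe-trails` into evaluate_trails with your own account ID to get the same findings for your trails.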

Note: Remember to replace the placeholder values with your actual values according to your AWS environment.

By following these steps, you can ensure that your CloudTrail trail logs are encrypted using a KMS CMK that adheres to the NIST 800-53 Revision 5 standards.
