
Rule: Log Group Encryption at Rest Enabled

This rule checks that every Amazon CloudWatch Logs log group has a customer-managed AWS KMS key associated with it for encryption at rest, rather than relying only on the default service-managed encryption.

Rule: Log group encryption at rest should be enabled
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description:

CloudWatch Logs always encrypts log data at rest, but by default it does so with a key that AWS owns and manages. Associating a customer-managed KMS key with a log group puts the key under your control: you define the key policy (including which principals and which log groups may use it), you control rotation, disabling and deletion, and every use of the key is recorded in AWS CloudTrail. That control over the key is what this rule checks for, and it supports NIST 800-53 Revision 5 controls such as SC-28 (Protection of Information at Rest) and AU-9 (Protection of Audit Information). A log group without an associated KMS key is reported as a finding.

Troubleshooting Steps:

  1. List the CloudWatch log groups and check whether each one has a KMS key associated. In the output of `aws logs describe-log-groups`, an associated key appears as the `kmsKeyId` field; if the field is absent, the log group uses only the default service-managed encryption and will be flagged by this rule.
  2. Verify the associated key: it must be a symmetric KMS key in the same region as the log group (CloudWatch Logs does not support asymmetric keys), and it must be enabled. A key that is disabled or scheduled for deletion makes the log data unreadable.
  3. Confirm the key's origin and management. Symmetric KMS keys encrypt with AES-256-GCM, so there is no algorithm to choose; what matters is that the key is customer-managed (not the AWS-owned default), that automatic rotation is enabled where the key material allows it, and that the key is not shared more widely than needed.
  4. Verify the key policy and access control. The key policy must allow the CloudWatch Logs service principal for the region (logs.<region>.amazonaws.com) to use the key, ideally restricted with an `aws:logs:arn` encryption-context condition to the intended log groups; IAM and resource policies on the log groups themselves should follow least privilege.
  5. Review CloudTrail for events that change the encryption state: `AssociateKmsKey` and `DisassociateKmsKey` on the log group, and `DisableKey`, `ScheduleKeyDeletion` or `PutKeyPolicy` on the key.

Necessary Codes:

No code is required by the rule itself. The configuration can be made through the AWS Management Console, the AWS CLI (`aws logs associate-kms-key` to associate a key and `aws logs describe-log-groups` to verify it), or AWS CloudFormation (the `KmsKeyId` property of `AWS::Logs::LogGroup`).

Remediation Steps:

The following steps will guide you through enabling log group encryption at rest for NIST 800-53 Revision 5 compliance:

  1. Log in to the AWS Management Console.
  2. Open the CloudWatch service.
  3. In the left-hand navigation pane, expand "Logs" and click "Log groups."
  4. Select the log group that needs to be encrypted.
  5. Click the "Actions" button above the log groups list and choose "Encrypt Log Group" from the drop-down menu.
  6. In the encryption dialog, choose the KMS key to associate, or create a new one. KMS is the key service, not an encryption algorithm; the key must be a symmetric KMS key in the same region as the log group, and its key policy must allow the CloudWatch Logs service principal for that region (logs.<region>.amazonaws.com) to use it, otherwise the association fails.
  7. Click "Encrypt" to associate the key. The association overrides any earlier key association and applies to newly ingested data.
  8. Repeat steps 4 to 7 for each log group that requires encryption.
  9. Verify the result: open the log group's details in the console and confirm the KMS key you chose is shown, or run `aws logs describe-log-groups` and check that the `kmsKeyId` field is present for each log group.

Additional Notes:

  • Protect the KMS keys used for log group encryption with a least-privilege key policy: grant the CloudWatch Logs service principal only the permissions it needs, scope the grant with the `kms:EncryptionContext:aws:logs:arn` condition, and restrict key administration. Enable automatic key rotation where the key material allows it.
  • Disabling, deleting or disassociating a key does not just weaken protection; it makes the affected log data unreadable. Alarm on `DisassociateKmsKey`, `DisableKey` and `ScheduleKeyDeletion` in CloudTrail and review log group encryption status regularly.
  • Automate the association with the AWS CLI or AWS CloudFormation so that every log group, including new ones created by services such as Lambda, gets the same encryption configuration; log groups created automatically by a service have no key associated unless you add one.
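The following is an added example that automates the remediation and the verification described above; it is not Cloud Defense's tooling and not part of the original page. The audit and key-policy functions are pure and take the JSON shape that `aws logs describe-log-groups` returns, so they run offline on the constructed sample included in the block; the live calls under `__main__` assume boto3 and valid AWS credentials. The account ID, region, key ARN and log group names are constructed placeholders.

```python
"""Audit CloudWatch log groups for a customer-managed KMS key and build the
key policy CloudWatch Logs needs before a key can be associated.

Added example for this rule page, not Cloud Defense's own code. Offline parts:
build_key_policy, key_policy_json, unencrypted_log_groups. Live parts (boto3):
remediate and the __main__ block. All identifiers below are constructed.
"""
import json
import sys
from typing import Dict, List

# CloudWatch Logs calls KMS through this regional service principal.
LOGS_SERVICE_PRINCIPAL = "logs.{region}.amazonaws.com"


def build_key_policy(account_id: str, region: str) -> Dict:
    """Key policy for a symmetric KMS key that CloudWatch Logs may use.

    Statement 1 keeps the account root as key administrator. Statement 2 is
    what the console remediation silently depends on: without it, associating
    the key fails. The EncryptionContext condition limits the grant to log
    groups in this account and region (assumed scope; narrow it to specific
    log group ARNs if the key serves only a few groups).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableRootAccountAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowCloudWatchLogsToUseTheKey",
                "Effect": "Allow",
                "Principal": {"Service": LOGS_SERVICE_PRINCIPAL.format(region=region)},
                "Action": [
                    "kms:Encrypt*",
                    "kms:Decrypt*",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:Describe*",
                ],
                "Resource": "*",
                "Condition": {
                    "ArnLike": {
                        "kms:EncryptionContext:aws:logs:arn":
                            f"arn:aws:logs:{region}:{account_id}:log-group:*"
                    }
                },
            },
        ],
    }


def key_policy_json(account_id: str, region: str) -> str:
    """Policy as text, ready for `aws kms create-key --policy file://policy.json`."""
    return json.dumps(build_key_policy(account_id, region), indent=2)


def unencrypted_log_groups(describe_output: Dict) -> List[str]:
    """Names of log groups with no customer-managed KMS key associated.

    `describe_output` has the shape of `aws logs describe-log-groups` output.
    A group without `kmsKeyId` is still encrypted, but only with the
    service-owned key; that is the state this rule reports as a finding.
    """
    return [
        g["logGroupName"]
        for g in describe_output.get("logGroups", [])
        if not g.get("kmsKeyId")
    ]


# Constructed sample in the shape of describe-log-groups output (not real resources).
SAMPLE_DESCRIBE_OUTPUT = {
    "logGroups": [
        {
            "logGroupName": "/aws/lambda/payments",
            "arn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/payments:*",
        },
        {
            "logGroupName": "/app/api",
            "arn": "arn:aws:logs:us-east-1:123456789012:log-group:/app/api:*",
            "kmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
        },
    ]
}


def remediate(region: str, key_arn: str, log_group_names: List[str]) -> None:
    """Associate `key_arn` with each log group (live call; needs boto3).

    The association overrides any earlier key and applies to newly ingested data.
    """
    import boto3  # imported here so the offline functions above need no AWS SDK

    logs = boto3.client("logs", region_name=region)
    for name in log_group_names:
        logs.associate_kms_key(logGroupName=name, kmsKeyId=key_arn)


if __name__ == "__main__":
    # usage: python audit_log_group_kms.py <region> <account-id> [<key-arn>]
    # Without a key ARN the script only audits and prints the key policy to create.
    import boto3

    region, account_id = sys.argv[1], sys.argv[2]
    key_arn = sys.argv[3] if len(sys.argv) > 3 else None
    paginator = boto3.client("logs", region_name=region).get_paginator("describe_log_groups")
    merged = {"logGroups": [g for page in paginator.paginate() for g in page["logGroups"]]}
    missing = unencrypted_log_groups(merged)
    print(f"{len(missing)} log group(s) without a customer-managed KMS key: {missing}")
    if key_arn and missing:
        remediate(region, key_arn, missing)
    elif missing:
        print(key_policy_json(account_id, region))
```

Run the audit first without a key ARN to see which log groups would be changed and to get a key policy you can review before creating the key; run it again with the key ARN to associate the key. The `describe_log_groups` paginator matters in real accounts because the API returns at most a page of log groups per call, so a single unpaginated call silently misses findings.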
