This rule ensures that encryption at rest is enabled for CloudWatch log groups, so that stored log data is protected if the underlying storage is accessed outside the service.
| Attribute | Value |
|---|---|
| Rule | Log group encryption at rest should be enabled |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ High |
Rule Description:
Log group encryption at rest ensures that the data stored in the log group is securely encrypted, providing an additional layer of protection against unauthorized access. Enabling log group encryption at rest is a recommended security practice, particularly for compliance with NIST 800-53 Revision 5 standards.
Troubleshooting Steps:
Necessary Codes:
There are no specific codes required for this rule. The configuration settings can be updated through the AWS Management Console, AWS Command Line Interface (CLI), or AWS CloudFormation.
Remediation Steps:
The following steps will guide you through enabling log group encryption at rest for NIST 800-53 Revision 5 compliance:
Step 1: Login to the AWS Management Console.
Step 2: Go to the CloudWatch service.
Step 3: From the left-hand side menu, select "Logs" under "CloudWatch."
Step 4: In the left-hand navigation pane, click on "Log groups."
Step 5: Select the log group that needs to be encrypted.
Step 6: Click on the "Actions" button above the log groups list.
Step 7: Choose "Encrypt Log Group" from the drop-down menu.
Step 8: In the encryption dialog box, choose AWS Key Management Service (KMS) as the encryption option.
Step 9: Choose the appropriate KMS key or create a new one if needed.
Step 10: Click "Encrypt" to enable log group encryption at rest.
Step 11: Repeat steps 5 to 10 for each log group that requires encryption.
Step 12: Verify the encryption status by checking the "Encryption" column in the log groups list. It should display "Enabled" for the encrypted log groups.
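The same check and remediation can be scripted with the CLI the "Necessary Codes" section mentions. The following is an added example, not part of the original rule text: it evaluates a constructed `aws logs describe-log-groups` JSON response, emits the `aws logs associate-kms-key` call for each failing log group, and builds the KMS key policy statement CloudWatch Logs needs before that call can succeed (the account ID, Region and key ARN are placeholders).

```python
import json

# Constructed sample of `aws logs describe-log-groups --output json`.
# Only log groups that already have a key associated carry "kmsKeyId".
SAMPLE_DESCRIBE_LOG_GROUPS = json.dumps({"logGroups": [
    {"logGroupName": "/aws/lambda/orders",
     "arn": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/orders:*",
     "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"},
    {"logGroupName": "/app/payments",
     "arn": "arn:aws:logs:us-east-1:111122223333:log-group:/app/payments:*"},
    {"logGroupName": "/app/auth",
     "arn": "arn:aws:logs:us-east-1:111122223333:log-group:/app/auth:*"},
]})

# KMS actions the CloudWatch Logs service principal needs on the key.
LOGS_KMS_ACTIONS = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:Describe*"]


def unencrypted_log_groups(describe_output: str) -> list[str]:
    """Names of log groups with no KMS key associated: these fail the rule."""
    groups = json.loads(describe_output)["logGroups"]
    return [g["logGroupName"] for g in groups if not g.get("kmsKeyId")]


def remediation_commands(describe_output: str, kms_key_arn: str) -> list[str]:
    """CLI call per failing group. The key must be symmetric and in the same
    Region; only data ingested after association is encrypted with it."""
    return [f"aws logs associate-kms-key --log-group-name '{name}' "
            f"--kms-key-id '{kms_key_arn}'"
            for name in unencrypted_log_groups(describe_output)]


def logs_key_policy_statement(region: str, account_id: str) -> dict:
    """Key policy statement that lets CloudWatch Logs use the key. Without it,
    associate-kms-key fails even when the caller has KMS permissions. The
    condition restricts use to this account's log-group encryption contexts."""
    return {
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{region}.amazonaws.com"},
        "Action": LOGS_KMS_ACTIONS,
        "Resource": "*",
        "Condition": {"ArnLike": {"kms:EncryptionContext:aws:logs:arn":
                                  f"arn:aws:logs:{region}:{account_id}:log-group:*"}},
    }


if __name__ == "__main__":
    key = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
    print("Non-compliant:", unencrypted_log_groups(SAMPLE_DESCRIBE_LOG_GROUPS))
    print("\n".join(remediation_commands(SAMPLE_DESCRIBE_LOG_GROUPS, key)))
    print(json.dumps(logs_key_policy_statement("us-east-1", "111122223333"), indent=2))
```

Feed it the real `describe-log-groups` output and add the policy statement to the key before running the generated commands; then re-run the check, which should return an empty list.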
Additional Notes: