This rule ensures that CloudTrail trail logs are encrypted with KMS Customer Master Key (CMK).
Rule | CloudTrail trail logs should be encrypted with KMS CMK |
Framework | NIST Cybersecurity Framework (CSF) v1.1 |
Severity | Critical |
CloudTrail Log Encryption with KMS CMK for NIST CSF Compliance
Amazon CloudTrail is an essential AWS service that records API calls and related events for your AWS account. Encrypting these logs is vital for security and compliance with various frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
Rule Details
AWS CloudTrail logs should be encrypted using a customer-managed AWS Key Management Service (KMS) Customer Master Key (CMK) to align with NIST CSF recommendations. A customer-managed CMK gives you control that the default AWS managed keys do not, such as authoring the key policy and auditing who uses the key.
Requirements
Necessary Steps and Commands
Step 1: Validate CloudTrail Configuration
First, check if there is an existing CloudTrail and its current encryption status.
aws cloudtrail describe-trails
This command lists the trails and shows details such as KmsKeyId, which is present only if the trail's log files are encrypted with a KMS key.
Step 2: Create a KMS CMK
If a CMK isn't present, create one using the command below:
aws kms create-key --description "CloudTrail CMK for NIST CSF"
Record the returned KeyId.
Step 3: Update Key Policy
Modify the key policy to allow CloudTrail to use the CMK.
# Edit the key policy JSON file so it allows the CloudTrail service principal to use the key, then apply it.
# The AWS CLI reads a policy from a local file only with the file:// prefix.
aws kms put-key-policy --key-id <your_key_id> --policy-name default --policy file://<your_policy_file.json>
Step 4: Enable Log File Encryption with CMK
Update the CloudTrail to use the new CMK for encryption.
aws cloudtrail update-trail --name YourTrailName --kms-key-id alias/YourKMSCMKAlias
Step 5: Validate Encryption
To confirm that CloudTrail logs are now being encrypted with your CMK, read the trail configuration back (get-trail-status reports delivery status only and does not include the key):
aws cloudtrail describe-trails --trail-name-list YourTrailName --query 'trailList[0].KmsKeyId'
The output should be the ARN of your CMK; an empty or null value means log file encryption is not enabled on that trail.
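The page leaves two pieces to the reader: the contents of the key policy file in Step 3, and how to turn the describe-trails output from Steps 1 and 5 into a pass/fail check. The following is an added example, not code from the original page or from AWS; the account ID, region, key ID and the second trail are constructed sample values, and the trail name YourTrailName is the placeholder used in the steps above. It builds the key policy CloudTrail needs (the service principal may generate data keys only for trails in this account and only for the named trail ARN), checks a policy for that grant, and lists trails that have no KmsKeyId.

```python
import json

# Constructed sample values; replace with your own account, region and trail name.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
TRAIL_NAME = "YourTrailName"


def cloudtrail_key_policy(account_id: str, region: str, trail_name: str) -> dict:
    """Build the KMS key policy CloudTrail needs to encrypt log files.

    Three statements: the account root keeps administrative control of the key
    (so IAM policies in the account can manage it), CloudTrail may generate data
    keys but only under an encryption context naming a trail in this account and
    only when the request comes from the named trail, and CloudTrail may describe
    the key so that update-trail can validate it.
    """
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    return {
        "Version": "2012-10-17",
        "Id": "cloudtrail-cmk-policy",
        "Statement": [
            {
                "Sid": "Enable IAM policies for key administration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow CloudTrail to encrypt logs",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "kms:GenerateDataKey*",
                "Resource": "*",
                "Condition": {
                    "StringLike": {
                        "kms:EncryptionContext:aws:cloudtrail:arn": f"arn:aws:cloudtrail:*:{account_id}:trail/*"
                    },
                    "StringEquals": {"aws:SourceArn": trail_arn},
                },
            },
            {
                "Sid": "Allow CloudTrail to describe key",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "kms:DescribeKey",
                "Resource": "*",
            },
        ],
    }


def policy_allows_cloudtrail(policy: dict) -> bool:
    """Return True if some Allow statement grants cloudtrail.amazonaws.com GenerateDataKey."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "cloudtrail.amazonaws.com" in services and any(
            a in ("kms:*", "kms:GenerateDataKey*", "kms:GenerateDataKey") for a in actions
        ):
            return True
    return False


def unencrypted_trails(describe_trails_output: dict) -> list:
    """Names of trails in `aws cloudtrail describe-trails` output that carry no KmsKeyId."""
    return [t["Name"] for t in describe_trails_output.get("trailList", []) if not t.get("KmsKeyId")]


# Constructed sample describe-trails output: one compliant trail, one without a key.
SAMPLE_DESCRIBE_TRAILS = {
    "trailList": [
        {
            "Name": TRAIL_NAME,
            "S3BucketName": "example-cloudtrail-logs",
            "KmsKeyId": f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/11111111-2222-3333-4444-555555555555",
        },
        {"Name": "legacy-trail", "S3BucketName": "example-legacy-logs"},
    ]
}

if __name__ == "__main__":
    policy = cloudtrail_key_policy(ACCOUNT_ID, REGION, TRAIL_NAME)
    # Save this output as your_policy_file.json for: aws kms put-key-policy ... --policy file://your_policy_file.json
    print(json.dumps(policy, indent=2))
    print("Policy grants CloudTrail GenerateDataKey:", policy_allows_cloudtrail(policy))
    print("Trails without KMS encryption:", unencrypted_trails(SAMPLE_DESCRIBE_TRAILS))
```

To use it against a real account, pipe `aws cloudtrail describe-trails` output through `json.load` and pass it to `unencrypted_trails`; the policy check is the quickest way to rule out the key policy when Step 4 fails with an access denied error.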
Troubleshooting Steps
If you encounter an issue, review these troubleshooting steps:
Log Encryption Not Enabled
Ensure the CloudTrail trail is configured with a KMS CMK, not the default S3 encryption. Review the commands in Step 1 and Step 4 for verifying and updating the trail configuration.
Access Denied Errors
When using a CMK for encryption, ensure that the necessary permissions are in place for CloudTrail to use the CMK. This may involve updating the key policy and ensuring that the trail’s IAM role has the appropriate privileges.
Monitoring Key Usage
Monitor for unauthorized CMK usage and ensure access is as intended.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=<key-id>
Remediation: Enforce Encryption on all Trails
To ensure every trail encrypts its log files with a CMK, you can use AWS Config rules to detect non-compliant trails automatically, remediate them with AWS Lambda, or enforce compliance through organization-wide policies.
This setup ensures your CloudTrail logs are encrypted according to NIST CSF guidance and helps strengthen your AWS infrastructure's security posture. Compliance with NIST CSF, including log encryption, not only preserves data integrity and confidentiality but also can improve SEO by showcasing commitment to security, thereby building trust with users and search engines.