
Rule: CloudTrail Trail Logs Encrypted with KMS CMK

This rule ensures that CloudTrail trail logs are encrypted with KMS Customer Master Key (CMK).

Rule: CloudTrail trail logs should be encrypted with KMS CMK
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Critical

CloudTrail Log Encryption with KMS CMK for NIST CSF Compliance

Amazon CloudTrail is an essential AWS service that records API calls and related events for your AWS account. Encrypting these logs is vital for security and compliance with various frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

Rule Details

AWS CloudTrail logs should be encrypted using a customer-managed AWS Key Management Service (KMS) Customer Master Key (CMK) to align with NIST CSF recommendations. Using a CMK provides enhanced security features like key policies and audit trails over the default AWS managed keys.

Requirements

  • CloudTrail logs must be delivered to an Amazon S3 bucket.
  • S3 bucket should have server-side encryption enabled with a KMS CMK.

Necessary Steps and Commands

Step 1: Validate CloudTrail Configuration

First, check if there is an existing CloudTrail and its current encryption status.

aws cloudtrail describe-trails

This command lists the trails; the KmsKeyId field in each entry shows whether that trail's logs are encrypted with a KMS key.

Step 2: Create a KMS CMK

If a CMK isn't present, create one using the command below:

aws kms create-key --description "CloudTrail CMK for NIST CSF"

Record the returned KeyId.

Step 3: Update Key Policy

Modify the key policy to allow CloudTrail to use the CMK.

# Write the key policy JSON to a file, then apply it with (the --policy value must be a file:// URI or inline JSON):
aws kms put-key-policy --key-id <your_key_id> --policy-name default --policy file://<your_policy_file.json>

Step 4: Enable Log File Encryption with CMK

Update the CloudTrail to use the new CMK for encryption.

aws cloudtrail update-trail --name YourTrailName --kms-key-id alias/YourKMSCMKAlias

Step 5: Validate Encryption

To confirm that CloudTrail logs are now being encrypted with your CMK:

aws cloudtrail describe-trails --trail-name-list YourTrailName
aws cloudtrail get-trail-status --name YourTrailName

Check that the KmsKeyId field in the describe-trails output references your CMK, and that the trail status shows no LatestDeliveryError (a KMS permission problem surfaces there as a delivery failure).
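The key policy that Step 3 leaves to the reader, together with the rule's own check against describe-trails output from Steps 1 and 5, as an added example (not Cloud Defense's or AWS's code). The account ID, region, trail name and the sample describe-trails output are constructed; the statement shapes follow the conditions AWS documents for CloudTrail's use of a CMK.

```python
import json

def cloudtrail_key_policy(account_id: str, region: str, trail_name: str) -> dict:
    """Key policy letting CloudTrail encrypt log files with this CMK, scoped to one trail.
    aws:SourceArn pins the grant to the named trail; the EncryptionContext condition
    stops the key being used for anything but CloudTrail log files of this account."""
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Keep the account root able to administer the key so it never becomes unmanageable
                "Sid": "EnableKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowCloudTrailEncrypt",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "kms:GenerateDataKey*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"aws:SourceArn": trail_arn},
                    "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                   f"arn:aws:cloudtrail:*:{account_id}:trail/*"},
                },
            },
            {
                "Sid": "AllowCloudTrailDescribeKey",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "kms:DescribeKey",
                "Resource": "*",
            },
        ],
    }

def unencrypted_trails(describe_trails_output: dict) -> list:
    """Rule check: names of trails whose describe-trails entry has no KmsKeyId."""
    return [t["Name"] for t in describe_trails_output["trailList"] if not t.get("KmsKeyId")]

# Constructed sample of `aws cloudtrail describe-trails` output (not from a real account).
SAMPLE_DESCRIBE_TRAILS = {"trailList": [
    {"Name": "org-trail", "S3BucketName": "example-logs",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
    {"Name": "legacy-trail", "S3BucketName": "example-legacy-logs"},
]}

if __name__ == "__main__":
    print(json.dumps(cloudtrail_key_policy("111122223333", "us-east-1", "org-trail"), indent=2))
    print("Non-compliant trails:", unencrypted_trails(SAMPLE_DESCRIBE_TRAILS))
```

Whoever must read the encrypted logs still needs a kms:Decrypt grant on the key, which this policy deliberately does not hand out.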

Troubleshooting Steps

If you encounter an issue, review these troubleshooting steps:

Log Encryption Not Enabled

Ensure the CloudTrail trail is configured with a KMS CMK, not the default S3 encryption. Review the commands in Step 1 and Step 4 for verifying and updating the trail configuration.

Access Denied Errors

When using a CMK for encryption, ensure that the necessary permissions are in place for CloudTrail to use the CMK. This may involve updating the key policy and ensuring that the trail’s IAM role has the appropriate privileges.

Monitoring Key Usage

Monitor for unauthorized CMK usage and ensure access is as intended.

aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=<key-id>

Remediation: Enforce Encryption on all Trails

To ensure all trails use CMK-encrypted S3 buckets, you can use AWS Config rules to automatically detect and remediate non-compliant trails. Automate remediation with AWS Lambda or enforce compliance via organization-wide policies.

This setup ensures your CloudTrail logs are encrypted according to NIST CSF guidance and helps strengthen your AWS infrastructure's security posture. Compliance with NIST CSF, including log encryption, not only preserves data integrity and confidentiality but also can improve SEO by showcasing commitment to security, thereby building trust with users and search engines.
