
Rule: CloudTrail logs should be encrypted at rest using AWS KMS CMKs

Ensure that CloudTrail logs are encrypted using AWS KMS CMKs for improved security measures.

Framework: PCI v3.2.1
Severity: Medium

Rule Description

The rule requires all CloudTrail logs to be encrypted at rest using AWS Key Management Service (KMS) Customer Master Keys (CMKs) to comply with the PCI DSS version 3 security standard. CloudTrail logs contain valuable information about API calls and can potentially expose sensitive data. By encrypting the logs using AWS KMS CMKs, data confidentiality and integrity can be maintained, ensuring compliance with PCI DSS v3 requirements.

Troubleshooting Steps

If there are any issues related to encrypting CloudTrail logs at rest using AWS KMS CMKs, follow the troubleshooting steps below:

  1. Verify AWS KMS permissions: Ensure that the AWS Identity and Access Management (IAM) roles and policies have sufficient permissions to access and use AWS KMS CMKs. Check if the CloudTrail service role has the necessary IAM policies attached.

  2. Check for encryption configuration: Confirm that the CloudTrail trails are configured to use AWS KMS for log file encryption. Use the AWS Management Console, AWS CLI, or AWS SDKs to verify the encryption settings for each CloudTrail trail.

  3. Check KMS key availability: Validate that the appropriate AWS KMS CMKs are available in your AWS account. Verify the key policy and ensure that the CloudTrail service role has sufficient access to use the key. If necessary, create a new AWS KMS CMK with the required permissions.

Necessary Code

No specific code is required for this rule.

Remediation Steps

Follow the step-by-step guide below to remediate non-compliant CloudTrail logs by enabling encryption at rest using AWS KMS CMKs.

  1. Log in to the AWS Management Console.

  2. Navigate to the CloudTrail service.

  3. In the left navigation pane, click on "Trails."

  4. Select the non-compliant CloudTrail trail.

  5. Click on "Edit."

  6. In the "Log file settings" section, locate the "Encryption" option.

  7. Choose "Enable encryption."

  8. Select the appropriate AWS KMS CMK from the dropdown menu.

  9. Click on "Save" to apply the changes.

  10. Repeat steps 4-9 for any other non-compliant CloudTrail trails.

  11. Validate that the CloudTrail logs are now being encrypted at rest using AWS KMS CMKs.

CLI Commands

Although there are no specific CLI commands required for this rule, the following commands can be helpful for troubleshooting and verification purposes:

  1. To check CloudTrail trail settings:

     aws cloudtrail describe-trails --trail-name-list <trail-name>

  2. To list available AWS KMS CMKs:

     aws kms list-keys

  3. To get details of a specific AWS KMS CMK:

     aws kms describe-key --key-id <key-id>

Replace <trail-name> and <key-id> with the appropriate values.

Ensure that the AWS CLI is properly configured with valid IAM credentials to execute the commands successfully.
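The following Python script is an added example, not part of the Cloud Defense page, that automates the verification in remediation step 11 and the troubleshooting checks above: it flags trails without a KmsKeyId in `aws cloudtrail describe-trails` output, confirms the key policy (as returned by `aws kms get-key-policy --policy-name default`) grants cloudtrail.amazonaws.com the kms:GenerateDataKey* permission CloudTrail needs, and prints the `aws cloudtrail update-trail` command that performs the console remediation. The trail names, account ID and key ID are constructed sample values.

```python
from fnmatch import fnmatch

# Constructed sample output of `aws cloudtrail describe-trails`:
# one trail encrypted with a CMK, one with no KmsKeyId (non-compliant).
DESCRIBE_TRAILS = {"trailList": [
    {"Name": "pci-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/pci-trail",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"Name": "legacy-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-trail"},
]}

# Constructed key policy containing the statement CloudTrail needs to
# encrypt log files; the encryption-context condition scopes it to this account's trails.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "kms:GenerateDataKey*", "Resource": "*",
     "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                  "arn:aws:cloudtrail:*:111122223333:trail/*"}}},
]}


def unencrypted_trails(describe_trails: dict) -> list:
    """Names of trails with no KmsKeyId, i.e. trails that fail this rule."""
    return [t["Name"] for t in describe_trails["trailList"] if not t.get("KmsKeyId")]


def cloudtrail_can_use_key(key_policy: dict, trail_arn: str) -> bool:
    """True if an Allow statement lets cloudtrail.amazonaws.com call
    kms:GenerateDataKey for this trail ARN (troubleshooting step 3)."""
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        services = [services] if isinstance(services, str) else services
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "cloudtrail.amazonaws.com" not in services:
            continue
        if not any(fnmatch("kms:GenerateDataKey", a) for a in actions):
            continue
        ctx = stmt.get("Condition", {}).get("StringLike", {})
        if fnmatch(trail_arn, ctx.get("kms:EncryptionContext:aws:cloudtrail:arn", "*")):
            return True
    return False


def remediation_command(trail_name: str, key_arn: str) -> str:
    """CLI equivalent of console steps 5-9 (update-trail is a standard AWS CLI command)."""
    return f"aws cloudtrail update-trail --name {trail_name} --kms-key-id {key_arn}"


if __name__ == "__main__":
    key_arn = DESCRIBE_TRAILS["trailList"][0]["KmsKeyId"]
    for name in unencrypted_trails(DESCRIBE_TRAILS):
        print(remediation_command(name, key_arn))
```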

Conclusion

By following the remediation steps and ensuring that CloudTrail logs are encrypted at rest using AWS KMS CMKs, your environment will be compliant with the PCI DSS v3 rule. Regularly review the CloudTrail logs and perform periodic checks to ensure ongoing compliance with the required security standard.
