This rule ensures that CloudTrail trail logs are encrypted using KMS Customer Master Keys.
| Rule | CloudTrail trail logs should be encrypted with KMS CMK |
| Framework | RBI Cyber Security Framework |
| Severity | ✔ Critical |
Rule Description
This rule is part of the RBI Cyber Security Framework and requires that all CloudTrail trails in your AWS account have their logs encrypted using a Key Management Service (KMS) Customer Master Key (CMK). Encrypting CloudTrail logs ensures that sensitive data and activities within your AWS account are protected from unauthorized access.
Remediation Steps
To comply with this rule, you need to configure encryption settings for your CloudTrail trails and use a KMS CMK for the encryption.
Troubleshooting Steps
Make sure you have appropriate permissions to access and manage CloudTrail and KMS resources.
Check if you have already enabled CloudTrail for your AWS account. If not, follow the AWS documentation to enable CloudTrail.
Verify if you have a KMS CMK available for encryption. If not, create a new CMK or use an existing one.
Ensure that your IAM role has the necessary permissions to access the CMK. Grant the required kms:Encrypt permission to the role associated with the CloudTrail trail (usually AWSServiceRoleForCloudTrail).
Encryption Configuration
Follow these steps to encrypt your CloudTrail logs using a KMS CMK:
Open the AWS Management Console and navigate to the CloudTrail service.
Select the appropriate CloudTrail trail or create a new trail.
In the trail settings, locate the "S3 bucket" section and ensure that "Enable log file encryption" is enabled.
Select the "AWS Key Management Service (KMS)" option for encryption.
Choose the desired KMS CMK from the dropdown list.
Save the trail settings to apply the encryption configuration.
Verification
To ensure that your CloudTrail logs are properly encrypted with a KMS CMK, you can perform the following checks:
Confirm that the CloudTrail trail you configured is capturing logs by reviewing the S3 bucket designated for CloudTrail logs.
Verify that the CloudTrail logs in the S3 bucket are encrypted. You can do this by examining the properties of the log files and checking for encryption status.
Validate that the KMS CMK specified for encryption is the correct one by checking the trail settings or reviewing the CloudTrail configuration using the AWS CLI.
AWS CLI Command
If you prefer the AWS CLI, the following command enables log file encryption for an existing CloudTrail trail:
aws cloudtrail update-trail --name <trail-name> --kms-key-id <kms-key-id> --enable-log-file-encryption
Replace <trail-name> with the name of your CloudTrail trail and <kms-key-id> with the key ID of your desired KMS CMK. Remember to provide appropriate IAM user/role credentials with the necessary permissions when executing the command.
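The following Python script is an added example and is not part of this rule page or of any AWS tooling. It ties together the troubleshooting step (can CloudTrail use the CMK?), the verification checks (is each trail configured with a KmsKeyId, and are delivered log objects SSE-KMS encrypted with that key?) and the AWS CLI command above, which it emits for every non-compliant trail. All inputs are constructed samples shaped like the JSON that `aws cloudtrail describe-trails`, `aws kms get-key-policy` and `aws s3api head-object` return, so it runs offline; the account id, region, key ARN, bucket and trail names are placeholders. The key-policy check looks for the statement CloudTrail's documentation uses, which grants `kms:GenerateDataKey*` to the `cloudtrail.amazonaws.com` service principal, optionally scoped to the trail with an `aws:SourceArn` condition.

```python
"""Audit CloudTrail trails for KMS CMK encryption (added example, not from the rule page).

The inputs below are constructed samples shaped like the JSON returned by
`aws cloudtrail describe-trails`, `aws kms get-key-policy` and `aws s3api head-object`,
so the checks run offline. Account id, region, key id and trail names are placeholders.
"""
import fnmatch
import json

ACCOUNT = "111122223333"  # placeholder account id
REGION = "ap-south-1"     # placeholder home region
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed sample: one trail encrypted with the CMK, one with no KmsKeyId at all.
SAMPLE_TRAILS = {
    "trailList": [
        {"Name": "org-trail", "HomeRegion": REGION, "S3BucketName": "example-audit-logs",
         "TrailARN": f"arn:aws:cloudtrail:{REGION}:{ACCOUNT}:trail/org-trail",
         "KmsKeyId": KEY_ARN},
        {"Name": "dev-trail", "HomeRegion": REGION, "S3BucketName": "example-dev-logs",
         "TrailARN": f"arn:aws:cloudtrail:{REGION}:{ACCOUNT}:trail/dev-trail"},
    ]
}

# Constructed sample key policy in the shape CloudTrail's documentation uses: the
# cloudtrail.amazonaws.com service principal may generate data keys, but only for org-trail.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {"StringEquals": {
             "aws:SourceArn": f"arn:aws:cloudtrail:{REGION}:{ACCOUNT}:trail/org-trail"}}},
        {"Sid": "Allow CloudTrail to describe key", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:DescribeKey", "Resource": "*"},
    ],
})

# Constructed sample: `aws s3api head-object` output for one delivered log file.
SAMPLE_HEAD_OBJECT = {"ContentLength": 3127, "ServerSideEncryption": "aws:kms",
                      "SSEKMSKeyId": KEY_ARN}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unencrypted_trails(describe_output):
    """Trails that fail the rule: no KmsKeyId means log files are not KMS-encrypted."""
    return [t for t in describe_output.get("trailList", []) if not t.get("KmsKeyId")]


def key_policy_allows_cloudtrail(policy_json, trail_arn):
    """True if some Allow statement lets cloudtrail.amazonaws.com call
    kms:GenerateDataKey for this trail (honouring an aws:SourceArn condition)."""
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "cloudtrail.amazonaws.com" not in services:
            continue
        # fnmatchcase lets "kms:GenerateDataKey*" and "kms:*" match the needed action.
        if not any(fnmatch.fnmatchcase("kms:GenerateDataKey", a)
                   for a in _as_list(stmt.get("Action", []))):
            continue
        source = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceArn")
        if source is not None and trail_arn not in _as_list(source):
            continue
        return True
    return False


def object_uses_cmk(head_object_output, expected_key_arn):
    """Verification step from the page: the delivered object must be SSE-KMS
    encrypted with the expected CMK, not SSE-S3 (AES256) or unencrypted."""
    return (head_object_output.get("ServerSideEncryption") == "aws:kms"
            and head_object_output.get("SSEKMSKeyId") == expected_key_arn)


def remediation_command(trail, kms_key_id):
    """The page's update-trail command, pinned to the trail's home region with the
    AWS CLI's global --region option (update-trail is rejected outside the home region)."""
    return (f"aws cloudtrail update-trail --region {trail['HomeRegion']} "
            f"--name {trail['Name']} --kms-key-id {kms_key_id} --enable-log-file-encryption")


if __name__ == "__main__":
    for trail in unencrypted_trails(SAMPLE_TRAILS):
        print(f"NON-COMPLIANT {trail['TrailARN']}")
        print("  fix:", remediation_command(trail, KEY_ARN))
        if not key_policy_allows_cloudtrail(SAMPLE_KEY_POLICY, trail["TrailARN"]):
            print("  note: key policy does not yet allow CloudTrail to use this CMK for this trail")
    print("sample object uses CMK:", object_uses_cmk(SAMPLE_HEAD_OBJECT, KEY_ARN))
```

Running the script reports dev-trail as non-compliant, prints the update-trail command for it, and notes that the sample key policy is scoped to org-trail only, so the key policy would also need a statement for dev-trail before the CLI command succeeds. Against a real account, replace the three sample dictionaries with the parsed output of the corresponding CLI calls.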
Conclusion
By following these steps, you can ensure that your CloudTrail logs are encrypted using a KMS CMK, meeting the encryption requirements under the RBI Cyber Security Framework. Encrypting your logs adds an extra layer of security by protecting sensitive activities and data within your AWS account.