Profile Applicability: Level 2


Description: 

AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server-side encryption (SSE) and KMS customer-created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.

Rationale: 

Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.


Impact:

If you create a CMK in the CloudTrail console, CloudTrail adds the required CMK policy for you. You do not need to manually add the policy statements. Customer-created keys incur an additional cost. See https://aws.amazon.com/kms/pricing/ for more information.

Audit: 

Perform the following to determine if CloudTrail is configured to use SSE-KMS: Via the Management Console 

  1. Sign in to the AWS Management Console

  2. open the CloudTrail console at https://console.aws.amazon.com/cloudtrail 

  3. In the left navigation pane, choose Trails

  4. Select a Trail you want to examine

  5. In General details check Logfile SSE-KMS encryption is enabled or disabled

    If the encryption is not enabled follow the implementation steps to enable it.


Via CLI:

aws cloudtrail describe-trails


Remediation:

Pre-Requisite: 

  1. Sign in as admin or IAM user with required permissions

  2. Need AWS KMS key


Implementation Steps:

Perform the following to configure CloudTrail to use SSE-KMS: Via the Management Console 

  1. Sign in to the AWS Management Console

  2. open the CloudTrail console at https://console.aws.amazon.com/cloudtrail 

  3. In the left navigation pane, choose Trails.

  4. Select the trail you want to modify and click on the edit

  5. Check the Enabled CheckBox under Log file SSE-KMS encryption, use the existing key or you can create New Key

  6. Click on save changes

    Note: Ensure the CMK is located in the same region as the S3 bucket 


Via CLI:

aws cloudtrail update-trail
    --name <bucketname>
    --kms-key-id <key-id>


Backout Plan: 

To disable the encryption follow the implementation steps and uncheck the Enabled checkBox under Log file SSE-KMS encryption. 


Reference: 

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encryptingcloudtrail-log-files-with-aws-kms.html 

http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html 


CIS Controls:

6 Maintenance, Monitoring, and Analysis of Audit Logs 

Maintenance, Monitoring and Analysis of Audit Logs