Profile Applicability: Level 2


Description: 

AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server-side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.


Rationale: 

Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data, as a given user must have S3 read permission on the corresponding log bucket and must be granted decryption permission by the CMK policy.


Impact:

If you create a CMK in the CloudTrail console, CloudTrail adds the required CMK policy for you. You do not need to manually add the policy statements.

Customer-created keys incur an additional cost. See https://aws.amazon.com/kms/pricing/ for more information. 


Audit: 

Perform the following to determine if CloudTrail is configured to use SSE-KMS: Via the Management Console 

  1. Sign in to the AWS Management Console

  2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail

  3. In the left navigation pane, choose Trails. 

  4. Select a Trail you want to examine

  5. In General, details check Logfile SSE-KMS encryption is enabled or disabled.

  6. If the encryption is not enabled follow the implementation steps to enable it.


Remediation:

Pre-Requisite: 

  1. Sign in as an admin or IAM user with the required permissions.

  2. Need AWS KMS key.


Implementation Steps:

  • Perform the following to configure CloudTrail to use SSE-KMS: Via the Management Console 

  1. Sign in to the AWS Management Console

  2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail

  3. In the left navigation pane, choose Trails.

  4. Select the trail you want to modify and click on edit .

  5. Check the Enabled CheckBox under Log file SSE-KMS encryption, use existing key or you can create New Key

  6. Click on save changes.


Note: Ensure the CMK is located in the same region as the S3 bucket 

 

Backout Plan:

To disable the encryption follow the implementation steps and uncheck the Enabled checkbox under Log file SSE-KMS encryption. 

Reference: 

What Is AWS CloudTrail? - AWS CloudTrail 

Creating keys - AWS Key Management Service 


CIS Controls:

6 Maintenance, Monitoring and Analysis of Audit Logs 

Maintenance, Monitoring and Analysis of Audit Logs