Description:

AWS CloudWatch Logs is a web service that stores logs from various AWS services, including Lambda function runs and ECS tasks. A log group is a group of log streams that share the same retention, monitoring, and access control settings. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data.


Rationale:

Encryption context is a set of key-value pairs that are used as additional authenticated data. The encryption context enables you to use IAM policy conditions to limit access to your AWS KMS key by AWS account and log group.


Impact:

Encrypting the CloudWatch log groups provides additional confidentiality controls on log data. A given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.


Default Value:

CloudWatch log groups are encrypted by default, but encryption using KMS is optional and is therefore DISABLED at the time of log group creation.


Pre-Requisite:

  1. The KMS key you associate with a log group must have permissions that allow it to be used by the AWS CloudWatch service and by the user performing the actions on the CLI.

  2. The KMS key used for encrypting the CloudWatch log groups must be Enabled.



Remediation:


Test plan:

  • via Management Console

  1. Sign in to AWS Management Console at https://console.aws.amazon.com/console

  2. Navigate to CloudWatch service.

  3. Go to Log groups under Logs in the left pane.

  4. Choose the desired log group from the list and click on its name link.

  5. Check the KMS Key ID under Log group details.

  6. If the KMS Key ID is empty or blank, the log group isn’t encrypted using KMS.

  7. If it has a value, the log group is encrypted using KMS.


  • Using AWS CLI

Use describe-log-groups to find whether a log group already has a KMS key associated.

aws logs describe-log-groups --log-group-name-prefix <value>

If the output includes a kmsKeyId field, the log group is associated with the key displayed for the value of that field and is therefore Encrypted.
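
The check above, together with the key permissions named in the Pre-Requisite and the encryption-context condition described in the Rationale, as an added example (not part of the original page or of AWS tooling). It takes describe-log-groups output, finds the log groups with no kmsKeyId, and builds for each one a KMS key policy statement scoped to that log group. The sample JSON, account ID, key ID and Sid are constructed placeholders.

```python
import json

# Constructed sample of `aws logs describe-log-groups` output (not real data).
SAMPLE = json.loads("""
{"logGroups": [
  {"logGroupName": "/aws/lambda/orders",
   "arn": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/orders:*"},
  {"logGroupName": "/ecs/billing",
   "arn": "arn:aws:logs:us-east-1:111122223333:log-group:/ecs/billing:*",
   "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
  {"logGroupName": "/app/audit", "kmsKeyId": "",
   "arn": "arn:aws:logs:us-east-1:111122223333:log-group:/app/audit:*"}
]}
""")


def unencrypted_log_groups(describe_output):
    """Return the log groups whose kmsKeyId field is missing or empty."""
    return [g for g in describe_output.get("logGroups", []) if not g.get("kmsKeyId")]


def key_policy_statement(log_group):
    """Build a key policy statement that lets CloudWatch Logs use the key
    only when the encryption context names this one log group."""
    arn = log_group["arn"]
    if arn.endswith(":*"):
        arn = arn[:-2]  # the encryption context carries the ARN without ':*'
    region = arn.split(":")[3]
    return {
        "Sid": "AllowCloudWatchLogsForOneLogGroup",  # placeholder Sid
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{region}.amazonaws.com"},
        "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:Describe*"],
        "Resource": "*",
        "Condition": {"ArnEquals": {"kms:EncryptionContext:aws:logs:arn": arn}},
    }


if __name__ == "__main__":
    for group in unencrypted_log_groups(SAMPLE):
        print(json.dumps(key_policy_statement(group), indent=2))
```

The printed statement goes into the key policy of the KMS key before the key is associated with the log group.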


Implementation Steps:

  • via Management Console

  1. Through the console, a CloudWatch log group can be encrypted with a KMS key only at the time the log group is created.

  2. There is no way to encrypt a CloudWatch log group with a KMS key from the console once the log group has been created.

  3. However, an existing log group can be encrypted via the CLI.


  • Using AWS CLI

To enable encryption on a CloudWatch log group, associate a KMS key ARN with the log group using the associate-kms-key command.

aws logs associate-kms-key --log-group-name <value> --kms-key-id <key-arn>


Backout Plan:

  • via Management Console

The changes can be reverted only through the CLI, not through the Management Console.

  • Using AWS CLI

To disable encryption on the CloudWatch log group, disassociate the key associated with a log group, using the disassociate-kms-key command.

aws logs disassociate-kms-key --log-group-name <value>


Note:

The KMS key used for encryption could be an AWS managed key or a Customer-managed key.

However, it is recommended to use a new Customer-managed key with the right permissions since the user has more control over the key.

