Description:
CloudWatch log groups can be encrypted at rest using AWS KMS. This helps to protect the confidentiality of log data by making it more difficult for unauthorized users to access it.

Rationale:
Log data can contain sensitive information, such as passwords, API keys, and customer data. By encrypting log data, we can help to protect this information from unauthorized access.

Impact:
If CloudWatch log groups are not encrypted, unauthorized users could access sensitive information. This could lead to data breaches, financial losses, and reputational damage.

Default Value:
By default, CloudWatch log groups are not encrypted. However, AWS recommends that you encrypt your log groups to help protect their confidentiality.

Pre-requisites:

  • You must have access to the AWS KMS console.
  • You must have a KMS key that you want to use to encrypt your log groups.


Remediation Steps:

  1. In the AWS KMS console, select the KMS key that you want to use to encrypt your log groups.
  2. Click the "Actions" menu and select "Encrypt".
  3. In the "Encrypt" dialog box, select the log groups that you want to encrypt.
  4. Click the "Encrypt" button.


Test Plan:

  1. Verify that the log groups are encrypted by checking the "Log group encryption" setting in the AWS KMS console.
  2. Try to access the log data from an unauthorized account. You should not be able to access the data.

Implementation Plan:

AWS CLI Process:

Associate the KMS key with each log group (the key is referenced by its ARN):

aws logs associate-kms-key --log-group-name <log-group-name> --kms-key-id <kms-key-arn>


Using AWS GUI:

  1. In the AWS KMS console, select the KMS key that you want to use to encrypt your log groups.
  2. Click the "Actions" menu and select "Encrypt".
  3. In the "Encrypt" dialog box, select the log groups that you want to encrypt.
  4. Click the "Encrypt" button.


Backout Plan:

  1. In the AWS KMS console, select the KMS key that you used to encrypt your log groups.
  2. Click the "Actions" menu and select "Decrypt".
  3. In the "Decrypt" dialog box, select the log groups that you want to decrypt.
  4. Click the "Decrypt" button.
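As an added example (not from the original document), the following Python script works through the CLI implementation, the test-plan check and the backout of this control offline: it reads the JSON shape that `aws logs describe-log-groups` returns, lists the log groups that have no KMS key associated, and builds the matching `aws logs associate-kms-key` and `aws logs disassociate-kms-key` commands. The sample pages and the key ARN are constructed values.

```python
"""Audit CloudWatch log groups for KMS encryption and build remediation/backout commands.

Added example for this control; the `describe-log-groups` pages below are constructed
sample data shaped like the real API output (a `logGroups` list whose entries carry an
optional `kmsKeyId`, plus `nextToken` when more pages follow).
"""
import shlex

# Constructed sample: two pages, as returned across --next-token calls.
SAMPLE_PAGES = [
    {"logGroups": [
        {"logGroupName": "/aws/lambda/orders",
         "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"logGroupName": "/aws/lambda/payments"},
    ], "nextToken": "page2"},
    {"logGroups": [
        {"logGroupName": "/ecs/api-gateway"},
    ]},
]


def find_unencrypted_log_groups(pages):
    """Test-plan check: names of log groups with no KMS key associated, across all pages."""
    missing = []
    for page in pages:
        for group in page.get("logGroups", []):
            if not group.get("kmsKeyId"):
                missing.append(group["logGroupName"])
    return missing


def remediation_commands(log_group_names, kms_key_arn):
    """Implementation step: associate the key with each unencrypted log group.

    associate-kms-key requires the key ARN (not an alias or bare key ID). Only events
    ingested after the association are encrypted under the key, and the key policy
    must allow the logs.<region>.amazonaws.com service principal to use it."""
    if not kms_key_arn.startswith("arn:aws:kms:"):
        raise ValueError("kms_key_arn must be a full KMS key ARN")
    return ["aws logs associate-kms-key --log-group-name "
            f"{shlex.quote(name)} --kms-key-id {shlex.quote(kms_key_arn)}"
            for name in log_group_names]


def backout_commands(log_group_names):
    """Backout step: remove the key association from each log group."""
    return [f"aws logs disassociate-kms-key --log-group-name {shlex.quote(name)}"
            for name in log_group_names]


if __name__ == "__main__":
    unencrypted = find_unencrypted_log_groups(SAMPLE_PAGES)
    key_arn = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # constructed
    print("\n".join(remediation_commands(unencrypted, key_arn)))
```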

Note:

  • You can also encrypt your log groups using the CloudWatch console.
  • For more information, see the AWS KMS documentation: https://docs.aws.amazon.com/kms/latest/developerguide/.

Reference:
https://docs.aws.amazon.com/kms/latest/developerguide/