Profile Applicability:
Level 2
Description
AWS CloudTrail records AWS API calls and logs them to an S3 bucket. Encrypting CloudTrail logs with AWS Key Management Service (KMS) CMKs provides additional security and access control for sensitive log data. By enabling CloudTrail SSE-KMS encryption, you ensure that only authorized users can decrypt and access logs, reducing the risk of unauthorized access.
Rationale:
- Encrypting CloudTrail logs with SSE-KMS ensures confidentiality, integrity, and access control.
- Prevents unauthorized access to CloudTrail logs by enforcing IAM policies and KMS key policies.
- Protects against log tampering and data breaches.
- Helps meet compliance requirements for SOC 2, PCI-DSS, HIPAA, ISO 27001, and CIS benchmarks.
Without KMS encryption, CloudTrail logs are only protected by S3 bucket permissions, making them more vulnerable to unauthorized access.
Impact:
- Adds an extra layer of security by encrypting logs with CMKs.
- Enforces fine-grained access control via IAM & KMS policies.
- Helps with compliance audits and security best practices.
Default Value:
- CloudTrail logs are NOT encrypted with KMS by default.
- CloudTrail logs are encrypted using S3 server-side encryption (SSE-S3) by default, but not with customer-managed KMS CMKs.
Pre-Requisites:
IAM permissions required:
cloudtrail:UpdateTrail
kms:CreateKey
kms:PutKeyPolicy
kms:DescribeKey
kms:ListKeys
kms:GenerateDataKey
kms:Decrypt
AWS CLI installed for automation.
Remediation:
Test Plan:
Using AWS Console
Step 1: Check If CloudTrail Logs Are Encrypted with KMS
Log in to the AWS Management Console
Navigate to CloudTrail Console → AWS CloudTrail
Click Trails in the left navigation pane
Select a Trail
Click Edit under General details
Under S3 Section, ensure:
Log file SSE-KMS encryption is enabled
A KMS Key is selected
Repeat for all AWS Regions
Using AWS CLI
Step 1: List All CloudTrails and Check Encryption Status
aws cloudtrail describe-trails --query 'trailList[*].[Name, KmsKeyId]'
Example output:
[
    [
        "MyTrail",
        "arn:aws:kms:us-east-1:123456789012:key/abcdef-1234-5678-9101"
    ]
]
A trail whose KmsKeyId is null is not encrypted with SSE-KMS. Repeat for all AWS Regions.
Implementation steps:
Using AWS Console
Step 1: Enable SSE-KMS Encryption on CloudTrail Logs
Log in to the AWS Management Console
Navigate to CloudTrail Console → AWS CloudTrail
Click Trails in the left navigation pane
Click on a Trail
Under S3 Section, click the Edit button
Click Advanced Settings
Select an existing KMS CMK from the KMS Key ID dropdown
Ensure the CMK is in the same AWS region as the S3 bucket
Click Save
Using AWS CLI
Step 1: Create a KMS Key for CloudTrail
aws kms create-key --description "CloudTrail Log Encryption Key"
Step 2: Assign a Key Policy to Allow CloudTrail to Use the KMS Key
Create a JSON file (cloudtrail-kms-policy.json). A key policy replaces the key's whole existing policy, so it must also keep the account's administrative access (the first statement below); without it, put-key-policy is rejected by the KMS key policy lockout safety check. The second statement lets the CloudTrail service generate data keys, and its kms:EncryptionContext condition limits that to trails in this account. Replace 123456789012 with your account ID:
{
    "Id": "CloudTrailKMSPolicy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM policies",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow CloudTrail access",
            "Effect": "Allow",
            "Principal": { "Service": "cloudtrail.amazonaws.com" },
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": [
                        "arn:aws:cloudtrail:*:123456789012:trail/*"
                    ]
                }
            }
        }
    ]
}
Step 3: Attach the Key Policy to the KMS Key
aws kms put-key-policy --key-id <KMS-Key-ID> --policy file://cloudtrail-kms-policy.json
Step 4: Enable KMS Encryption on CloudTrail
aws cloudtrail update-trail --name MyTrail --kms-key-id <KMS-Key-ID>
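The test-plan check above and the Step 2 key policy can both be audited from saved CLI output. The following Python is an added example, not part of this benchmark or of any AWS tooling; it parses the JSON that aws cloudtrail describe-trails returns and a key policy document (both constructed samples with placeholder account and key IDs here), reports trails that carry no KMS key, and flags key policies that either fail to limit CloudTrail's use of the key to this account's trails or drop the account root's administrative access.

```python
import json
ACCOUNT = "123456789012"  # placeholder account ID reused from the page

# Constructed sample of `aws cloudtrail describe-trails` output (placeholder values).
SAMPLE_TRAILS = json.dumps({"trailList": [
    {"Name": "MyTrail", "KmsKeyId": f"arn:aws:kms:us-east-1:{ACCOUNT}:key/abcdef-1234-5678-9101"},
    {"Name": "LegacyTrail"}]})

# Constructed key policy: the page's CloudTrail statement plus a root admin statement.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM policies", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*"},
    {"Sid": "Allow CloudTrail access", "Effect": "Allow", "Resource": "*",
     "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "kms:GenerateDataKey*",
     "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                  [f"arn:aws:cloudtrail:*:{ACCOUNT}:trail/*"]}}},
]})

def _as_list(v):
    return v if isinstance(v, list) else [v]

def unencrypted_trails(describe_trails_json):
    """Names of trails with no KmsKeyId, i.e. logs protected by SSE-S3 only."""
    trails = json.loads(describe_trails_json).get("trailList", [])
    return sorted(t["Name"] for t in trails if not t.get("KmsKeyId"))

def key_policy_findings(policy_json, account_id):
    """Check that CloudTrail may generate data keys only for this account's trails
    and that account root keeps admin rights (else put-key-policy is rejected)."""
    findings, has_admin, has_cloudtrail = [], False, False
    for s in _as_list(json.loads(policy_json).get("Statement", [])):
        p = s.get("Principal")
        if s.get("Effect") != "Allow" or not isinstance(p, dict):  # non-dict principals not matched
            continue
        actions = _as_list(s.get("Action", []))
        if f"arn:aws:iam::{account_id}:root" in _as_list(p.get("AWS", [])) and "kms:*" in actions:
            has_admin = True
        if "cloudtrail.amazonaws.com" in _as_list(p.get("Service", [])):
            has_cloudtrail = True
            if not any(a == "kms:*" or a.startswith("kms:GenerateDataKey") for a in actions):
                findings.append(f"{s.get('Sid')}: CloudTrail statement lacks kms:GenerateDataKey*")
            cond = s.get("Condition", {}).get("StringLike", {})
            arns = _as_list(cond.get("kms:EncryptionContext:aws:cloudtrail:arn", []))
            if not arns or any(f":{account_id}:trail/" not in a for a in arns):
                findings.append(f"{s.get('Sid')}: condition does not limit use to this account's trails")
    if not has_cloudtrail:
        findings.append("no statement grants cloudtrail.amazonaws.com access to the key")
    if not has_admin:
        findings.append("no statement keeps account root administrative access")
    return findings
```

Feed it the real output of aws cloudtrail describe-trails and aws kms get-key-policy --policy-name default in place of the constructed samples.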
Backout Plan:
If enabling KMS encryption causes issues:
Disable KMS Encryption via AWS CLI (update-trail has no --no-kms-key-id option; passing an empty key ID clears the setting)
aws cloudtrail update-trail --name MyTrail --kms-key-id ""
Schedule Deletion of the KMS Key via AWS CLI (KMS has no delete-key command; a key is scheduled for deletion after a 7 to 30 day waiting period, during which the deletion can be cancelled)
aws kms schedule-key-deletion --key-id <KMS-Key-ID> --pending-window-in-days 30
Log files already written with this key can no longer be read once the key is deleted, so keep the key (disabled with aws kms disable-key if needed) for as long as those logs must stay accessible.
Ensure disabling encryption is justified before proceeding.