Profile Applicability:
Level 1
Description:
AWS CloudWatch Log Groups can be configured to use AWS Key Management Service (KMS) to protect the logs stored within them. Using KMS ensures that log data is encrypted at rest, which adds an extra layer of security by preventing unauthorized access to sensitive log information.
Rationale:
Encrypting CloudWatch Logs with AWS KMS ensures that the log data is protected at rest. This encryption prevents unauthorized access, helps comply with regulatory requirements, and improves overall data security. By using KMS, you can centrally manage the encryption keys, monitor their usage, and have better control over who can access the log data.
Impact:
Positive Impact: Enhances the security of log data and provides encryption at rest, ensuring that sensitive information within logs is secure.
Negative Impact: None, except for the need to manage KMS keys and the potential overhead of key management and monitoring.
Default Value:
By default, CloudWatch Log Groups are not encrypted using KMS. AWS CloudWatch uses server-side encryption with S3-managed keys (SSE-S3) unless a custom KMS key is configured.
Pre-Requisite:
IAM Permissions: The user must have sufficient permissions to view and modify CloudWatch Log Group settings (logs:DescribeLogGroups, logs:PutRetentionPolicy, kms:Encrypt, etc.).
AWS Services: CloudWatch, KMS.
Tools Required: AWS Management Console, AWS CLI.
Remediation:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to CloudWatch → Logs → Log Groups.
In the Log Groups section, select the log group you want to check.
In the Log Group Details section, under Encryption, verify if KMS is listed as the encryption option.
If it shows AWS-managed keys (default) or no encryption, you need to enable KMS encryption.
To enable KMS encryption:
Click on the Actions button and select Edit.
Under Encryption, select Use KMS key and choose an existing KMS key or create a new one.
Click Save to apply the encryption settings.
Using AWS CLI:
Describe log groups to check if any log group is encrypted with KMS:
aws logs describe-log-groups --query 'logGroups[*].logGroupName'
Get the details for a specific log group to see if KMS encryption is enabled (describe-log-groups filters by name prefix, so the query lists the name beside the key for every match):
aws logs describe-log-groups --log-group-name-prefix <logGroupName> --query 'logGroups[*].[logGroupName,kmsKeyId]'
If kmsKeyId is absent or empty, KMS encryption is not configured; enable it by associating a key with the log group:
aws logs associate-kms-key --log-group-name <logGroupName> --kms-key-id <KMSKeyID>
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console.
Navigate to CloudWatch → Logs → Log Groups.
Select a log group that you want to configure encryption for.
Click Actions and select Edit.
Under Encryption, choose Use KMS key and select a KMS key for encryption.
Click Save to enable encryption.
Using AWS CLI:
Run the following command to check the current encryption status of all log groups (the name is listed beside the key so unencrypted groups can be identified):
aws logs describe-log-groups --query 'logGroups[*].[logGroupName,kmsKeyId]'
For log groups without encryption, run the following command to enable encryption:
aws logs associate-kms-key --log-group-name <logGroupName> --kms-key-id <KMSKeyID>
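The CLI check-and-remediate steps above, as an added worked example that is not part of this benchmark: it parses the JSON that describe-log-groups prints, lists the log groups without a key, confirms the key policy grants the regional CloudWatch Logs service principal the actions it needs (associate-kms-key fails otherwise), and emits one associate-kms-key command per finding. The log group names, account id, key id and policy are constructed sample values.

```python
import json
import re
# Constructed sample of `aws logs describe-log-groups --output json` (not real account data).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"logGroups": [
    {"logGroupName": "/aws/lambda/orders-api", "storedBytes": 1024},
    {"logGroupName": "/app/payments", "storedBytes": 2048,
     "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"logGroupName": "/app/auth", "storedBytes": 0, "kmsKeyId": ""},
]})
# Constructed key policy of the shape CloudWatch Logs needs: its regional service principal
# must be allowed these five actions, or associate-kms-key is rejected.
LOGS_REQUIRED_ACTIONS = {"kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                         "kms:GenerateDataKey*", "kms:Describe*"}
SAMPLE_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "logs.us-east-1.amazonaws.com"},
     "Action": sorted(LOGS_REQUIRED_ACTIONS), "Resource": "*"},
]})
# associate-kms-key takes only the full key ARN, not an alias or bare key id.
KMS_KEY_ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")

def find_unencrypted(describe_output_json):
    """Names of log groups with no KMS key associated (kmsKeyId missing or empty)."""
    groups = json.loads(describe_output_json).get("logGroups", [])
    return [g["logGroupName"] for g in groups if not g.get("kmsKeyId")]

def key_policy_allows_logs(policy_json, region):
    """True if an Allow statement grants logs.<region>.amazonaws.com every required action."""
    principal = f"logs.{region}.amazonaws.com"
    for stmt in json.loads(policy_json).get("Statement", []):
        prin = stmt.get("Principal", {})
        services = prin.get("Service", []) if isinstance(prin, dict) else []
        services = [services] if isinstance(services, str) else services
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if stmt.get("Effect") == "Allow" and principal in services and LOGS_REQUIRED_ACTIONS <= actions:
            return True
    return False

def remediation_commands(log_group_names, kms_key_arn):
    """One associate-kms-key command per unencrypted group; rejects non-ARN key identifiers."""
    if not KMS_KEY_ARN_RE.match(kms_key_arn):
        raise ValueError("kms-key-id must be a full KMS key ARN")
    return [f"aws logs associate-kms-key --log-group-name '{n}' --kms-key-id '{kms_key_arn}'"
            for n in log_group_names]

if __name__ == "__main__":  # the caller running these commands needs logs:AssociateKmsKey
    key = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    if key_policy_allows_logs(SAMPLE_KEY_POLICY, "us-east-1"):
        print("\n".join(remediation_commands(find_unencrypted(SAMPLE_DESCRIBE_OUTPUT), key)))
```

Against a live account, pipe `aws logs describe-log-groups --output json` into find_unencrypted and `aws kms get-key-policy --policy-name default --output text` into key_policy_allows_logs instead of the embedded samples.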
Backout Plan:
Using AWS Management Console:
Sign in to the AWS Management Console.
Navigate to Amazon CloudWatch > Log Groups.
Select the log group for which KMS encryption was enabled.
Under the Settings or Encryption section, locate the KMS key associated with the log group.
Disassociate the KMS key by selecting the option to revert to the default encryption method (CloudWatch-managed encryption).
Save the changes to apply the updated configuration.
Using AWS CLI:
Retrieve the current configuration of the log group:
aws logs describe-log-groups --log-group-name-prefix <log-group-name>
Disassociate the KMS key from the log group:
aws logs disassociate-kms-key --log-group-name <log-group-name>
Verify the updated configuration:
aws logs describe-log-groups --log-group-name-prefix <log-group-name>