Profile Applicability

  • Level 1

Description:

AWS CloudTrail captures and logs all API calls made in an AWS account, providing crucial audit trails and security monitoring. Encrypting CloudTrail logs at rest using AWS Key Management Service (KMS) Customer Managed Keys (CMKs) ensures that the logs are securely stored and protected from unauthorized access. By using KMS CMKs, organizations can control and manage the encryption of their CloudTrail logs and ensure compliance with regulatory requirements.

Enabling this feature ensures that all CloudTrail logs are automatically encrypted with the specified CMKs and that access to these logs is restricted to authorized users.

Rationale:

Encrypting CloudTrail logs with KMS CMKs provides:

  • Enhanced security: Protects sensitive CloudTrail logs from unauthorized access.

  • Compliance: Ensures that logs meet regulatory and security standards (e.g., HIPAA, SOC 2, PCI DSS) requiring encrypted log storage.

  • Auditability: Allows for control over key access policies, ensuring only authorized entities can decrypt and access logs.

Without encryption, CloudTrail logs could be vulnerable to unauthorized access, exposing critical operational and security-related information.

Impact:

Failure to encrypt CloudTrail logs with KMS CMKs can result in:

  • Unauthorized access to critical security audit logs.

  • Violations of compliance requirements related to the encryption of logs.

  • Increased risk of exposure or tampering with CloudTrail logs, which could hinder incident detection and response.

Encrypting logs ensures that sensitive data in the logs is protected, thereby improving the security posture of your AWS environment.

Default Value:

By default, CloudTrail logs are stored unencrypted in S3. You must explicitly configure CloudTrail to use KMS CMKs for log encryption.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • cloudtrail:DescribeTrails

    • cloudtrail:UpdateTrail

    • kms:CreateKey

    • kms:PutKeyPolicy

  • KMS CMK must exist, or you need permissions to create one for CloudTrail log encryption

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the CloudTrail Console.

  2. Verify that CloudTrail is configured to encrypt logs using a KMS CMK.

  3. Go to the KMS Console and confirm that the specified CMK is available and properly configured.

Using AWS CLI (lists only trails that have a KMS key configured; a trail missing from the output is not encrypted with a CMK):

aws cloudtrail describe-trails --query "trailList[?KmsKeyId!=null].{TrailName:Name, KmsKeyId:KmsKeyId}" --output table

To check if the specified KMS CMK is available:

aws kms describe-key --key-id <kms-key-id> --query "KeyMetadata.KeyId" --output table

Implementation Plan:

Using AWS Console:

  1. Enable encryption for CloudTrail logs using KMS CMKs:

    • Go to the CloudTrail Console.

    • Select the trail for which you want to enable encryption.

    • In the KMS Key section, select the KMS CMK you want to use for log encryption. If no CMK exists, create a new one in the KMS Console.

    • Save the changes to apply encryption.

  2. Verify encryption settings in KMS Console:

    • Go to the KMS Console.

    • Ensure that the KMS CMK is configured correctly, and check access policies to ensure that only authorized users and roles can decrypt the logs.

Using AWS CLI:

  1. Enable encryption for CloudTrail logs using a KMS CMK:

aws cloudtrail update-trail --name <trail-name> --kms-key-id <kms-key-id>

  2. Verify encryption settings:

aws cloudtrail describe-trails --query "trailList[?KmsKeyId!=null].{TrailName:Name, KmsKeyId:KmsKeyId}" --output table
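The Test Plan and step 2 of the implementation plan check three things by hand: that each trail has a KMS key, that the key is a usable customer managed key, and that the key policy lets CloudTrail use it. The script below, an added example that is not part of this benchmark or of any AWS tooling, performs the same checks over the JSON that `aws cloudtrail describe-trails`, `aws kms describe-key` and `aws kms get-key-policy` return. The trail names, key ARNs, bucket names and the 111122223333 account id are constructed sample values; the function names are the example's own.

```python
"""Scripted version of the CloudTrail CMK encryption check (added example)."""
import fnmatch
import json

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"
# CloudTrail encrypts each log file under a data key, so the key policy must
# grant the service principal kms:GenerateDataKey*.
REQUIRED_ACTION = "kms:GenerateDataKey"

# Constructed sample ARNs (account 111122223333 is a placeholder).
GOOD_KEY = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
DEAD_KEY = "arn:aws:kms:us-east-1:111122223333:key/66666666-7777-8888-9999-000000000000"

# Constructed `describe-trails` output. Note the lowercase "trailList" key and
# that an unencrypted trail simply has no KmsKeyId attribute.
DESCRIBE_TRAILS = {"trailList": [
    {"Name": "org-trail", "S3BucketName": "example-cloudtrail-logs", "KmsKeyId": GOOD_KEY},
    {"Name": "legacy-trail", "S3BucketName": "example-legacy-logs"},
    {"Name": "stale-trail", "S3BucketName": "example-stale-logs", "KmsKeyId": DEAD_KEY},
]}

# Constructed `describe-key` output, indexed by key ARN.
DESCRIBE_KEY = {
    GOOD_KEY: {"KeyMetadata": {"KeyId": GOOD_KEY.rsplit("/", 1)[1], "Arn": GOOD_KEY,
                               "KeyState": "Enabled", "KeyManager": "CUSTOMER"}},
    DEAD_KEY: {"KeyMetadata": {"KeyId": DEAD_KEY.rsplit("/", 1)[1], "Arn": DEAD_KEY,
                               "KeyState": "PendingDeletion", "KeyManager": "CUSTOMER"}},
}

# Constructed `get-key-policy` output: "Policy" is a JSON document held in a string.
CLOUDTRAIL_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
     "Principal": {"Service": CLOUDTRAIL_SERVICE},
     "Action": "kms:GenerateDataKey*", "Resource": "*",
     "Condition": {"StringLike": {
         "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111122223333:trail/*"}}},
]})
# Same policy without the CloudTrail statement: the key exists but log delivery would fail.
ROOT_ONLY_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
]})
GET_KEY_POLICY = {GOOD_KEY: {"Policy": CLOUDTRAIL_KEY_POLICY},
                  DEAD_KEY: {"Policy": CLOUDTRAIL_KEY_POLICY}}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trails_without_cmk(describe_trails):
    """Names of trails with no KmsKeyId: the complement of the describe-trails query above."""
    return [t["Name"] for t in describe_trails.get("trailList", []) if not t.get("KmsKeyId")]


def cloudtrail_may_encrypt(policy_json):
    """True if an Allow statement grants cloudtrail.amazonaws.com kms:GenerateDataKey*."""
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if principal != "*" and CLOUDTRAIL_SERVICE not in services:
            continue
        # IAM action strings use '*' wildcards, which fnmatch handles.
        if any(fnmatch.fnmatchcase(REQUIRED_ACTION, a) for a in _as_list(stmt.get("Action", []))):
            return True
    return False


def evaluate_trails(describe_trails, describe_key, get_key_policy):
    """Return (trail name, PASS/FAIL, reason) for every trail in the account."""
    findings = []
    for trail in describe_trails.get("trailList", []):
        name, key_arn = trail["Name"], trail.get("KmsKeyId")
        if not key_arn:
            findings.append((name, "FAIL", "no KmsKeyId: log files are not encrypted with a CMK"))
            continue
        meta = describe_key.get(key_arn, {}).get("KeyMetadata")
        if meta is None:
            findings.append((name, "FAIL", "KmsKeyId refers to a key describe-key does not return"))
        elif meta.get("KeyManager") != "CUSTOMER":
            findings.append((name, "FAIL", "key is AWS managed, not a customer managed key"))
        elif meta.get("KeyState") != "Enabled":
            findings.append((name, "FAIL", f"key state is {meta['KeyState']}; CloudTrail cannot use it"))
        elif not cloudtrail_may_encrypt(get_key_policy.get(key_arn, {}).get("Policy", "{}")):
            findings.append((name, "FAIL", "key policy does not let cloudtrail.amazonaws.com generate data keys"))
        else:
            findings.append((name, "PASS", f"encrypted with enabled CMK {meta['KeyId']}"))
    return findings


if __name__ == "__main__":
    for name, status, reason in evaluate_trails(DESCRIBE_TRAILS, DESCRIBE_KEY, GET_KEY_POLICY):
        print(f"{status:4} {name:14} {reason}")
```

In a live account the three dictionaries come from the CLI commands named above (or the matching boto3 calls `describe_trails`, `describe_key` and `get_key_policy`); the evaluation logic is unchanged. The key-state and key-policy checks matter because a trail that points at a disabled, pending-deletion or mis-scoped key passes the describe-trails query yet silently stops delivering log files.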

Backout Plan:

Using AWS Console:

  1. If encryption causes performance issues or unnecessary overhead:

    • Go to the CloudTrail Console.

    • Select the trail and choose Edit.

    • Disable KMS encryption or switch to a different CMK if performance issues arise.

  2. If access issues arise, modify the KMS key policy or other KMS settings to adjust which principals can use the key.

Using AWS CLI:

  1. Temporarily disable encryption:

aws cloudtrail update-trail --name <trail-name> --kms-key-id ""

  2. Stop CloudTrail logging if encryption causes issues:

aws cloudtrail stop-logging --name <trail-name>

  3. Re-enable logging and encryption once issues are resolved:

aws cloudtrail start-logging --name <trail-name>
aws cloudtrail update-trail --name <trail-name> --kms-key-id <kms-key-id>

References:

CIS Controls Mapping:

  CIS Control Version | Control ID | Control Description
  --------------------+------------+---------------------------------------------------------------
  CIS v8              | 4.9        | Perform Continuous Security Monitoring and Incident Detection
  CIS v7              | 6.3        | Monitor Security Configurations for Compliance
  CIS v7              | 5.2        | Securely Manage and Monitor Cloud Accounts and Services