Profile Applicability:
Level 1
Description:
This control ensures that AWS CloudTrail logs are encrypted at rest using AWS Key Management Service (KMS) Customer Managed Keys (CMKs). By default, CloudTrail encrypts logs using Amazon S3 server-side encryption (SSE-S3). However, using KMS CMKs provides an additional layer of security, allowing for greater control over key rotation, access policies, and auditing of key usage.
Rationale:
Encrypting CloudTrail logs with KMS CMKs ensures that only authorized users and services can access sensitive audit data. It enhances security by enforcing stricter access controls, supporting compliance requirements (e.g., ISO 27001, SOC 2, HIPAA, GDPR), and allowing detailed auditing of encryption key usage. This prevents unauthorized access to critical log information stored in S3.
Impact:
Positive Impact: Provides stronger data protection, enables key rotation and granular access control, and improves compliance with data security standards.
Negative Impact: Slight increase in cost for KMS key management and potential latency in decryption during log access.
Default Value:
By default, CloudTrail encrypts log files using SSE-S3 managed by AWS. KMS CMK encryption must be explicitly enabled.
Pre-Requisite:
- AWS CloudTrail must be enabled and configured to deliver logs to an S3 bucket.
- A KMS CMK must exist in the same region where CloudTrail is configured.
- IAM permissions required:
  - cloudtrail:UpdateTrail
  - kms:DescribeKey
  - kms:ListAliases
  - kms:Encrypt
Remediation:
Test Plan
Using AWS Console:
- Sign in to the AWS Management Console.
- Navigate to CloudTrail → Trails.
- Select the existing trail.
- Under General details, check the Log file SSE-KMS encryption setting.
- Verify that a KMS key ID or alias is listed (e.g., alias/aws/cloudtrail or a custom CMK).
- If no KMS key is configured, the trail is not compliant.
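The same check can be scripted against the output of `aws cloudtrail describe-trails`, which is the CLI equivalent of the console view above. The script below is an added example, not part of this benchmark: it reads the `trailList` JSON (the field names `Name`, `HomeRegion`, `S3BucketName` and `KmsKeyId` are the real ones; the account ID, bucket names, key IDs and trail names in the embedded sample are constructed), reports any trail with no KMS key as non-compliant, and additionally warns when a key ARN's region differs from the trail's home region, since the prerequisites above require the key to be in the same region.

```python
"""Check CloudTrail trails for SSE-KMS log encryption from `describe-trails` output.

Added example for this benchmark control; not AWS or benchmark code.
Produce real input with:  aws cloudtrail describe-trails --output json
"""
import json
import sys

# Constructed sample in the shape of `aws cloudtrail describe-trails` output.
# Account ID, bucket names and key IDs are made up for illustration.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {   # CMK in the trail's own region: compliant
            "Name": "org-trail", "HomeRegion": "us-east-1",
            "S3BucketName": "example-cloudtrail-logs",
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
        },
        {   # No KmsKeyId at all: logs fall back to SSE-S3, not compliant
            "Name": "legacy-trail", "HomeRegion": "us-east-1",
            "S3BucketName": "example-legacy-logs",
        },
        {   # AWS managed key for CloudTrail, referenced by alias
            "Name": "dev-trail", "HomeRegion": "eu-west-1",
            "S3BucketName": "example-dev-logs",
            "KmsKeyId": "alias/aws/cloudtrail",
        },
        {   # CMK present but in another region: compliant per the test plan, with a warning
            "Name": "cross-region-trail", "HomeRegion": "us-west-2",
            "S3BucketName": "example-west-logs",
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        },
    ]
})


def classify_key(kms_key_id):
    """Return (key_type, region) for a KmsKeyId value.

    key_type is 'none', 'aws-managed' or 'cmk'. region is parsed from a key or
    alias ARN; for bare aliases and key IDs the region is not encoded (None).
    """
    if not kms_key_id:
        return "none", None
    if kms_key_id.startswith("arn:"):
        parts = kms_key_id.split(":")           # arn:partition:service:region:account:resource
        region = parts[3] if len(parts) > 5 else None
        resource = parts[5] if len(parts) > 5 else ""
        if resource.startswith("alias/aws/"):
            return "aws-managed", region
        return "cmk", region
    if kms_key_id.startswith("alias/aws/"):
        return "aws-managed", None
    return "cmk", None                          # bare key ID or customer alias


def evaluate_trails(describe_trails_json):
    """Return one finding per trail: compliant iff a KMS key is configured.

    A key ARN whose region differs from HomeRegion is reported as a warning,
    matching the 'same region' prerequisite, without changing the verdict.
    """
    findings = []
    for trail in json.loads(describe_trails_json).get("trailList", []):
        key_id = trail.get("KmsKeyId")
        key_type, key_region = classify_key(key_id)
        home = trail.get("HomeRegion")
        warnings = []
        if key_region and home and key_region != home:
            warnings.append(f"key region {key_region} differs from trail home region {home}")
        findings.append({
            "name": trail.get("Name"),
            "kms_key_id": key_id,
            "key_type": key_type,
            "compliant": key_type != "none",
            "warnings": warnings,
        })
    return findings


def noncompliant_trails(describe_trails_json):
    """Names of trails whose log files are not SSE-KMS encrypted."""
    return [f["name"] for f in evaluate_trails(describe_trails_json) if not f["compliant"]]


if __name__ == "__main__":
    # Read real describe-trails output from a pipe, else use the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_TRAILS
    for f in evaluate_trails(data):
        status = "PASS" if f["compliant"] else "FAIL"
        extra = "; " + "; ".join(f["warnings"]) if f["warnings"] else ""
        print(f"{status} {f['name']}: key={f['kms_key_id'] or '-'} ({f['key_type']}){extra}")
```

Run it with `aws cloudtrail describe-trails --output json | python3 check_trail_kms.py` (the file name is arbitrary). Trails reported as FAIL are the ones the Implementation Plan below needs to be applied to; a trail that passes with a region warning is worth a second look against the prerequisites even though the console check alone would accept it.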
Implementation Plan
Using AWS Console:
- Navigate to the AWS CloudTrail Console.
- Select Trails → choose the trail to modify.
- In the General details section, click Edit.
- Under Log file SSE-KMS encryption, select Enable.
- Choose KMS key:
  - Either select the default AWS managed key (aws/cloudtrail), or
  - Select a Customer Managed Key (CMK) from the dropdown.
- Click Save changes.
- Verify that encryption is enabled by checking that the KMS key ARN appears in the trail configuration.
Backout Plan
Using AWS Console:
- Go to AWS CloudTrail Console → Trails.
- Select the trail currently using KMS encryption.
- Click Edit.
- Under Log file SSE-KMS encryption, uncheck Enable.
- Click Save changes to revert to default SSE-S3 encryption.