Skip to main content

πŸ“ AWS CloudTrail is not encrypted with KMS CMK 🟒

  • Contextual name: πŸ“ CloudTrail is not encrypted with KMS CMK 🟒
  • ID: /ce/ca/aws/cloudtrail/encryption-with-kms-cmk
  • Located in: πŸ“ AWS CloudTrail

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-d896d1721

Logic​

Description​

Open File

Description​

AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.

Rationale​

Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.

Impact​

Customer created keys incur an additional cost. See https://aws.amazon.com/kms/pricing/ for more information.

Audit​

Perform the following to determine if CloudTrail is configured to use SSE-KMS:

... see more

Remediation​

Open File

Remediation​

Perform the following to configure CloudTrail to use SSE-KMS:

From Console​

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.

  2. In the left navigation pane, choose Trails.

  3. Click on a Trail.

  4. Under the S3 section click on the edit button (pencil icon).

  5. Click Advanced.

  6. Select an existing CMK from the KMS key Id drop-down menu.

  • Note: Ensure the CMK is located in the same region as the S3 bucket.

  • Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided here for editing the selected CMK Key policy.

  1. Click Save.
  2. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files.
  3. Click Yes.

From Command Line​

Run the following command to specify a KMS key ID to use with a trail:

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [CloudTrail.2] CloudTrail should have encryption at-rest enabled1
πŸ’Ό CIS AWS v1.2.0 β†’ πŸ’Ό 2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs1
πŸ’Ό CIS AWS v1.3.0 β†’ πŸ’Ό 3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs1
πŸ’Ό CIS AWS v1.4.0 β†’ πŸ’Ό 3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs1
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs - Level 2 (Automated)1
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs - Level 2 (Automated)1
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 3.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs - Level 2 (Automated)1
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 3.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Automated)1
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 3.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Automated)1
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 3.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption31
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-9 Protection of Audit Information (L)(M)(H)3911
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-3(6) Cryptography Management (H)4
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(10) Prevent Exfiltration (H)4
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1316
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)1717
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)512
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-9 Protection of Audit Information (L)(M)(H)11
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)16
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)117
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)12
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-9 Protection of Audit Information (L)(M)(H)111
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)16
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)117
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)12
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected82
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected69
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected67
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-9 Protection of Audit Information724
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CA-9(1) Internal System Connections _ Compliance Checks15
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-3(6) Configuration Change Control _ Cryptography Management4
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(10) Boundary Protection _ Prevent Exfiltration4
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-13 Cryptographic Protection46
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28 Protection of Information at Rest31518
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28(1) Protection of Information at Rest _ Cryptographic Protection1012
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection6
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.5.2 Protect audit trail files from unauthorized modifications.24
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.3.2 Audit log files are protected to prevent modifications by individuals.4
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.3.2 Audit log files are protected to prevent modifications by individuals.4