CloudTrail log files should be encrypted with customer managed KMS keys

Description
By default, the log files delivered by CloudTrail to your bucket are encrypted with Amazon S3-managed encryption keys (SSE-S3). To get control over key rotation and obtain auditing visibility into key usage, use SSE-KMS to encrypt your log files with customer managed KMS keys.
Remediation Steps

AWS Console

1. Navigate to CloudTrail.
2. In the left navigation, select Trails.
3. Click on a Trail.
4. Under General details, click Edit.
5. In Log file SSE-KMS encryption, select Enabled.
6. In Customer managed AWS KMS key, either use a new or an existing key.
7. Enter the AWS KMS alias.
8. Click Save changes.
AWS CLI

1. Create a new KMS key to use for CloudTrail encryption. If you already have a key you wish to use, skip this step.

aws kms create-key

2. Update the KMS key policy to provide the necessary permissions.

aws kms put-key-policy --key-id "<key-arn>" --policy-name default --policy '{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::<aws-account-number>:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow CloudTrail to encrypt logs",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "kms:GenerateDataKey*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn": ["arn:aws:cloudtrail:*:<aws-account-number>:trail/*"]
        }
      }
    },
    {
      "Sid": "Enable CloudTrail log decrypt permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::<aws-account-number>:<role-or-user>/<role-name-or-user-name>"},
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "Null": {"kms:EncryptionContext:aws:cloudtrail:arn": "false"}
      }
    },
    {
      "Sid": "Allow CloudTrail access",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "kms:DescribeKey",
      "Resource": "*"
    }
  ]
}'

3. Update the trail configuration with the KMS key ID.

aws cloudtrail update-trail --name france --kms-key-id "<key-arn>" --s3-bucket-name <bucket-name>
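To verify the result of the CLI steps above (or to find trails that still need them), the following added example audits each trail and the key policy it depends on. It is not part of the original page; it runs offline on constructed sample data shaped like the responses of `aws cloudtrail describe-trails`, `aws kms describe-key` and `aws kms get-key-policy`. The account id, key ARNs and trail names are constructed placeholders. To run it against a real account, replace the constructed dicts with the boto3 calls `cloudtrail.describe_trails()`, `kms.describe_key()` and `json.loads(kms.get_key_policy(...)["Policy"])`; the checking functions do not change.

```python
"""Added example: audit CloudTrail trails and the KMS key policy for the
customer managed key requirement. Not from the original page."""
import json
from fnmatch import fnmatch

ACCOUNT = "111122223333"  # constructed account id
CMK = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/bbbbbbbb-2222-2222-2222-222222222222"
AWS_KEY = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/aaaaaaaa-1111-1111-1111-111111111111"

# Constructed trailList entries: no key, an AWS managed key, a customer managed key.
TRAILS = [
    {"Name": "no-key", "S3BucketName": "bucket-a"},
    {"Name": "aws-managed", "S3BucketName": "bucket-b", "KmsKeyId": AWS_KEY},
    {"Name": "cmk", "S3BucketName": "bucket-c", "KmsKeyId": CMK},
]

# Constructed KeyMetadata; KeyManager is "AWS" for AWS managed keys, "CUSTOMER" otherwise.
KEYS = {
    AWS_KEY: {"KeyManager": "AWS", "KeyState": "Enabled"},
    CMK: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
}

# Constructed: mirrors the structure of the key policy in the CLI steps above.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                      [f"arn:aws:cloudtrail:*:{ACCOUNT}:trail/*"]}}},
        {"Sid": "Allow CloudTrail access", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:DescribeKey", "Resource": "*"},
    ],
}
# Constructed: the same policy with the encryption-context condition dropped.
WEAK_POLICY = json.loads(json.dumps(GOOD_POLICY))
del WEAK_POLICY["Statement"][1]["Condition"]


def trail_finding(trail, keys):
    """Return None if the trail is compliant, otherwise a description of the gap."""
    key_arn = trail.get("KmsKeyId")
    if not key_arn:
        return "log files use SSE-S3: no KMS key configured"
    meta = keys.get(key_arn)
    if meta is None:
        return f"KMS key {key_arn} not found in this account"
    if meta.get("KeyManager") != "CUSTOMER":
        return f"KMS key {key_arn} is AWS managed, not customer managed"
    if meta.get("KeyState") != "Enabled":
        return f"KMS key {key_arn} is in state {meta.get('KeyState')}"
    return None


def audit_trails(trails, keys):
    return {t["Name"]: trail_finding(t, keys) for t in trails}


def _as_list(value):
    # Policy documents allow a bare string wherever a list is accepted.
    return value if isinstance(value, list) else [value]


def _allows(statement, service, action):
    """True if an Allow statement grants `action` to the given service principal."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict) or service not in _as_list(principal.get("Service", [])):
        return False
    patterns = [a.lower() for a in _as_list(statement.get("Action", []))]
    return any(fnmatch(action.lower(), p) for p in patterns)  # handles kms:* and kms:GenerateDataKey*


def _condition_keys(statement):
    return {k.lower() for operator in statement.get("Condition", {}).values() for k in operator}


def key_policy_findings(policy):
    """Check the grants CloudTrail needs: GenerateDataKey scoped by the
    aws:cloudtrail:arn encryption context, plus DescribeKey."""
    findings = []
    statements = _as_list(policy.get("Statement", []))
    gen = [s for s in statements if _allows(s, "cloudtrail.amazonaws.com", "kms:GenerateDataKey")]
    if not gen:
        findings.append("cloudtrail.amazonaws.com is not allowed kms:GenerateDataKey*")
    elif not any("kms:encryptioncontext:aws:cloudtrail:arn" in _condition_keys(s) for s in gen):
        # Without the condition the service principal could use the key for trails outside this account.
        findings.append("kms:GenerateDataKey* grant is not scoped by kms:EncryptionContext:aws:cloudtrail:arn")
    if not any(_allows(s, "cloudtrail.amazonaws.com", "kms:DescribeKey") for s in statements):
        findings.append("cloudtrail.amazonaws.com is not allowed kms:DescribeKey")
    return findings


if __name__ == "__main__":
    for name, finding in audit_trails(TRAILS, KEYS).items():
        print(f"{name}: {finding or 'compliant'}")
    print("key policy:", key_policy_findings(GOOD_POLICY) or "ok")
    print("weak policy:", key_policy_findings(WEAK_POLICY))
```

The key-policy check deliberately treats a GenerateDataKey grant without the `kms:EncryptionContext:aws:cloudtrail:arn` condition as a finding: the page's policy scopes that grant to trails in your own account, and a policy that omits the condition still "works" for CloudTrail, so a check that only looks for the action would miss it.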
CloudFormation

JSON

Ensure that AWS::CloudTrail::Trail contains the following:

{
  "Properties": {
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-2:000000000000:log-group:megabank-prod",
    "IsLogging": true,
    "KMSKeyId": "alias/MyAliasName",
    "S3BucketName": "yourbucketname"
  }
}

JSON Example Configuration

{
  "Type": "AWS::CloudTrail::Trail",
  "Properties": {
    "IsLogging": true,
    "KMSKeyId": "alias/MyAliasName",
    "S3BucketName": "yourbucketname"
  }
}

Add the other required fields alongside these (JSON does not allow a placeholder comment inside the object).
YAML

Ensure that AWS::CloudTrail::Trail contains the following:

Properties:
  IsLogging: true
  KMSKeyId: alias/MyAliasName
  S3BucketName: yourbucketname

YAML Example Configuration

Type: AWS::CloudTrail::Trail
Properties:
  IsLogging: true
  KMSKeyId: alias/MyAliasName
  S3BucketName: yourbucketname
  # other required fields here
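A static check for the CloudFormation requirement above, added here as an example that is not part of the original page. It loads a template in JSON form (a constructed one is embedded) and reports every AWS::CloudTrail::Trail resource whose KMSKeyId is missing or empty. A KMSKeyId given as a Ref or Fn::GetAtt to an AWS::KMS::Key or AWS::KMS::Alias in the same template is accepted, and a Ref to a template parameter is accepted because the value is only known at deploy time. YAML templates can be loaded with PyYAML and passed to the same function.

```python
"""Added example: flag AWS::CloudTrail::Trail resources in a CloudFormation
template that do not set KMSKeyId. Not from the original page."""
import json

# Constructed template: one trail per case the check handles.
TEMPLATE = json.loads("""
{
  "Parameters": {"KeyArnParam": {"Type": "String"}},
  "Resources": {
    "LogKey": {"Type": "AWS::KMS::Key",
      "Properties": {"KeyPolicy": {"Version": "2012-10-17", "Statement": []}}},
    "AliasTrail": {"Type": "AWS::CloudTrail::Trail",
      "Properties": {"IsLogging": true, "KMSKeyId": "alias/MyAliasName", "S3BucketName": "yourbucketname"}},
    "GetAttTrail": {"Type": "AWS::CloudTrail::Trail",
      "Properties": {"IsLogging": true, "KMSKeyId": {"Fn::GetAtt": ["LogKey", "Arn"]}, "S3BucketName": "yourbucketname"}},
    "ParamTrail": {"Type": "AWS::CloudTrail::Trail",
      "Properties": {"IsLogging": true, "KMSKeyId": {"Ref": "KeyArnParam"}, "S3BucketName": "yourbucketname"}},
    "PlainTrail": {"Type": "AWS::CloudTrail::Trail",
      "Properties": {"IsLogging": true, "S3BucketName": "yourbucketname"}},
    "EmptyTrail": {"Type": "AWS::CloudTrail::Trail",
      "Properties": {"IsLogging": true, "KMSKeyId": "", "S3BucketName": "yourbucketname"}}
  }
}
""")

KMS_TYPES = {"AWS::KMS::Key", "AWS::KMS::Alias"}


def kms_key_problem(value, template):
    """Return None if KMSKeyId resolves to something usable, else a reason string."""
    if value is None:
        return "KMSKeyId not set: log files fall back to SSE-S3"
    if isinstance(value, str):
        return None if value.strip() else "KMSKeyId is empty"
    if isinstance(value, dict):
        if "Ref" in value:
            target = value["Ref"]
            if target in template.get("Parameters", {}):
                return None  # supplied at deploy time; cannot be verified statically
        elif "Fn::GetAtt" in value:
            getatt = value["Fn::GetAtt"]  # list form ["LogKey", "Arn"] or string "LogKey.Arn"
            target = getatt.split(".")[0] if isinstance(getatt, str) else getatt[0]
        else:
            return f"unsupported intrinsic function {list(value)}"
        if template.get("Resources", {}).get(target, {}).get("Type") in KMS_TYPES:
            return None
        return f"KMSKeyId references {target!r}, which is not a KMS key or alias"
    return f"KMSKeyId has unexpected type {type(value).__name__}"


def trails_without_cmk(template):
    """Map each non-compliant AWS::CloudTrail::Trail logical id to its problem."""
    problems = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::CloudTrail::Trail":
            continue
        problem = kms_key_problem(resource.get("Properties", {}).get("KMSKeyId"), template)
        if problem:
            problems[logical_id] = problem
    return problems


if __name__ == "__main__":
    for logical_id, problem in trails_without_cmk(TEMPLATE).items():
        print(f"{logical_id}: {problem}")
```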
Terraform

Ensure that the aws_cloudtrail kms_key_id field includes the KMS key ARN to use to encrypt the logs delivered by CloudTrail.

Example Configuration

resource "aws_cloudtrail" "example" {
  kms_key_id = "arn:aws:kms:example-key-id"
  # other required fields here
}