CloudTrail log files should be encrypted with customer managed KMS keys

Description

By default, the log files delivered by CloudTrail to your bucket are encrypted with Amazon S3-managed encryption keys (SSE-S3). To get control over key rotation and obtain auditing visibility into key usage, use SSE-KMS to encrypt your log files with customer managed KMS keys.

Remediation Steps

AWS Console

  • Navigate to CloudTrail.

  • In the left navigation, select Trails.

  • Click on a Trail.

  • Under General details, click Edit.

  • Under Log file SSE-KMS encryption, select Enabled.

  • Under Customer managed AWS KMS key, either create a new key or select an existing one.

  • Enter the AWS KMS alias.

  • Click Save changes.

AWS CLI

  • Create a new KMS key to use for CloudTrail encryption. If you already have a key you wish to use, skip this step.

    • aws kms create-key

  • Update the KMS key policy to provide the necessary permissions.

    • aws kms put-key-policy --key-id "<key-arn>" --policy-name default --policy '{
        "Version": "2012-10-17",
        "Id": "key-default-1",
        "Statement": [
          {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::<aws-account-number>:root"},
            "Action": "kms:*",
            "Resource": "*"
          },
          {
            "Sid": "Allow CloudTrail to encrypt logs",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            "Condition": {
              "StringLike": {
                "kms:EncryptionContext:aws:cloudtrail:arn": ["arn:aws:cloudtrail:*:<aws-account-number>:trail/*"]
              }
            }
          },
          {
            "Sid": "Enable CloudTrail log decrypt permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::<aws-account-number>:<role-or-user>/<role-name-or-user-name>"},
            "Action": "kms:Decrypt",
            "Resource": "*",
            "Condition": {
              "Null": {"kms:EncryptionContext:aws:cloudtrail:arn": "false"}
            }
          },
          {
            "Sid": "Allow CloudTrail access",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "kms:DescribeKey",
            "Resource": "*"
          }
        ]
      }'

  • Update the trail configuration with the KMS key ID.

    • aws cloudtrail update-trail --name <trail-name> --kms-key-id "<key-arn>" --s3-bucket-name <bucket-name>
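After running the CLI steps above, a practitioner usually wants to confirm two things: that every trail actually carries a KmsKeyId (otherwise its log files silently fall back to SSE-S3), and that the key policy grants cloudtrail.amazonaws.com kms:GenerateDataKey only under the aws:cloudtrail:arn encryption-context condition scoped to this account's trails. The check below is an added example, not part of the original page or of any AWS tooling. It uses only the Python standard library and runs on constructed sample documents embedded inline; in practice you would feed it the parsed output of `aws cloudtrail describe-trails` and `aws kms get-key-policy --policy-name default`. The function names and the sample account number 111111111111 are assumptions made for the example.

```python
import json

# Constructed sample of `aws cloudtrail describe-trails` output (not real account data).
# "legacy-trail" has no KmsKeyId, so its log files are still encrypted with SSE-S3.
SAMPLE_TRAILS = {
    "trailList": [
        {
            "Name": "prod-trail",
            "S3BucketName": "example-logs",
            "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000",
        },
        {"Name": "legacy-trail", "S3BucketName": "example-logs"},
    ]
}

# Constructed key policy with the same shape as the page's put-key-policy command
# (account number is a placeholder, not a real account).
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {"StringLike": {
             "kms:EncryptionContext:aws:cloudtrail:arn": ["arn:aws:cloudtrail:*:111111111111:trail/*"]}}},
        {"Sid": "Allow CloudTrail access", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:DescribeKey", "Resource": "*"},
    ],
}

CONTEXT_KEY = "kms:EncryptionContext:aws:cloudtrail:arn"
GENERATE_ACTIONS = ("kms:GenerateDataKey*", "kms:GenerateDataKey", "kms:*")


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trails_without_cmk(describe_trails_output):
    """Names of trails whose log files are not encrypted with a KMS key (SSE-S3 fallback)."""
    return [t["Name"] for t in describe_trails_output.get("trailList", []) if not t.get("KmsKeyId")]


def cloudtrail_generate_key_statements(policy):
    """Allow statements that let the CloudTrail service principal generate data keys."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "cloudtrail.amazonaws.com" not in services:
            continue
        if any(a in GENERATE_ACTIONS for a in _as_list(st.get("Action", []))):
            yield st


def key_policy_findings(policy, account_id):
    """Return human-readable findings; an empty list means the policy matches the page's pattern."""
    findings = []
    statements = list(cloudtrail_generate_key_statements(policy))
    if not statements:
        return ["no Allow statement lets cloudtrail.amazonaws.com call kms:GenerateDataKey"]
    for st in statements:
        sid = st.get("Sid", "<no Sid>")
        patterns = _as_list(st.get("Condition", {}).get("StringLike", {}).get(CONTEXT_KEY, []))
        if not patterns:
            # Without the encryption-context condition, any trail in any account that can
            # reach this key could use it to encrypt its logs.
            findings.append(f"statement {sid!r} grants GenerateDataKey to CloudTrail without an {CONTEXT_KEY} condition")
        elif not any(f":{account_id}:trail/" in p for p in patterns):
            findings.append(f"statement {sid!r} is not restricted to trails in account {account_id}")
    return findings


if __name__ == "__main__":
    print("trails still on SSE-S3:", trails_without_cmk(SAMPLE_TRAILS))
    print("key policy findings:", json.dumps(key_policy_findings(SAMPLE_KEY_POLICY, "111111111111")))
```

Run against the embedded samples it reports legacy-trail as still using SSE-S3 and no key-policy findings; swapping in a different account number, or a policy whose CloudTrail statement lacks the StringLike condition, produces a finding for each problem.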

CloudFormation

JSON

{
    "Properties": {
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-2:000000000000:log-group:megabank-prod",
        "IsLogging": true,
        "KMSKeyId": "alias/MyAliasName",
        "S3BucketName": "yourbucketname"
    }
}

Note that the CloudWatch Logs ARN uses the service name "logs", and that when CloudWatchLogsLogGroupArn is set, CloudWatchLogsRoleArn must be set as well.

JSON Example Configuration

{
  "Type": "AWS::CloudTrail::Trail",
  "Properties": {
    "IsLogging": true,
    "KMSKeyId": "alias/MyAliasName",
    "S3BucketName": "yourbucketname"
  }
}

Other required properties are omitted above; JSON does not allow comments, so they cannot be marked inline as in the YAML example.

YAML

Properties:
  IsLogging: true
  KMSKeyId: alias/MyAliasName
  S3BucketName: yourbucketname

YAML Example Configuration

Type: AWS::CloudTrail::Trail
Properties:
  IsLogging: true
  KMSKeyId: alias/MyAliasName
  S3BucketName: yourbucketname
  # other required fields here

Terraform

  • Ensure that the aws_cloudtrail kms_key_id field includes the KMS key ARN to use to encrypt the logs delivered by CloudTrail.

Example Configuration

resource "aws_cloudtrail" "example" {
  kms_key_id = "arn:aws:kms:<region>:<aws-account-number>:key/<key-id>"
  # other required fields here
}