CloudTrail Logs Encrypted

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features

Knowledge Base Amazon Web Services AWS CloudTrail CloudTrail Logs Encrypted

Last updated: 10 November 2017

Risk level: Medium (should be achieved)

Rule ID: CT-008

Ensure that your CloudTrail logs are encrypted at rest using server-side encryption provided by AWS KMS–Managed Keys (SSE-KMS) to enhance the security of your CloudTrail bucket and allow you to have better control over who can read the log files in your organization.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Enabling CloudTrail log files encryption using SSE-KMS will facilitate a strong security layer that is directly manageable by you using your KMS Customer Master Keys (CMK) rather than allowing S3 to manage it by default using S3-managed encryption keys (SSE-S3).

Note: The CMK used must be in the same region as the S3 bucket that receives your CloudTrail log files.

Audit

To determine if your CloudTrail trails have the SSE-KMS encryption feature enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to examine.

05 Under S3 section, check for Encrypt log files status:

If the feature status is set to No, the selected trail does not support SSE-KMS encryption for its log files.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list all trails available in the selected AWS region:

aws cloudtrail describe-trails

02 The command output should expose the configuration details for each CloudTrail trail available. If KmsKeyId config parameter key is absent from the output, the selected trail is not using SSE-KMS encryption to encrypt its log files:

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyGlobalTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:
                         123456789012:trail/MyGlobalTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": false,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

Remediation / Resolution

To enable SSE-KMS encryption for your CloudTrail log files, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to update.

05 Click the pencil icon:

next to S3 section to edit the trail bucket configuration.

06 Under S3 bucket* click Advanced.

07 Select Yes next to Encrypt log files to encrypt your log files with SSE-KMS using a Customer Master Key (CMK).

08 Select Yes next to Create a new KMS key to create a new CMK and enter a name for it:

Otherwise select No to use an existing CMK encryption key available in the region:

09 Click Save to enable SSE-KMS encryption.

Using AWS CLI

Case A: enable SSE-KMS encryption using a new KMS Customer Master Key:

01Create a policy that enables CloudTrail to encrypt and IAM users to decrypt the log files for the selected trail. Create a new policy document called cloudtrail-bucket-policy.json and paste the following (replace the highlighted details with your details):

{
  "Version": "2012-10-17",
  "Id": "Key policy created by CloudTrail",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws_account_id:user/iam_user_name"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow CloudTrail to encrypt logs",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "kms:GenerateDataKey*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn":
          "arn:aws:cloudtrail:*:aws_account_id:trail/*"
        }
      }
    },
    {
      "Sid": "Allow CloudTrail to describe key",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    },
    {
      "Sid": "Allow principals in the account to decrypt log files",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncryptFrom"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "aws_account_id"
        },
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn":
          "arn:aws:cloudtrail:*:aws_account_id:trail/*"
        }
      }
    },
    {
      "Sid": "Allow alias creation during setup",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "kms:CreateAlias",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "aws_account_id",
          "kms:ViaService": "ec2.aws_region_name.amazonaws.com"
        }
      }
    },
    {
      "Sid": "Enable cross account log decryption",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncryptFrom"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "aws_account_id"
        },
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn":
          "arn:aws:cloudtrail:*:aws_account_id:trail/*"
        }
      }
    }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the policy created earlier to create the new CMK encryption key:

aws kms create-key
    --policy file://cloudtrail-bucket-policy.json

03 The command output should return the new CMK configuration details:

{
    "KeyMetadata": {
        "KeyId": "265bb9c7-ccfc-4cf1-9686-54866f31d647",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1460563726.544,
        "Arn": "arn:aws:kms:us-east-1:123456789012:
                key/265bb9c7-ccfc-4cf1-9686-54866f31d647",
        "AWSAccountId": "123456789012"
    }
}

04 Run create-alias command (OSX/Linux/UNIX) using your new Customer Master Key ID to attach a display name to the key:

aws kms create-alias
    --alias-name alias/MyCloudTrailCMK
    --target-key-id 265bb9c7-ccfc-4cf1-9686-54866f31d647

05 Run update-trail command (OSX/Linux/UNIX) using the trail name that you need to update and the new CMK key ID in order to enable SSE-KMS encryption for the trail log files:

aws cloudtrail update-trail
    --name MyGlobalTrail
    --kms-key-id 265bb9c7-ccfc-4cf1-9686-54866f31d647

06 The command output should return a valid ARN as KmsKeyId parameter value, which means that the SSE-KMS encryption is currently enabled for the selected CloudTrail trail:

{
    "IncludeGlobalServiceEvents": true,
    "Name": "MyGlobalTrail",
    "TrailARN": "arn:aws:cloudtrail:us-east-1:
                 123456789012:trail/MyGlobalTrail",
    "LogFileValidationEnabled": false,
    "KmsKeyId": "arn:aws:kms:us-east-1:
                 123456789012:key/265bb9c7-ccfc-4cf1-9686-54866f31d647",
    "S3BucketName": "cloudtrail-global-logging",
}

Case B: enable SSE-KMS encryption using an existing KMS Customer Master Key:

01Run list-aliases command (OSX/Linux/UNIX) to list all KMS customer master keys available in the selected AWS region. The existing key must be in the same region with the S3 bucket that receives the log files:

aws kms list-aliases
  --region us-east-1

02The command output should return all available customer master keys and their configuration details (alias name, alias ARN, target key ID):

{
    "Aliases": [
        {
            "AliasArn": "arn:aws:kms:us-east-1:123456789012:
                         alias/MyCloudTrailCMK",
            "AliasName": "alias/MyCloudTrailCMK",
            "TargetKeyId": "0a865351-7c39-4ef1-a4a3-03280af8ee05"
        },
        {
            "AliasArn": "arn:aws:kms:us-east-1:123456789012:
                         alias/MyEBSMasterKey",
            "AliasName": "alias/MyEBSMasterKey",
            "TargetKeyId": "2c165454-f692-4585-b814-81a255142894"
        }
    ]
}

03Run update-trail command (OSX/Linux/UNIX) using the selected trail name and the Customer Master Key alias name to update the trail configuration and enable SSE-KMS encryption:

aws cloudtrail update-trail
    --name MyGlobalTrail
    --kms-key-id alias/MyCloudTrailCMK

04The command output should return the new configuration details for the selected trail. Since the SSE-KMS encryption for the selected trail is now enabled, the KmsKeyId parameter value should match your existing Customer Master Key ARN:

{
    "IncludeGlobalServiceEvents": true,
    "Name": "MyGlobalTrail",
    "TrailARN": "arn:aws:cloudtrail:us-east-1:
                 123456789012:trail/MyGlobalTrail",
    "LogFileValidationEnabled": false,
    "KmsKeyId": "arn:aws:kms:us-east-1:
                 123456789012:key/4df6fa10-a6af-4732-a876-c15723a123f9",
    "IsMultiRegionTrail": true,
    "S3BucketName": "cloudtrail-global-logging",
}

References

AWS Command Line Interface (CLI) Documentation
describe-trails
update-trail
create-key
create-alias
list-aliases

Publication date Apr 14, 2016

CloudTrail Logs Encrypted

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related CloudTrail rules