AWS CloudTrail logs are not encrypted using CMKs
Description
AWS CloudTrail is a web service that records AWS API calls for an account, and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data. It uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server-side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs.
We recommend that CloudTrail logs are configured to use SSE-KMS, providing additional confidentiality controls on log data. A given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.
Fix - Runtime
AWS Console
To configure CloudTrail to use SSE-KMS using the Management Console, follow these steps:
- Log in to the AWS Management Console at [https://console.aws.amazon.com/].
- Open the Amazon CloudTrail console.
- In the left navigation pane, click Trails.
- Select a Trail.
- Navigate to the S3 section, click the edit button (pencil icon).
- Click Advanced.
- From the KMS key Id drop-down menu, select an existing CMK.
📘 Note
Ensure the CMK is located in the same region as the S3 bucket.
- For CloudTrail as a service to encrypt and decrypt log files using the CMK provided, apply a KMS Key policy on the selected CMK.
- Click Save.
- You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files. Click Yes.
CLI Command
To update the CloudTrail, use the following command:
aws cloudtrail update-trail
--name <trail_name>
--kms-id <cloudtrail_kms_key> aws kms put-key-policy
--key-id <cloudtrail_kms_key>
--policy <cloudtrail_kms_key_policy>
Fix - Buildtime
CloudFormation
- **Resource: ** AWS::CloudTrail::Trail
- Argument: Properties.KMSKeyId
Resources:
myTrail:
Type: AWS::CloudTrail::Trail
Properties:
...
+ KMSKeyId: alias/MyAliasName