CloudTrail Logs Encrypted

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CT-008

Ensure that your Amazon CloudTrail logs are encrypted at rest using Server-Side Encryption provided by Key Management Service (KMS) to enhance the security of your CloudTrail bucket and allow you to have better control over who can read the CloudTrail log files within your organization.

This rule can help you with the following compliance standards:

  • CISAWSF
  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Enabling Amazon CloudTrail log file encryption using SSE-KMS adds a security layer that you manage yourself through your own customer managed keys (historically called Customer Master Keys, CMKs), instead of relying on the default S3-Managed Encryption Keys (SSE-S3). With SSE-S3, anyone who can read the bucket can read the logs. With SSE-KMS, reading a log object requires both s3:GetObject on the bucket and kms:Decrypt on the key, and the key policy can restrict decryption to specific accounts and to the CloudTrail encryption context, so the key policy becomes a second, independent gate on who can read your audit trail. Every kms:Decrypt call is itself recorded in CloudTrail, which gives you a record of who read the log files.


Audit

To determine if your Amazon CloudTrail trails are configured to encrypt log files using SSE-KMS, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel, under CloudTrail, choose Trails.

04 Click on the name (link) of the Amazon CloudTrail trail that you want to examine.

05 In the General details section, check the Log file SSE-KMS encryption attribute value. If the Log file SSE-KMS encryption value is set to Not enabled, the selected Amazon CloudTrail trail is not configured to encrypt log files using SSE-KMS encryption.

06 Repeat steps no. 4 and 5 for each Amazon CloudTrail trail created for your AWS cloud account.

Using AWS CLI

01 Run list-trails command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon CloudTrail trails created for your AWS cloud account:

aws cloudtrail list-trails
  --region us-east-1
  --query 'Trails[*].Name'

02 The command output should return an array with the requested CloudTrail trail names:

[
    "cc-project5-api-trail",
    "cc-data-events-trail"
]

03 Run describe-trails command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to examine as the identifier parameter and custom query filters to describe the Amazon Resource Name (ARN) of the KMS key configured to encrypt the log files delivered by the selected trail:

aws cloudtrail describe-trails
  --region us-east-1
  --trail-name-list cc-project5-api-trail
  --query 'trailList[*].KmsKeyId'

04 The command output should return the requested KMS key ARN:

[]

If the describe-trails command output returns an empty array (i.e. []), as shown in the example above, the trail has no KmsKeyId attribute and the selected Amazon CloudTrail trail is not configured to encrypt log files using SSE-KMS encryption. Note that describe-trails also returns multi-region trails whose home region is elsewhere (shadow trails), so the same trail can show up when you audit more than one region.

05 Repeat steps no. 3 and 4 for each Amazon CloudTrail trail available within your AWS cloud account.
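The CLI steps above check one trail in one region at a time. The following script is an added example (not code from the Conformity page) that applies the same KmsKeyId test to whole describe-trails responses and deduplicates multi-region trails by ARN. The two responses are constructed fixtures shaped like describe-trails output, reusing the page's sample trail and bucket names; live_audit() needs boto3 and credentials and is not run on import.

```python
"""Report CloudTrail trails whose log files are not encrypted with SSE-KMS.

Added example, not code from the Conformity page. The two responses below are
constructed to mirror `aws cloudtrail describe-trails` output from two regions
(fields abridged); live_audit() needs boto3 and credentials and is not run on
import. Trail and bucket names are the page's sample names, reused as fixtures.
"""
import json

# Constructed fixture: us-east-1 response. The first trail has no KmsKeyId.
RESPONSE_US_EAST_1 = {"trailList": [
    {"Name": "cc-project5-api-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-project5-api-trail",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "S3BucketName": "cc-main-cloudtrail-logs"},
    {"Name": "cc-data-events-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-data-events-trail",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": False,
     "S3BucketName": "cc-main-cloudtrail-logs",
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"},
]}

# Constructed fixture: eu-west-1 response. The multi-region trail is reported
# again here as a shadow trail; the region-local trail is already encrypted.
RESPONSE_EU_WEST_1 = {"trailList": [
    {"Name": "cc-project5-api-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-project5-api-trail",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "S3BucketName": "cc-main-cloudtrail-logs"},
    {"Name": "cc-eu-ops-trail",
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/cc-eu-ops-trail",
     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
     "S3BucketName": "cc-eu-cloudtrail-logs",
     "KmsKeyId": "arn:aws:kms:eu-west-1:123456789012:key/1111aaaa-1111-aaaa-1111-aaaa1111aaaa"},
]}


def unencrypted_trails(responses):
    """Return the ARNs of trails with no KmsKeyId, one entry per trail even
    when a multi-region trail is reported from several regions."""
    seen, findings = set(), []
    for resp in responses:
        for trail in resp.get("trailList", []):
            arn = trail["TrailARN"]
            if arn in seen:          # shadow trail already examined
                continue
            seen.add(arn)
            if not trail.get("KmsKeyId"):
                findings.append(arn)
    return sorted(findings)


def live_audit():
    """Same check against the account: one describe-trails call per region."""
    import boto3  # only needed for the live path
    session = boto3.session.Session()
    responses = []
    for region in session.get_available_regions("cloudtrail"):
        client = session.client("cloudtrail", region_name=region)
        # includeShadowTrails=True also surfaces multi-region trails homed elsewhere
        responses.append(client.describe_trails(includeShadowTrails=True))
    return unencrypted_trails(responses)


if __name__ == "__main__":
    print(json.dumps(unencrypted_trails([RESPONSE_US_EAST_1, RESPONSE_EU_WEST_1]), indent=2))
```

Run as a script it prints the one non-compliant ARN from the fixtures; swap the print for live_audit() to run the check against your own account. Regions that are not enabled for the account will raise from describe_trails, so filter the region list or catch botocore's ClientError if you run it broadly.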

Remediation / Resolution

To enable SSE-KMS encryption for your existing Amazon CloudTrail trails, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Enable SSE-KMS Encryption with Customer Master Key (CMK)",
    "Parameters": {
        "TrailName": {
            "Type": "String"
        },
        "BucketName": {
            "Type": "String"
        },
        "S3BucketKeyPrefix": {
            "Type": "String"
        }
    },
    "Resources": {
        "Trail": {
            "Type": "AWS::CloudTrail::Trail",
            "Properties": {
                "TrailName": {
                    "Ref": "TrailName"
                },
                "S3BucketName": {
                    "Ref": "BucketName"
                },
                "S3KeyPrefix": {
                    "Ref": "S3BucketKeyPrefix"
                },
                "IsLogging": true,
                "KMSKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable SSE-KMS Encryption with Customer Master Key (CMK)
Parameters:
  TrailName:
    Type: String
  BucketName:
    Type: String
  S3BucketKeyPrefix:
    Type: String
Resources:
  Trail:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: !Ref 'TrailName'
      S3BucketName: !Ref 'BucketName'
      S3KeyPrefix: !Ref 'S3BucketKeyPrefix'
      IsLogging: true
      KMSKeyId: arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

data "aws_caller_identity" "current-account" {}

resource "aws_s3_bucket" "trail-s3-bucket" {

  bucket        = "cc-main-cloudtrail-bucket"
  force_destroy = true
  # Inline bucket policy (AWS provider 3.x style; provider 4.x moves this to aws_s3_bucket_policy)
  policy = <<POLICY
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "AWSCloudTrailAclCheck",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:GetBucketAcl",
              "Resource": "arn:aws:s3:::cc-main-cloudtrail-bucket"
          },
          {
              "Sid": "AWSCloudTrailWrite",
              "Effect": "Allow",
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Action": "s3:PutObject",
              "Resource": "arn:aws:s3:::cc-main-cloudtrail-bucket/cc-trail-logs/AWSLogs/${data.aws_caller_identity.current-account.account_id}/*",
              "Condition": {
                  "StringEquals": {
                      "s3:x-amz-acl": "bucket-owner-full-control"
                  }
              }
          }
      ]
  }
  POLICY

}

resource "aws_cloudtrail" "cloudtrail-trail" {

  name                          = "cc-main-cloud-trail"
  s3_bucket_name                = aws_s3_bucket.trail-s3-bucket.id
  s3_key_prefix                 = "cc-trail-logs"
  enable_logging                = true

  # Enable SSE-KMS Encryption with Customer Master Key (CMK).
  # The key policy must allow cloudtrail.amazonaws.com to call kms:GenerateDataKey*
  # and kms:DescribeKey, otherwise the apply fails with InsufficientEncryptionPolicyException;
  # readers of the log files additionally need kms:Decrypt on this key.
  kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel, under CloudTrail, choose Trails.

04 Click on the name (link) of the Amazon CloudTrail trail that you want to reconfigure.

05 In the General details section choose Edit to change the configuration settings available for the selected trail.

06 On the Edit trail configuration page, in the General details section, perform the following operations:

  1. Select Enabled under Log file SSE-KMS encryption to enable SSE-KMS encryption for the selected trail.
  2. For Customer managed AWS KMS key, choose New to create a new Amazon KMS Customer Master Key for log files encryption, and provide a unique name (alias) for the new key in the AWS KMS alias box. To use an existing Customer Master Key (CMK), choose Existing, and select the name/alias of the desired CMK from the AWS KMS alias box. The existing CMK must be in the same AWS region as the S3 bucket that receives your CloudTrail log files.
  3. Choose Save changes to apply the changes.

07 Repeat steps no. 4 – 6 for each Amazon CloudTrail trail that you want to reconfigure, available within your AWS cloud account.

Using AWS CLI

01 Define the key policy that allows Amazon CloudTrail to encrypt log files with the key and principals in your account to decrypt them. Create a new policy document (JSON format), name the file sse-kms-cmk-policy.json, and paste the following content, replacing every <aws-account-id> with your own 12-digit AWS account ID. The last statement, "Enable cross account log decryption", is only needed when another AWS account must read the log files: set its kms:CallerAccount to the ID of that other account and keep the encryption-context ARN pointing at the account that owns the trail. If no other account reads the logs, delete that statement; with your own account ID in both places it merely duplicates the statement before it.

{
    "Version": "2012-10-17",
    "Id": "sse-kms-key-policy",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<aws-account-id>:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow CloudTrail to encrypt logs",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:<aws-account-id>:trail/*"
                }
            }
        },
        {
            "Sid": "Allow CloudTrail to describe key",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "kms:DescribeKey",
            "Resource": "*"
        },
        {
            "Sid": "Allow principals in the account to decrypt log files",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Decrypt",
                "kms:ReEncryptFrom"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "<aws-account-id>"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:<aws-account-id>:trail/*"
                }
            }
        },
        {
            "Sid": "Enable cross account log decryption",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Decrypt",
                "kms:ReEncryptFrom"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "<external-aws-account-id>"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:<aws-account-id>:trail/*"
                }
            }
        }
    ]
}

02 Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. sse-kms-cmk-policy.json) as value for the --policy parameter, to create your new Amazon KMS Customer Master Key (CMK). The new CMK must be in the same AWS region as the S3 bucket that receives your CloudTrail log files:

aws kms create-key
  --region us-east-1
  --description 'Customer Master Key for CloudTrail Log File Encryption'
  --policy file://sse-kms-cmk-policy.json
  --query 'KeyMetadata.Arn'

03 The command output should return the ARN of the new Customer Master Key (CMK):

"arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):

aws kms create-alias
  --region us-east-1
  --alias-name alias/TrailLogCMK
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234

05 Run update-trail command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to reconfigure as the identifier parameter, to enable SSE-KMS encryption for the selected trail using your new Amazon KMS Customer Master Key (CMK):

aws cloudtrail update-trail
  --region us-east-1
  --name cc-project5-api-trail
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234

06 The command output should return the metadata available for the reconfigured trail:

{
    "IncludeGlobalServiceEvents": true,
    "IsOrganizationTrail": false,
    "Name": "cc-project5-api-trail",
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-project5-api-trail",
    "LogFileValidationEnabled": false,
    "IsMultiRegionTrail": true,
    "S3BucketName": "cc-main-cloudtrail-logs",
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
}

07 Repeat step no. 5 for each Amazon CloudTrail trail that you want to reconfigure. A single key can encrypt the log files of every trail in the account (the encryption-context condition in the key policy already covers any trail ARN in the account), so steps 1 – 4 only need to be performed once per region; the key must be in the same AWS region as the S3 bucket that receives the trail's log files.
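The CLI steps above hand-edit a policy file, create the key, alias it and update the trail. The script below is an added example (not code from the Conformity page or from AWS) that does the same end to end: build_key_policy() produces the page's key policy from parameters, check_key_policy() lints a policy for the grants CloudTrail needs before you spend a create-key call on it, and remediate() runs the create-key, create-alias and update-trail steps with boto3 and reads the setting back. Two deliberate departures from the page's JSON are assumptions on my part that follow AWS's current guidance: the encrypt grant is pinned to the trail with an aws:SourceArn condition, and the cross-account decrypt statement names the reader account rather than repeating the trail account. The account IDs and trail name are illustrative; remediate() needs credentials and is not run on import.

```python
"""Build, lint and apply a KMS key policy for CloudTrail log encryption.

Added example, not code from the Conformity page. build_key_policy() is the
page's policy parameterised; check_key_policy() is a minimal lint for the
grants CloudTrail needs; remediate() runs the page's create-key, create-alias
and update-trail steps with boto3 and is only used when called explicitly.
The account IDs and trail name used below are assumptions for illustration.
"""
import fnmatch
import json

CLOUDTRAIL = "cloudtrail.amazonaws.com"
CTX_KEY = "kms:EncryptionContext:aws:cloudtrail:arn"


def build_key_policy(trail_account, trail_region, trail_name, reader_accounts=()):
    """Key policy for one trail. Two deliberate changes from the page's JSON:
    the encrypt grant is pinned to this trail with aws:SourceArn (confused
    deputy guard), and cross-account decrypt names the *reader* account(s)
    rather than repeating the trail account."""
    trail_arn = f"arn:aws:cloudtrail:{trail_region}:{trail_account}:trail/{trail_name}"
    any_trail_here = f"arn:aws:cloudtrail:*:{trail_account}:trail/*"

    def decrypt(sid, caller):  # Principal "*" is only as wide as kms:CallerAccount allows
        return {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": "*"},
                "Action": ["kms:Decrypt", "kms:ReEncryptFrom"], "Resource": "*",
                "Condition": {"StringEquals": {"kms:CallerAccount": caller},
                              "StringLike": {CTX_KEY: any_trail_here}}}

    statements = [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{trail_account}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL}, "Action": "kms:GenerateDataKey*",
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceArn": trail_arn},
                       "StringLike": {CTX_KEY: any_trail_here}}},
        {"Sid": "Allow CloudTrail to describe key", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL}, "Action": "kms:DescribeKey",
         "Resource": "*"},
        decrypt("Allow principals in the account to decrypt log files", trail_account),
    ]
    statements += [decrypt(f"Enable cross account log decryption for {a}", a)
                   for a in reader_accounts]
    return {"Version": "2012-10-17", "Id": "sse-kms-key-policy", "Statement": statements}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _grants(stmt, service, action):
    """True if an Allow statement lets the service principal call action
    (IAM-style '*' wildcards in Action are honoured)."""
    p = stmt.get("Principal")
    services = _as_list(p.get("Service", [])) if isinstance(p, dict) else []
    if stmt.get("Effect") != "Allow" or not (p == "*" or service in services):
        return False
    return any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))


def check_key_policy(policy):
    """Return findings that would make update-trail fail or leave the key too open."""
    findings, stmts = [], policy.get("Statement", [])
    encrypt = [s for s in stmts if _grants(s, CLOUDTRAIL, "kms:GenerateDataKey")]
    if not encrypt:
        findings.append("no kms:GenerateDataKey* grant for cloudtrail.amazonaws.com")
    for s in encrypt:
        if CTX_KEY not in s.get("Condition", {}).get("StringLike", {}):
            findings.append(f"{s.get('Sid')}: encrypt grant not scoped by {CTX_KEY}")
    if not any(_grants(s, CLOUDTRAIL, "kms:DescribeKey") for s in stmts):
        findings.append("no kms:DescribeKey grant for cloudtrail.amazonaws.com")
    for s in stmts:  # wildcard principals must be fenced by kms:CallerAccount
        if s.get("Effect") == "Allow" and s.get("Principal") in ("*", {"AWS": "*"}):
            if "kms:CallerAccount" not in s.get("Condition", {}).get("StringEquals", {}):
                findings.append(f"{s.get('Sid')}: wildcard principal without kms:CallerAccount")
    return findings


def remediate(session, region, trail_name, policy, alias="alias/TrailLogCMK"):
    """Create the key, alias it, switch the trail to it and read the setting back."""
    kms = session.client("kms", region_name=region)
    ct = session.client("cloudtrail", region_name=region)
    key_arn = kms.create_key(Description="Customer Master Key for CloudTrail Log File Encryption",
                             Policy=json.dumps(policy))["KeyMetadata"]["Arn"]
    kms.create_alias(AliasName=alias, TargetKeyId=key_arn)
    ct.update_trail(Name=trail_name, KmsKeyId=key_arn)
    return ct.get_trail(Name=trail_name)["Trail"].get("KmsKeyId") == key_arn


if __name__ == "__main__":
    policy = build_key_policy("123456789012", "us-east-1", "cc-project5-api-trail",
                              reader_accounts=["210987654321"])
    problems = check_key_policy(policy)
    print(json.dumps(policy, indent=4) if not problems else "\n".join(problems))
    # Live run (needs boto3 and credentials):
    # import boto3; print(remediate(boto3.session.Session(), "us-east-1",
    #                               "cc-project5-api-trail", policy))
```

Run as a script it prints the generated policy, which can be saved as sse-kms-cmk-policy.json and fed to the create-key command from step 02 exactly as the page shows; the lint is deliberately narrow (it checks the CloudTrail service grants and that wildcard-principal statements carry kms:CallerAccount) and is not a general IAM policy evaluator. Once the trail is switched over, any role that reads the log files needs kms:Decrypt on the new key in its identity policy as well, because the key policy only opens the door for principals in the listed accounts.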

Publication date Apr 14, 2016