Ensure CloudTrail logs are encrypted at rest using KMS CMKs

Perform the following to configure CloudTrail to use SSE-KMS:

Via the Management Console

1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail
2. In the left navigation pane, choose Trails .
3. Click on a Trail
4. Under the S3 section click on the edit button (pencil icon)
5. Click Advanced
6. Select an existing CMK from the KMS key Id drop-down menu

• Note: Ensure the CMK is located in the same region as the S3 bucket
• Note: You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. Steps are provided here for editing the selected CMK Key policy

1. Click Save
2. You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files.
3. Click Yes

Via CLI

aws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key>
aws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy>

Impact

Customer created keys incur an additional cost. See https://aws.amazon.com/kms/pricing/ for more information.

References

1. CIS CSC v6.0 #13.1: Perform an assessment of data to identify sensitive information.
2. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
3. https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
4. CIS CSC v6.0 #6: Maintenance, Monitoring, and Analysis of Audit Logs
5. CCE-78919-8

Notes

3 statements which need to be added to the CMK policy:

1. Enable Cloudtrail to describe CMK properties

json```json { "Sid": "Allow CloudTrail access", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "kms:DescribeKey", "Resource": "*" }

2. Granting encrypt permissions

```json
{ "Sid": "Allow CloudTrail to encrypt logs",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com" },
  "Action": "kms:GenerateDataKey*",
  "Resource": "*",
  "Condition": {
"StringLike": { "kms:EncryptionContext:aws:cloudtrail:arn": [
"arn:aws:cloudtrail:*:aws-account-id:trail/*" ]
} }
}

1. Granting decrypt permissions

{ "Sid": "Enable CloudTrail log decrypt permissions", "Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::aws-account-id:user/username" },
"Action": "kms:Decrypt",
  "Resource": "*",
  "Condition": {
"Null": {
"kms:EncryptionContext:aws:cloudtrail:arn": "false"
} }
}

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

AWS

Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.

Operational rollout

1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
3. Re-scan and track approved exceptions with an owner and expiry date.