CloudTrail Logs Encrypted

Risk Level: Medium (should be achieved)

Rule ID: CT-008

Ensure that your Amazon CloudTrail logs are encrypted at rest using Server-Side Encryption provided by Key Management Service (KMS) to enhance the security of your CloudTrail bucket and allow you to have better control over who can read the CloudTrail log files within your organization.

This rule can help you with the following compliance standards:

CISAWSF
PCI
HIPAA
GDPR
APRA
MAS
NIST4

For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.

This rule can help you work with the AWS Well-Architected Framework.

Security

Enabling Amazon CloudTrail log file encryption using SSE-KMS will facilitate a strong security layer that is directly manageable by you using your own Customer Master Keys (CMKs) rather than allowing Amazon S3 to manage it by default using S3-Managed Encryption Keys (SSE-S3).

Audit

To determine if your Amazon CloudTrail trails are configured to encrypt log files using SSE-KMS, perform the following actions:

Using AWS Console

Sign in to the AWS Management Console.
Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
In the navigation panel, under CloudTrail, choose Trails.
Click on the name (link) of the Amazon CloudTrail trail that you want to examine.
In the General details section, check the Log file SSE-KMS encryption attribute value. If the Log file SSE-KMS encryption value is set to Not enabled, the selected Amazon CloudTrail trail is not configured to encrypt log files using SSE-KMS encryption.
Repeat steps no. 4 and 5 for each Amazon CloudTrail trail created for your AWS cloud account.

Using AWS CLI

Run list-trails command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon CloudTrail trails created for your AWS cloud account:
```
aws cloudtrail list-trails
  --region us-east-1
  --query 'Trails[*].Name'
```
The command output should return an array with the requested CloudTrail trail names:
```
[
    "cc-project5-api-trail",
    "cc-data-events-trail"
]
```
Run describe-trails command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to examine as the identifier parameter and custom query filters to describe the Amazon Resource Name (ARN) of the KMS key configured to encrypt the log files delivered by the selected trail:
```
aws cloudtrail describe-trails
  --region us-east-1
  --trail-name-list cc-project5-api-trail
  --query 'trailList[*].KmsKeyId'
```
The command output should return the requested KMS key ARN:
```
[]
```
If the describe-trails command output returns and empty array (i.e. []), as shown in the example above, the selected Amazon CloudTrail trail is not configured to encrypt log files using SSE-KMS encryption.
Repeat steps no. 3 and 4 for each Amazon CloudTrail trail available within your AWS cloud account.

Remediation / Resolution

To enable SSE-KMS encryption for your existing Amazon CloudTrail trails, perform the following actions:

Using AWS CloudFormation

CloudFormation template (JSON):

{
				"AWSTemplateFormatVersion": "2010-09-09",
				"Description": "Enable SSE-KMS Encryption with Customer Master Key (CMK)",
				"Parameters": {
					"TrailName": {
						"Type": "String"
					},
					"BucketName": {
						"Type": "String"
					},
					"S3BucketKeyPrefix": {
						"Type": "String"
					}
				},
				"Resources": {
					"Trail": {
						"Type": "AWS::CloudTrail::Trail",
						"Properties": {
							"TrailName": {
								"Ref": "TrailName"
							},
							"S3BucketName": {
								"Ref": "BucketName"
							},
							"S3KeyPrefix": {
								"Ref": "S3BucketKeyPrefix"
							},
							"IsLogging": true,
							"KMSKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
						}
					}
				}
}

CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable SSE-KMS Encryption with Customer Master Key (CMK)
Parameters:
				TrailName:
				Type: String
				BucketName:
				Type: String
				S3BucketKeyPrefix:
				Type: String
Resources:
				Trail:
				Type: AWS::CloudTrail::Trail
				Properties:
				TrailName: !Ref 'TrailName'
				S3BucketName: !Ref 'BucketName'
				S3KeyPrefix: !Ref 'S3BucketKeyPrefix'
				IsLogging: true
				KMSKeyId: arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234

Using Terraform (AWS Provider)

Terraform configuration file (.tf):

terraform {
				required_providers {
				aws = {
				source  = "hashicorp/aws"
				version = "~> 3.27"
				}
				}

				required_version = ">= 0.14.9"
}

provider "aws" {
				profile = "default"
				region  = "us-east-1"
}

data "aws_caller_identity" "current-account" {}

resource "aws_s3_bucket" "trail-s3-bucket" {

				bucket        = "cc-main-cloudtrail-bucket"
				force_destroy = true
				policy = <<POLICY
				{
				"Version": "2012-10-17",
				"Statement": [
					{
						"Sid": "AWSCloudTrailAclCheck",
						"Effect": "Allow",
						"Principal": {
							"Service": "cloudtrail.amazonaws.com"
						},
						"Action": "s3:GetBucketAcl",
						"Resource": "arn:aws:s3:::cc-main-cloudtrail-bucket"
					},
					{
						"Sid": "AWSCloudTrailWrite",
						"Effect": "Allow",
						"Principal": {
							"Service": "cloudtrail.amazonaws.com"
						},
						"Action": "s3:PutObject",
						"Resource": "arn:aws:s3:::cc-main-cloudtrail-bucket/cc-trail-logs/AWSLogs/${data.aws_caller_identity.current-account.account_id}/*",
						"Condition": {
							"StringEquals": {
								"s3:x-amz-acl": "bucket-owner-full-control"
							}
						}
					}
				]
				}
				POLICY

}

resource "aws_cloudtrail" "cloudtrail-trail" {

				name                          = "cc-main-cloud-trail"
				s3_bucket_name                = aws_s3_bucket.trail-s3-bucket.id
				s3_key_prefix                 = "cc-trail-logs"
				enable_logging                = true

				# Enable SSE-KMS Encryption with Customer Master Key (CMK)
				kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"

}

Using AWS Console

Sign in to the AWS Management Console.
Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
In the navigation panel, under CloudTrail, choose Trails.
Click on the name (link) of the Amazon CloudTrail trail that you want to reconfigure.
In the General details section choose Edit to change the configuration settings available for the selected trail.
On the Edit trail configuration page, in the General details section, perform the following operations:
1. Select Enabled under Log file SSE-KMS encryption to enable SSE-KMS encryption for the selected trail.
2. For Customer managed AWS KMS key, choose New to create a new Amazon KMS Customer Master Key for log files encryption, and provide a unique name (alias) for the new key in the AWS KMS alias box. To use an existing Customer Master Key (CMK), choose Existing, and select the name/alias of the desired CMK from the AWS KMS alias box. The existing CMK must be in the same AWS region as the S3 bucket that receives your CloudTrail log files.
3. Choose Save changes to apply the changes.
Repeat steps no. 4 – 6 for each Amazon CloudTrail trail that you want to reconfigure, available within your AWS cloud account.

Using AWS CLI

Define the key policy that enables Amazon CloudTrail to encrypt log files using the KMS API. Create a new policy document (JSON format), name the file sse-kms-cmk-policy.json, and paste the following content (replace the highlighted details with your own AWS account details):

{
				"Version": "2012-10-17",
				"Id": "sse-kms-key-policy",
				"Statement": [
					{
						"Sid": "Enable IAM User Permissions",
						"Effect": "Allow",
						"Principal": {
							"AWS": "arn:aws:iam::<aws-account-id>:root"
						},
						"Action": "kms:*",
						"Resource": "*"
					},
					{
						"Sid": "Allow CloudTrail to encrypt logs",
						"Effect": "Allow",
						"Principal": {
							"Service": "cloudtrail.amazonaws.com"
						},
						"Action": "kms:GenerateDataKey*",
						"Resource": "*",
						"Condition": {
							"StringLike": {
								"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:<aws-account-id>:trail/*"
							}
						}
					},
					{
						"Sid": "Allow CloudTrail to describe key",
						"Effect": "Allow",
						"Principal": {
							"Service": "cloudtrail.amazonaws.com"
						},
						"Action": "kms:DescribeKey",
						"Resource": "*"
					},
					{
						"Sid": "Allow principals in the account to decrypt log files",
						"Effect": "Allow",
						"Principal": {
							"AWS": "*"
						},
						"Action": [
							"kms:Decrypt",
							"kms:ReEncryptFrom"
						],
						"Resource": "*",
						"Condition": {
							"StringEquals": {
								"kms:CallerAccount": "<aws-account-id>"
							},
							"StringLike": {
								"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:<aws-account-id>:trail/*"
							}
						}
					},
					{
						"Sid": "Enable cross account log decryption",
						"Effect": "Allow",
						"Principal": {
							"AWS": "*"
						},
						"Action": [
							"kms:Decrypt",
							"kms:ReEncryptFrom"
						],
						"Resource": "*",
						"Condition": {
							"StringEquals": {
								"kms:CallerAccount": "<aws-account-id>"
							},
							"StringLike": {
								"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:<aws-account-id>:trail/*"
							}
						}
					}
				]
}

Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. sse-kms-cmk-policy.json) as value for the --policy parameter, to create your new Amazon KMS Customer Master Key (CMK). The new CMK must be in the same AWS region as the S3 bucket that receives your CloudTrail log files:
```
aws kms create-key
				--region us-east-1
				--description 'Customer Master Key for CloudTrail Log File Encryption'
				--policy file://sse-kms-cmk-policy.json
				--query 'KeyMetadata.Arn'
```

The command output should return the ARN of the new Customer Master Key (CMK):

"arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"

Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):
```
aws kms create-alias
				--region us-east-1
				--alias-name alias/TrailLogCMK
				--target-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
```
Run update-trail command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to reconfigure as the identifier parameter, to enable SSE-KMS encryption for the selected trail using your new Amazon KMS Customer Master Key (CMK):
```
aws cloudtrail update-trail
				--region us-east-1
				--name cc-project5-api-trail
				--kms-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
```

The command output should return the metadata available for the reconfigured trail:

{
				"IncludeGlobalServiceEvents": true,
				"IsOrganizationTrail": false,
				"Name": "cc-project5-api-trail",
				"TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-project5-api-trail",
				"LogFileValidationEnabled": false,
				"IsMultiRegionTrail": true,
				"S3BucketName": "cc-main-cloudtrail-logs",
				"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
}

Repeat steps no. 1 – 6 for each Amazon CloudTrail trail that you want to reconfigure, available in your AWS cloud account.

References

AWS Command Line Interface (CLI) Documentation
cloudtrail
list-trails
describe-trails
update-trail
kms
create-key
create-alias

CloudFormation Documentation
AWS CloudTrail resource type reference

Terraform Documentation
AWS Provider

Publication date Apr 14, 2016

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS CloudFormation

Using Terraform (AWS Provider)

Using AWS Console

Using AWS CLI

References

Related CloudTrail rules