Drata validates that AWS CloudTrail logs are encrypted at rest using AWS KMS customer created master keys (CMKs). AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.
Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data, as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.
ASSOCIATED DRATA CONTROL
This test is part of the Encryption at Rest control (DCF-54) that ensures data at rest is encrypted using strong cryptographic algorithms.
WHAT TO DO IF A TEST FAILS
If Drata finds that CloudTrail is not configured to be encrypted at rest using KMS CMKs, the test will fail. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS. Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data as a given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy.
STEPS TO REMEDIATE
Note: Repeat for all Trails failing this test.
Sign in to the AWS Management Console and open the CloudTrail console.
In the left navigation pane, choose 'Trails' and select a Trail that's failing this test.
Under the 'S3' section, click the pencil icon to edit, then click 'Advanced'.
Select an existing CMK from the 'KMS key Id' drop-down menu and click 'Save'.
Note: Ensure the CMK is located in the same region as the S3 bucket. You will need to apply a KMS Key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided.
You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files.
Click 'Yes'.
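As an added example that is not Drata's code or part of this article, the following script reproduces the check offline: it flags trails with no KMS key configured, and it confirms that a key policy contains the statement CloudTrail needs to write encrypted log files. The records follow the shape of the AWS CloudTrail DescribeTrails and KMS GetKeyPolicy responses, but the trail names, account id, key id and bucket names are constructed sample values.

```python
import fnmatch
import json

# Constructed sample in the shape of CloudTrail DescribeTrails output:
# one trail encrypts its log files with a CMK, one does not (the failing case).
SAMPLE_TRAILS = [
    {"Name": "org-trail", "S3BucketName": "example-logs",
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"Name": "legacy-trail", "S3BucketName": "example-logs-legacy"},
]

# Constructed key policy with the statement CloudTrail needs to encrypt log files;
# the condition ties the grant to trails in this (sample) account only.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                      "arn:aws:cloudtrail:*:111122223333:trail/*"}}},
    ],
})

def _as_list(value):
    """IAM documents allow a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def find_unencrypted_trails(trails):
    """Names of trails with no KmsKeyId, i.e. log files written without SSE-KMS."""
    return [t["Name"] for t in trails if not t.get("KmsKeyId")]

def key_policy_allows_cloudtrail(policy_json):
    """True if an Allow statement lets the CloudTrail service principal call
    kms:GenerateDataKey, which it needs to produce encrypted log files.
    Action wildcards such as kms:GenerateDataKey* or kms:* are honoured."""
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "cloudtrail.amazonaws.com" not in services:
            continue
        if any(fnmatch.fnmatchcase("kms:GenerateDataKey", a) for a in _as_list(stmt.get("Action"))):
            return True
    return False

if __name__ == "__main__":
    for name in find_unencrypted_trails(SAMPLE_TRAILS):
        print(f"FAIL: trail {name} has no KMS key configured")
    print("key policy grants CloudTrail encrypt permission:",
          key_policy_allows_cloudtrail(SAMPLE_KEY_POLICY))
```

To run this against a live account, feed it the `trailList` from `aws cloudtrail describe-trails` and the `Policy` string from `aws kms get-key-policy --policy-name default` for each key found.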
Center for Internet Security (CIS)
This test aligns with the Center for Internet Security (CIS) Foundations Benchmark, which provides prescriptive guidance for establishing a secure baseline configuration for Amazon Web Services. To learn more, refer to the Center for Internet Security (CIS) section.