CloudTrail logs are not encrypted


cloudtrail

Classification:

compliance

Set up the cloudtrail integration.


Overview

Description

Ensure that AWS CloudTrail logs are encrypted.

Rationale

Encrypting AWS CloudTrail log files with an AWS KMS key protects the logs at rest and ensures that only the IAM principals granted access to that key can read them.

Remediation

  1. Create a new key policy file that grants CloudTrail permission to encrypt log files with the key (and the principals you choose permission to decrypt them).

  2. Run create-key with the path to the policy file. Note the KeyId in the output; it is used in the next two steps.

    create-key.sh

        aws kms create-key \
            --policy file://new-policy-file.json

  3. Run create-alias with a new alias name and, as the target-key-id, the KMS key ID returned in step 2.

    create-alias.sh

        aws kms create-alias \
            --alias-name alias/CloudTrailKSM \
            --target-key-id 12345678-abcd-1a2b-1234-012345678901

  4. Run update-trail with the name of the trail you wish to update and the KMS key ID returned in step 2.

    update-trail.sh

        aws cloudtrail update-trail \
            --name MyGlobalTrail \
            --kms-key-id 12345678-abcd-1a2b-1234-012345678901
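The following is an added example, not Datadog's or AWS's own code. It covers the two ends of the procedure above that the CLI commands do not show: generating the key policy file that step 1 asks for, and checking `aws cloudtrail describe-trails` output for trails that still have no `KmsKeyId` (the condition this rule flags). The account ID, region and sample trail list are constructed placeholders; the two CloudTrail statements follow the shape AWS documents for CloudTrail key policies, with the encryption-context and `aws:SourceArn` conditions scoping the key to trails in this account rather than to any trail anywhere.

```python
"""Added example (not Datadog's or AWS's own code): build the KMS key policy
for step 1 of the remediation, and find trails that are still unencrypted
in describe-trails output. Account id, region and trail data are constructed."""
import json

ACCOUNT_ID = "123456789012"   # constructed placeholder
REGION = "us-east-1"          # constructed placeholder


def cloudtrail_key_policy(account_id: str, region: str, trail_name: str) -> dict:
    """Return a KMS key policy that lets CloudTrail encrypt log files with the key.

    The account root keeps administrative rights so the key cannot become
    unmanageable; CloudTrail gets only GenerateDataKey* (scoped to this trail)
    and DescribeKey. Principals that should read the logs are granted
    kms:Decrypt separately via IAM, which is what keeps the logs restricted.
    """
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM policies for key administration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow CloudTrail to encrypt logs",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "kms:GenerateDataKey*",
                "Resource": "*",
                "Condition": {
                    # Only this trail may use the key, and only with a
                    # CloudTrail encryption context from this account.
                    "StringEquals": {"aws:SourceArn": trail_arn},
                    "StringLike": {
                        "kms:EncryptionContext:aws:cloudtrail:arn":
                            f"arn:aws:cloudtrail:*:{account_id}:trail/*"
                    },
                },
            },
            {
                "Sid": "Allow CloudTrail to describe key",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "kms:DescribeKey",
                "Resource": "*",
            },
        ],
    }


def write_policy_file(path: str, account_id: str, region: str, trail_name: str) -> None:
    """Write the policy as the JSON file passed to `aws kms create-key --policy`."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(cloudtrail_key_policy(account_id, region, trail_name), fh, indent=2)


def unencrypted_trails(describe_trails_output: dict) -> list[str]:
    """Return names of trails with no KmsKeyId, i.e. the trails this rule flags.

    Input has the shape of `aws cloudtrail describe-trails` JSON output;
    KmsKeyId is present only on trails that have encryption configured.
    """
    return [
        trail["Name"]
        for trail in describe_trails_output.get("trailList", [])
        if not trail.get("KmsKeyId")
    ]


# Constructed sample of describe-trails output: one trail encrypted, one not.
SAMPLE_DESCRIBE_TRAILS = {
    "trailList": [
        {"Name": "MyGlobalTrail", "S3BucketName": "example-trail-logs",
         "IsMultiRegionTrail": True},
        {"Name": "EncryptedTrail", "S3BucketName": "example-trail-logs",
         "KmsKeyId": f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/"
                     "12345678-abcd-1a2b-1234-012345678901"},
    ]
}

if __name__ == "__main__":
    print(json.dumps(cloudtrail_key_policy(ACCOUNT_ID, REGION, "MyGlobalTrail"), indent=2))
    print("Trails still unencrypted:", unencrypted_trails(SAMPLE_DESCRIBE_TRAILS))
```

In practice you would feed `unencrypted_trails` the parsed output of `aws cloudtrail describe-trails` from each account and region, and pass the file written by `write_policy_file` to `aws kms create-key --policy file://...` in step 2. Because the `aws:SourceArn` condition names a single trail, a key shared across several trails needs that condition widened (or one statement per trail); leaving it out entirely would let any trail in any account that can reach the key encrypt with it.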