CloudTrail logs should be encrypted at rest using KMS CMKs

Description

AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources per IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data. It uses Hardware Security Modules (HSMs) to protect the security of encryption keys. Configure your CloudTrail logs to leverage server-side encryption (SSE), and KMS customer-created master keys (CMK) to further protect CloudTrail logs. You should set up CloudTrail to use SSE-KMS.

Rationale

Configuring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data. A given user must have S3 read permission on the corresponding log bucket and have decrypt permission by the CMK policy.

Impact

Customer created keys incur an additional cost. See https://aws.amazon.com/kms/pricing/ for more information.

Remediation

From the console

  1. Sign into the AWS Management Console and open the CloudTrail console.
  2. In the left navigation pane, choose Trails and select the trail you’d like to update.
  3. Under the S3 section, click on the edit button (pencil icon).
  4. Click Advanced.
  5. Select an existing CMK from the KMS key ID drop-down menu.
    • Ensure the CMK is located in the same region as the S3 bucket.
    • You need to apply a KMS key policy on the selected CMK in order for CloudTrail as a service to encrypt and decrypt log files using the CMK provided. See create KMS key policy for steps to edit the selected CMK Key policy.
  6. Click Save.
  7. A notification message appears stating that you need to have decrypt permissions on the specified KMS key to decrypt log files.
  8. Click Yes.

From the command line

aws cloudtrail update-trail --name <trail_name> --kms-id <cloudtrail_kms_key>
aws kms put-key-policy --key-id <cloudtrail_kms_key> --policy <cloudtrail_kms_key_policy>

Additional information

CMK policy configuration

Add the following three statements to the CMK policy:

  1. Enable Cloudtrail to describe CMK properties:

    { 
      "Sid": "Allow CloudTrail access",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com" 
       },
       "Action": "kms:DescribeKey",
       "Resource": "*"
    }
    
  2. Granting encrypt permissions:

    { 
      "Sid": "Allow CloudTrail to encrypt logs",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com" 
       },
       "Action": "kms:GenerateDataKey*",
       "Resource": "*",
       "Condition": {
         "StringLike": { 
           "kms:EncryptionContext:aws:cloudtrail:arn": [
             "arn:aws:cloudtrail:*:aws-account-id:trail/*"
           ]
         }
       }
    }
    
  3. Granting decrypt permissions:

    { 
      "Sid": "Enable CloudTrail log decrypt permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws-account-id:user/username"
       },
       "Action": "kms:Decrypt",
       "Resource": "*",
       "Condition": {
         "Null": { 
           "kms:EncryptionContext:aws:cloudtrail:arn": "false"
         }
       }
    }
    

References

  1. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
  2. https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html