
CloudTrail log data encryption using Key Management Service (KMS)

Did you know that securing and managing your CloudTrail logs with your own CMKs can be easier than ever? By default, AWS delivers your CloudTrail logs to your S3 bucket encrypted with Amazon server-side encryption using Amazon S3-managed encryption keys (SSE-S3). To add an extra layer of security that you control directly, you can instead use server-side encryption with keys managed by AWS KMS (Key Management Service), known as SSE-KMS, for your CloudTrail log files. This additional setting not only adds a layer of security but also brings the benefits of Key Management Service, such as:

  1. You can create and manage your CMK encryption keys.
  2. You can use a single CMK to encrypt and decrypt your log files, even across multiple accounts and all regions.
  3. You can assign permissions to your organization’s users to encrypt and decrypt with your key.

How can you leverage the Key Management Service (KMS) for CloudTrail Log Encryption?

Implementing this feature does not take much. All you need to do is create and manage your KMS key, which is your Customer Master Key (CMK), and then attach a key policy to it that grants the chosen users the rights to encrypt and decrypt your CloudTrail log files. This also makes S3 decryption seamless: when a user authorized by the key policy reads a CloudTrail log file, S3 decrypts it transparently, so the user only ever reads the decrypted form.

Why do you need supervision of Centilytics?

Centilytics checks and warns you about log files that are not encrypted. For better understanding, our CloudTrail log encryption insight lists the trail name of each CloudTrail trail along with its respective Account ID and KMS ID, which makes it easy to see whether your logs are encrypted or not.
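The two pieces above, the key policy that lets CloudTrail encrypt with your CMK and lets chosen principals decrypt, and the check that flags trails with no KMS key, can be expressed in a few lines. The following is an added example, not Centilytics code: it builds a key policy in the shape the CloudTrail documentation describes (CloudTrail gets kms:GenerateDataKey* and kms:DescribeKey, scoped by the aws:cloudtrail:arn encryption context; same-account principals get kms:Decrypt), and it classifies the output of aws cloudtrail describe-trails into the Ok and Critical rows of the insight. The account ID, key administrator ARN and the trail list are constructed placeholders.

```python
import json

# Constructed placeholders: replace with your own account ID and key administrator ARN.
ACCOUNT_ID = "111111111111"
KEY_ADMIN_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/KeyAdministrator"


def cloudtrail_key_policy(account_id: str, key_admin_arn: str) -> dict:
    """Return a KMS key policy that allows CloudTrail to encrypt log files with
    this CMK and allows principals in the same account to decrypt them."""
    trail_arn_pattern = f"arn:aws:cloudtrail:*:{account_id}:trail/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Key administration stays with a dedicated role, not every user.
                "Sid": "Allow key administration",
                "Effect": "Allow",
                "Principal": {"AWS": key_admin_arn},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # CloudTrail needs a data key to encrypt each delivered log file.
                # The encryption-context condition ties the grant to your trails only.
                "Sid": "Allow CloudTrail to encrypt logs",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "kms:GenerateDataKey*",
                "Resource": "*",
                "Condition": {"StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": trail_arn_pattern}},
            },
            {
                "Sid": "Allow CloudTrail to describe the key",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "kms:DescribeKey",
                "Resource": "*",
            },
            {   # Readers of the log bucket decrypt transparently through S3.
                # Limited to callers from this account and to CloudTrail ciphertext.
                "Sid": "Allow principals in the account to decrypt log files",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"kms:CallerAccount": account_id},
                    "StringLike": {
                        "kms:EncryptionContext:aws:cloudtrail:arn": trail_arn_pattern},
                },
            },
        ],
    }


def classify_trails(describe_trails_output: dict) -> list:
    """Turn the JSON from `aws cloudtrail describe-trails` into insight rows:
    a trail with a KmsKeyId is Ok, a trail without one is Critical."""
    rows = []
    for trail in describe_trails_output.get("trailList", []):
        kms_key = trail.get("KmsKeyId")
        rows.append({
            "Trail Name": trail["Name"],
            "Region": trail.get("HomeRegion", ""),
            "KMS ID": kms_key or "",
            "Severity": "Ok" if kms_key else "Critical",
        })
    return rows


# Constructed sample in the shape of describe-trails output: one encrypted,
# one SSE-S3-only trail.
SAMPLE_TRAILS = {"trailList": [
    {"Name": "management-events", "HomeRegion": "us-east-1",
     "TrailARN": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT_ID}:trail/management-events",
     "KmsKeyId": f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/00000000-0000-0000-0000-000000000000"},
    {"Name": "legacy-trail", "HomeRegion": "eu-west-1",
     "TrailARN": f"arn:aws:cloudtrail:eu-west-1:{ACCOUNT_ID}:trail/legacy-trail"},
]}

if __name__ == "__main__":
    print(json.dumps(cloudtrail_key_policy(ACCOUNT_ID, KEY_ADMIN_ARN), indent=2))
    for row in classify_trails(SAMPLE_TRAILS):
        print(row)
```

The policy document printed by the block is what you pass to `aws kms create-key --policy` (or paste into the key policy editor), and the trail ARN from `describe-trails` is what you reference with `aws cloudtrail update-trail --kms-key-id` once the key exists; the classifier is the same Ok/Critical split the insight table below uses.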

Insight Description:

Ok: CloudTrail logs have been encrypted at rest.
Critical: CloudTrail logs have not been encrypted.

The further columns are described as follows:

Account Id: Shows the respective account ID of the user’s account.

Account Name: Shows the account name corresponding to the user’s account.

Region: This column shows the region in which the trail is used.

Identifier: Shows you the service along with its trail name.

Trail Name: Shows the name of the trail that you entered while creating your trail.

KMS ID: Shows the ID of the KMS key used to encrypt your CloudTrail logs.

Filters Applicable:

Account Id: Applying the account Id filter will display all the trails for the selected account Id.

Region: Applying the region filter will display all the trails corresponding to the selected region.

Severity: Applying the severity filter will display trails according to the selected severity type, i.e. selecting Critical will display all trails with critical severity. The same applies to the Warning and Ok severity types.

Resource Tags: Applying the resource tags filter will display those trails which have been assigned the selected resource tag. For example, if a user has tagged some trails with a resource tag named environment, then selecting environment from the resource tags filter will display all those trails.

Resource Tags Value: Applying the resource tags value filter will display data which has the selected resource tag value. For example, say a user has tagged some resources with a tag named environment and a value of production (environment: production). The user can then view data for all the resources which are tagged as “environment: production”. The tag value filter can be used only when a tag name has been provided.

Compliance: Applying the Compliance filter, you can further refine your security and health checks.


Read more about encryption of Amazon CloudTrail logs.