More Info:

Cloudwatch loggroups should be encrypted

Risk Level

High

Address

Security

Compliance Standards

HIPAA, PCIDSS, GDPR, CISAWS, CBP, NIST, SOC2, AWSWAF, SEBI, RBI_UCB

Triage and Remediation

Remediation

Using Console

Enabling encryption from the console has a limitation: AWS does not allow associating a KMS key with a log group from the console, so the steps below use the AWS CLI.
  1. Create an AWS KMS Key:
    aws kms create-key
    
  2. Set Permissions on the KMS Key:
    • Retrieve the default policy for the key:
      aws kms get-key-policy --key-id <key-id> --policy-name default --output text > ./policy.json
      
    • Edit policy.json to include the necessary permissions as described in the documentation.
    • Apply the updated policy to the key:
      aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json
      
  3. Associate the KMS Key with a Log Group:
    • To associate the key during log group creation:
      aws logs create-log-group --log-group-name <log-group-name> --kms-key-id <key-arn>
      
    • To associate the key with an existing log group:
      aws logs associate-kms-key --log-group-name <log-group-name> --kms-key-id <key-arn>
      
  4. Disassociate Key from a Log Group (if needed):
    aws logs disassociate-kms-key --log-group-name <log-group-name>
    
The same steps can be performed programmatically with the boto3 library in Python.
  1. Create an AWS KMS Key:
    import boto3
    
    kms = boto3.client('kms')
    # Create a symmetric KMS key; its ID and ARN are returned in response['KeyMetadata']
    response = kms.create_key()
    
  2. Set Permissions on the KMS Key:
    • Retrieve, edit, and apply the key policy in the same way as in the AWS CLI steps.
  3. Associate the KMS Key with a Log Group:
    import boto3
    
    logs = boto3.client('logs')
    # Create the log group with the KMS key already associated (pass the key ARN, not the key ID)
    logs.create_log_group(logGroupName='<log-group-name>', kmsKeyId='<key-arn>')
    
  4. Disassociate Key from a Log Group (if needed):
    import boto3
    
    logs = boto3.client('logs')
    # Remove the key association; existing data stays encrypted, new data is no longer encrypted with this key
    logs.disassociate_kms_key(logGroupName='<log-group-name>')
    
Ensure you replace placeholders such as <key-id>, <key-arn>, and <log-group-name> with actual values in the commands or code snippets. Also, review and adjust the permissions and conditions according to your specific requirements.
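As an added example (not part of the original page), the following Python script ties the CLI and boto3 steps above into one audit-and-remediate pass: it lists the log groups that have no KMS key, adds the key-policy statement that CloudWatch Logs needs (the permission step 2 leaves to the documentation), and then associates the key with each group. The region, account ID, key ARN and the sample log-group list are assumed or constructed values.

```python
import json

# Constructed sample shaped like the 'logGroups' list that logs.describe_log_groups() returns.
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/orders",
     "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"logGroupName": "/app/api"},  # no kmsKeyId: this is the finding
]

def unencrypted_log_groups(log_groups):
    """Names of log groups with no KMS key associated (the finding this check reports)."""
    return [g["logGroupName"] for g in log_groups if not g.get("kmsKeyId")]

def logs_key_policy_statement(region, account_id, log_group_name):
    """Key-policy statement letting the CloudWatch Logs service use the key for ONE log group."""
    return {
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{region}.amazonaws.com"},
        "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:Describe*"],
        "Resource": "*",
        # Encryption-context condition: the key can only be used for this log group's data.
        "Condition": {"ArnEquals": {"kms:EncryptionContext:aws:logs:arn":
                      f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}"}},
    }

def add_statement(policy_json, statement):
    """Append a statement to a key policy document (JSON string), skipping exact duplicates."""
    policy = json.loads(policy_json)
    statements = policy.setdefault("Statement", [])
    if isinstance(statements, dict):               # a policy may carry a single statement object
        statements = policy["Statement"] = [statements]
    if statement not in statements:
        statements.append(statement)
    return json.dumps(policy)

def remediate(region, account_id, key_arn, dry_run=True):
    """Find unencrypted log groups; grant CloudWatch Logs use of key_arn; associate it. Returns names."""
    import boto3  # imported here so the pure helpers above run without AWS access
    logs = boto3.client("logs", region_name=region)
    kms = boto3.client("kms", region_name=region)
    groups = [g for page in logs.get_paginator("describe_log_groups").paginate() for g in page["logGroups"]]
    todo = unencrypted_log_groups(groups)
    if todo and not dry_run:
        policy = kms.get_key_policy(KeyId=key_arn, PolicyName="default")["Policy"]
        for name in todo:
            policy = add_statement(policy, logs_key_policy_statement(region, account_id, name))
        kms.put_key_policy(KeyId=key_arn, PolicyName="default", Policy=policy)  # must precede association
        for name in todo:
            logs.associate_kms_key(logGroupName=name, kmsKeyId=key_arn)
    return todo
```

Run with dry_run=True first to see which log groups would be changed; associating the key before the key policy grants CloudWatch Logs access makes the call fail.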