CloudWatch Log Groups Should Be Encrypted With CMK
More Info:
Cloudwatch loggroups should be encryptedRisk Level
HighAddress
SecurityCompliance Standards
HIPAA,PCIDSS,GDPR,CISAWS,CBP,NIST,SOC2,AWSWAF,SEBI,RBI_UCBTriage and Remediation
Remediation
Using Console
Using Console
Enabling encryption from console has some limitations, AWS does not allow KMS Key association with Log Groups from Console.
Reference Link
Using CLI
Using CLI
-
Create an AWS KMS Key:
-
Set Permissions on the KMS Key:
- Retrieve the default policy for the key:
- Edit
policy.jsonto include the necessary permissions as described in the documentation. - Apply the updated policy to the key:
- Retrieve the default policy for the key:
-
Associate the KMS Key with a Log Group:
- To associate the key during log group creation:
- To associate the key with an existing log group:
- To associate the key during log group creation:
-
Disassociate Key from a Log Group (if needed):
Using Python
Using Python
You can use the
boto3 library in Python to achieve the same tasks programmatically.-
Create an AWS KMS Key:
-
Set Permissions on the KMS Key:
- Retrieve, edit, and apply the policy similar to the AWS CLI method.
-
Associate the KMS Key with a Log Group:
-
Disassociate Key from a Log Group (if needed):
<key-id>, <key-arn>, and <log-group-name> with actual values in the commands or code snippets. Also, review and adjust the permissions and conditions according to your specific requirements.