CloudWatch Log Groups Should Be Encrypted With CMK
More Info:
CloudWatch log groups should be encrypted with a customer managed KMS key (CMK). CloudWatch Logs always encrypts log data at rest, but with the default server-side encryption the account owner does not control the key. Associating a customer managed key puts the key policy, key rotation and the CloudTrail record of key use under the account's control, and access to the log data can be revoked by revoking CloudWatch Logs' access to the key.
Risk Level
High
Address
Security
Compliance Standards
HIPAA,PCIDSS,GDPR,CISAWS,CBP,NIST,SOC2,AWSWAF,SEBI,RBI_UCB
Triage and Remediation
Remediation
Enabling encryption from the console has limitations: AWS does not allow a KMS key to be associated with a log group from the console, so use the AWS CLI or an SDK as described below. The key must be a symmetric KMS key in the same Region as the log group, and its key policy must allow the CloudWatch Logs service principal to use it; without that policy statement the association call fails.
- Create an AWS KMS key (symmetric, in the same Region as the log group):
aws kms create-key
- Set permissions on the KMS key:
- Retrieve the current policy for the key:
aws kms get-key-policy --key-id <key-id> --policy-name default --output text > ./policy.json
- Edit policy.json and add a statement that allows the CloudWatch Logs service principal for the Region (logs.<region>.amazonaws.com) the actions kms:Encrypt*, kms:Decrypt*, kms:ReEncrypt*, kms:GenerateDataKey* and kms:Describe*, with an ArnEquals condition on kms:EncryptionContext:aws:logs:arn naming the log group ARN so that the grant can only be used for that log group. Keep the existing administrator statement, otherwise you lock yourself out of the key.
- Apply the updated policy to the key:
aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json
- Associate the KMS key with a log group:
- To associate the key when creating a log group:
aws logs create-log-group --log-group-name <log-group-name> --kms-key-id <key-arn>
- To associate the key with an existing log group:
aws logs associate-kms-key --log-group-name <log-group-name> --kms-key-id <key-arn>
- Disassociate the key from a log group (if needed):
aws logs disassociate-kms-key --log-group-name <log-group-name>
Data ingested while the key was associated stays encrypted with that key, so do not disable or delete the key, or remove CloudWatch Logs' access to it, while that data still needs to be readable.
You can use the boto3 library in Python to achieve the same tasks programmatically.
- Create an AWS KMS key:
import boto3
kms = boto3.client('kms')
response = kms.create_key()
- Set permissions on the KMS key:
- Retrieve the policy with get_key_policy, add the CloudWatch Logs statement described in the CLI steps above, and apply it with put_key_policy.
- Associate the KMS key with a log group:
import boto3
logs = boto3.client('logs')
logs.create_log_group(logGroupName='<log-group-name>', kmsKeyId='<key-arn>')
- Disassociate the key from a log group (if needed):
import boto3
logs = boto3.client('logs')
logs.disassociate_kms_key(logGroupName='<log-group-name>')
Ensure you replace placeholders such as <key-id>, <key-arn>, and <log-group-name> with actual values in the commands or code snippets. Also, review and adjust the permissions and conditions according to your specific requirements.
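As an added example (not code from the original page), the following Python script ties the CLI and boto3 steps above together: it audits a Region for log groups that have no KMS key (the misconfiguration this check detects), builds the key policy statement CloudWatch Logs requires, merges it into the existing key policy without dropping the administrator statement, and associates the key with the log group. The account ID, log group names, the statement Sid and the sample API responses used in the pure helpers are constructed placeholders; boto3 is imported only inside the live functions so the helpers can be run and tested offline.

```python
"""Added example (not from the original page): audit CloudWatch log groups for a
missing KMS key and build the key-policy statement CloudWatch Logs needs.
boto3 is imported only inside the live functions, so the pure helpers run offline."""
from __future__ import annotations

import copy
import json
from typing import Iterable

# Actions the CloudWatch Logs service principal needs on the key (per AWS docs).
LOGS_KMS_ACTIONS = [
    "kms:Encrypt*",
    "kms:Decrypt*",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:Describe*",
]


def build_logs_key_policy_statement(region: str, account_id: str, log_group_name: str) -> dict:
    """Statement letting the regional CloudWatch Logs service principal use the key,
    limited by the documented kms:EncryptionContext:aws:logs:arn condition to one
    log group. The Sid "AllowCloudWatchLogsUseOfKey" is an assumed name."""
    log_group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}"
    return {
        "Sid": "AllowCloudWatchLogsUseOfKey",
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{region}.amazonaws.com"},
        "Action": list(LOGS_KMS_ACTIONS),
        "Resource": "*",
        "Condition": {"ArnEquals": {"kms:EncryptionContext:aws:logs:arn": log_group_arn}},
    }


def merge_statement_into_policy(policy: dict, statement: dict) -> dict:
    """Return a copy of an existing key policy (json.loads of get-key-policy output)
    with `statement` appended. Existing statements, including the root/administrator
    statement, are kept, and a statement with the same Sid is not added twice."""
    merged = copy.deepcopy(policy)
    statements = merged.setdefault("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
        merged["Statement"] = statements
    if not any(s.get("Sid") == statement["Sid"] for s in statements):
        statements.append(copy.deepcopy(statement))
    return merged


def find_unencrypted_log_groups(pages: Iterable[dict]) -> list[str]:
    """Names of log groups with no kmsKeyId, given describe_log_groups response pages."""
    return [
        g["logGroupName"]
        for page in pages
        for g in page.get("logGroups", [])
        if not g.get("kmsKeyId")
    ]


def audit(region: str) -> list[str]:
    """Live check: needs boto3 and credentials with logs:DescribeLogGroups."""
    import boto3

    logs = boto3.client("logs", region_name=region)
    return find_unencrypted_log_groups(logs.get_paginator("describe_log_groups").paginate())


def remediate(region: str, account_id: str, key_id: str, log_group_name: str) -> None:
    """Live fix: grant CloudWatch Logs use of the (symmetric, same-Region) key for this
    log group, then associate the key. Needs kms:GetKeyPolicy, kms:PutKeyPolicy,
    kms:DescribeKey and logs:AssociateKmsKey."""
    import boto3

    kms = boto3.client("kms", region_name=region)
    logs = boto3.client("logs", region_name=region)
    current = json.loads(kms.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"])
    statement = build_logs_key_policy_statement(region, account_id, log_group_name)
    kms.put_key_policy(
        KeyId=key_id,
        PolicyName="default",
        Policy=json.dumps(merge_statement_into_policy(current, statement)),
    )
    key_arn = kms.describe_key(KeyId=key_id)["KeyMetadata"]["Arn"]  # association wants the ARN
    logs.associate_kms_key(logGroupName=log_group_name, kmsKeyId=key_arn)


if __name__ == "__main__":
    import sys

    for name in audit(sys.argv[1] if len(sys.argv) > 1 else "us-east-1"):
        print("UNENCRYPTED:", name)
```

The condition binds the grant to a single log group ARN; to cover several log groups with one statement, AWS documents using ArnLike with a wildcard in the log group ARN instead of ArnEquals. Run the audit first and review its output, since associate_kms_key fails if the key policy has not been updated.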