Enable Encryption for your CloudTrail Log Files

You can encrypt your CloudTrail log files with a customer-managed KMS key (SSE-KMS). The steps below create the key with a key policy that lets CloudTrail encrypt the log files and lets the IAM role used for the AIP integration decrypt them, then enable encryption on the trail.

  1. Log into the AWS Console and go to IAM > Encryption Keys > Create Key. The Add alias and description page displays. Enter an alias and a description for the key, then click Next.

    [Screenshot: CreateAlias.png]

    The Add tags page displays.
  2. Optionally, add tags to categorize and identify your customer master keys (CMKs). Click Next.

    [Screenshot: AddTags.png]

    The Define key administrative permissions page displays.
  3. Click Next.

    [Screenshot: DefineKeyPerms.png]

    The Define key usage permissions page displays.
  4. Click Next.

    [Screenshot: DefineKeyUsage.png]

    The Review and edit key policy page displays.

    [Screenshot: EditKeyPolicy.png]

  5. Copy the following three statements and paste them into the Statement array of the key policy, immediately after the closing brace of the first statement (add a comma after that brace so the policy remains valid JSON):

    {
        "Sid": "Allow CloudTrail to encrypt logs",
        "Effect": "Allow",
        "Principal": {
            "Service": "cloudtrail.amazonaws.com"
        },
        "Action": "kms:GenerateDataKey*",
        "Resource": "*",
        "Condition": {
            "StringLike": {
                "kms:EncryptionContext:aws:cloudtrail:arn": [
                    "CLOUDTRAIL_ARN_HERE"
                ]
            }
        }
    },
    {
        "Sid": "Enable CloudTrail log decrypt permissions",
        "Effect": "Allow",
        "Principal": {
            "AWS": "TS_IAM_ROLE_HERE"
        },
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {
            "Null": {
                "kms:EncryptionContext:aws:cloudtrail:arn": "false"
            }
        }
    },
    {
        "Sid": "Allow CloudTrail access",
        "Effect": "Allow",
        "Principal": {
            "Service": "cloudtrail.amazonaws.com"
        },
        "Action": "kms:DescribeKey",
        "Resource": "*"
    }

  6. In the "CLOUDTRAIL_ARN_HERE" line, replace the text with arn:aws:cloudtrail:*:AWS_ACCOUNT_NUMBER:trail/TRAIL_NAME.
    • AWS_ACCOUNT_NUMBER: Indicates your AWS account number
    • TRAIL_NAME: Indicates your CloudTrail name
  7. In the "TS_IAM_ROLE_HERE" line, replace the text with the ARN of the IAM Role used to integrate your AWS account with F5 Distributed Cloud App Infrastructure Protection (AIP).
  8. Click Finish to complete the key creation process.
  9. Navigate to the CloudTrail service. Click Trails to display the Trails page.

    [Screenshot: TrailsPage.png]

  10. Navigate to the trail for which you would like encryption enabled. Select the edit icon for the Storage location section.
  11. In the Create a new S3 bucket section, confirm the No radio button is selected.

    [Screenshot: StorageKMSEncrypt.png]

    1. In the Encrypt log files with SSE-KMS section, select the Yes radio button.
    2. In the Create a new KMS key section, select the No radio button.
    3. In the KMS key field, select the newly created key from the dropdown menu.
  12. Click Save to register your selections.
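The following Python script is an added example, not part of this article or of the AIP product. It renders the three key-policy statements from step 5 with the placeholders from steps 6 and 7 filled in, appends them to an existing key policy, and then audits a trail's configuration the way you would after step 12: the trail must carry a KmsKeyId, and the key policy must still contain the three statements, including the Null condition that restricts the integration role to decrypting data that carries a CloudTrail encryption context. The account number, trail name, role ARN and key ARN used below are constructed sample values, and DEFAULT_KEY_POLICY is a constructed approximation of the default policy the console shows, not the exact console text. Only the standard library is used, so it runs offline.

```python
"""Added example: render the CloudTrail KMS key policy from the article and audit a trail."""
import json
import re
from typing import List

# The three statements from step 5 of the article, placeholders still in place.
KEY_POLICY_STATEMENTS = [
    {
        "Sid": "Allow CloudTrail to encrypt logs",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "kms:GenerateDataKey*",
        "Resource": "*",
        "Condition": {"StringLike": {
            "kms:EncryptionContext:aws:cloudtrail:arn": ["CLOUDTRAIL_ARN_HERE"]}},
    },
    {
        "Sid": "Enable CloudTrail log decrypt permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "TS_IAM_ROLE_HERE"},
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {"Null": {"kms:EncryptionContext:aws:cloudtrail:arn": "false"}},
    },
    {
        "Sid": "Allow CloudTrail access",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "kms:DescribeKey",
        "Resource": "*",
    },
]
REQUIRED_SIDS = [s["Sid"] for s in KEY_POLICY_STATEMENTS]

# Constructed approximation of the console's default key policy (first statement only).
DEFAULT_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

ACCOUNT_RE = re.compile(r"^\d{12}$")
TRAIL_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,128}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def cloudtrail_arn_pattern(account_id: str, trail_name: str) -> str:
    """Step 6: arn:aws:cloudtrail:*:AWS_ACCOUNT_NUMBER:trail/TRAIL_NAME."""
    if not ACCOUNT_RE.match(account_id):
        raise ValueError(f"account number must be 12 digits: {account_id!r}")
    if not TRAIL_NAME_RE.match(trail_name):
        raise ValueError(f"invalid trail name: {trail_name!r}")
    return f"arn:aws:cloudtrail:*:{account_id}:trail/{trail_name}"


def build_key_policy(base_policy: dict, account_id: str, trail_name: str,
                     aip_role_arn: str) -> dict:
    """Steps 5-7: fill the placeholders and append the statements to base_policy."""
    if not ROLE_ARN_RE.match(aip_role_arn):
        raise ValueError(f"not an IAM role ARN: {aip_role_arn!r}")
    rendered = json.dumps(KEY_POLICY_STATEMENTS)
    rendered = rendered.replace("CLOUDTRAIL_ARN_HERE",
                                cloudtrail_arn_pattern(account_id, trail_name))
    rendered = rendered.replace("TS_IAM_ROLE_HERE", aip_role_arn)
    if "_HERE" in rendered:  # guard against a placeholder that was never replaced
        raise ValueError("unfilled placeholder in key policy")
    policy = json.loads(json.dumps(base_policy))  # deep copy; never mutate the input
    policy.setdefault("Statement", []).extend(json.loads(rendered))
    return policy


def trail_encryption_findings(trail: dict, key_policy: dict) -> List[str]:
    """Post-step-12 audit over DescribeTrails-style trail fields and the key policy.
    Returns findings; an empty list means the trail looks correctly configured."""
    findings = []
    if not trail.get("KmsKeyId"):
        findings.append(f"trail {trail.get('Name')!r}: no KmsKeyId, log files are not SSE-KMS encrypted")
    statements = key_policy.get("Statement", [])
    present = {s.get("Sid") for s in statements}
    for sid in REQUIRED_SIDS:
        if sid not in present:
            findings.append(f"key policy: missing statement {sid!r}")
    for s in statements:
        # The decrypt grant must keep its encryption-context condition; without it the
        # principal could decrypt any ciphertext produced under this key.
        if s.get("Action") == "kms:Decrypt" and "Null" not in s.get("Condition", {}):
            findings.append(f"key policy: statement {s.get('Sid')!r} grants kms:Decrypt without a Null condition")
    return findings


if __name__ == "__main__":
    # Constructed sample values; substitute your own account number, trail name and role ARN.
    policy = build_key_policy(DEFAULT_KEY_POLICY, "123456789012", "my-trail",
                              "arn:aws:iam::123456789012:role/aip-integration")
    print(json.dumps(policy, indent=4))
    trail = {"Name": "my-trail",
             "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"}
    print(trail_encryption_findings(trail, policy) or "no findings")
```

The audit function takes plain dictionaries so it can be fed the output of `aws cloudtrail describe-trails` and `aws kms get-key-policy` (parsed with `json.loads`) without any AWS SDK dependency in this example.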